Security Awareness Plan

It seems every day the news reports on yet another security breach. Is your company prepared? Your best practice solution is to establish a Security Awareness Plan (SAP) that fits your business and industry needs.

So, what is a Security Awareness Plan? A SAP is a policy outlining your company strategy for protecting employees, proprietary and customer information, both virtually and physically. The policy may include information such as who is the contact for security issues, employee training needs and a checklist to use as a guide. Security awareness is not a one-off discussion; it is an on-going conversation that includes regular employee training and review of the overall security plan.

Regardless of industry, there is no excuse in our current world to claim ignorance when it comes to the possibility of cybercrime. Not only is it important to protect your business: the employees, customers and any proprietary information, but “[i]n the wake of data breaches among US retailers, many believe the risk of legal liability and costly lawsuits will escalate. Today, claims by businesses that they are unaware of cybercrime risks and the need to invest in updated cybersecurity safeguards have become increasingly unconvincing.”[1] The level of security required for your company will differ depending on industry and other factors, but absolutely every company needs to have a security awareness plan. A key component of any plan will be training your employees to be aware not only of the potential dangers but also of their responsibilities in helping to prevent security breaches.

In the 2014 US State of Cybercrime Survey, PricewaterhouseCoopers found that security awareness training for new hires had a significant financial impact. The average financial loss for new hires who received NO security training was $683,000; when new hires received training the loss dropped to $162,000.[2] Just a few examples of topics for employee training: mobile device security, avoiding malware, secure practices for working remotely, social media use, secure email practices (including phishing) and the impact of unauthorized access.

Not only do employees need training and insight, but management is a key partner in any security plan. “For a security awareness program to succeed, it must study the company’s culture and use appropriate methods of communication.”[3] It takes time to establish and maintain a Security Awareness Plan, but it is a critical requirement for any company. Management needs to understand the importance of, and need for, regular and appropriate security training and review. A management team that is not wholly on board with the process and its necessity can have negative implications for its implementation and maintenance. Depending on your particular industry requirements, a lack of support from the management level could also jeopardize contracts or certifications that require regular security training and review. HIPAA and Industrial Security for government contractors are just two examples of circumstances where lack of training could result in the loss of contracts or certifications.

If your business does not have a Security Awareness Plan, there are simple and straightforward best practice methods to get one established. If you do have a plan, but have not reviewed it recently or done any ongoing training with your employees – it’s time. Please call us today with questions; we are here to help!

[1] 2014 US State of Cybercrime Survey, PricewaterhouseCoopers, p. 10

[2] 2014 US State of Cybercrime Survey, PricewaterhouseCoopers, p. 14

[3] Rashid, Fahmida. (December 2014). “Is Security Awareness Training Worth It?” Tech Digest, p. 6