Making information security everybody’s business

Information security is a vital element of corporate and IT governance and risk management. Secure organizations confidently pursue new business opportunities that would be too risky for their insecure peers. Simply put, good security is good business. Find out what makes security awareness so important in our popular white paper on the value of security awareness.

Creative security awareness content from NoticeBored

NoticeBored is our innovative information security awareness content service. We supply security awareness materials for your staff, managers and IT professionals, covering a fresh security topic each month. Use our high quality, engaging materials and bags of creative energy to kick-start your information security awareness program, and build a genuine, widespread and deep-rooted security culture by:

• Informing employees about current information security risks, illustrating them through topical news stories about real-world incidents;
• Providing, explaining and promoting commonsense security policies, standards, procedures and guidelines, incorporating and describing a broad range of good practice security controls;
• Describing information security roles, activities and obligations, promoting accountability and responsibility, and promoting compliance as something that benefits both the individual and the organization;
• Encouraging employees to think and talk about information security;
• Gaining employees’ active participation in the organization’s security infrastructure, going beyond simply ‘being aware’ by motivating employees to act more securely;
• Measuring progress on security awareness - testing knowledge, comparing parts of the business and generating metrics to drive security improvements;
• Most of all, making information security a subconscious habit - ‘the way we do things here’.

Read on to find out all about NoticeBored or download the product data sheet for the edited highlights.

Next generation seductive security awareness

Information security awareness is what we do. We are proud to have been acknowledged as a “best practice expert” in security awareness by ENISA, the European Network and Information Security Agency, alongside Gartner no less. Our Business Case for an Information Security Awareness Program contributed to ENISA’s Users’ Guide: How to Raise Information Security Awareness. The Users’ Guide expands considerably on our white paper with helpful advice to small companies on how to plan and establish security awareness programs.

While we don’t sell security technologies such as antivirus and firewalls, we have absolutely no problem with organizations using them as part of their information security management systems. NoticeBored fills in the gaps, tackling the human factors - those awkward and ill-defined issues that technology alone cannot solve.  But the best kept secret is that we also support and leverage those very same technologies by helping IT professionals appreciate their part in the bigger picture. Do your IT people understand the pivotal role they play in information security? Or is security just another barrier to them, something to be bypassed or avoided?

Chris Potter, the driving force behind the biannual UK information security breaches survey, described security awareness as one of the biggest issues in the survey. “[T]he survey shows that staff are increasingly targeted by social engineering attacks (where outsiders try to obtain confidential information from employees). In addition, businesses are becoming increasingly concerned about what is being said about them on social networking sites (such as MySpace, Facebook and Bebo), and some staff have posted confidential information on these sites. This is a pretty dangerous combination. Fortunately, there is some good news. Companies are hardening their technical controls. For example, use of strong (i.e. multi-factor) authentication has nearly doubled since 2006. In addition, the proportion of companies that have an information security policy has quadrupled over the last eight years. Most companies take active steps to tell their staff about their security policy and the risks they face. However, companies are realising that increasing security awareness is only part of the answer.  The critical issue is changing people’s actual behaviour.  Too many users have a ‘click mentality’ - they become blind to warning pop-up boxes and do what expedites their current activity rather than what they know they ought to. It is a bit like the road speed limit - everyone knows they shouldn’t speed, but many people go ahead and do so. So, the agenda seems to be moving on from simple ‘first generation’ security awareness and onto ‘the next generation’ of behavioural change. Many information security specialists, while knowledgeable about policy and technical issues, lack the skills to deliver true behavioural change into their businesses. Only by working with other specialists, such as the marketing and HR functions, and by embedding security into the mantra of the middle manager, will businesses realise the benefits of a security-aware culture.” Hear hear Chris!

Achieving genuine deep-rooted cultural change is the central aim of NoticeBored. Our approach goes well beyond those dreadful first generation annual security awareness sessions, promoting information security continually through creative materials and year-round activities. We actively encourage customer employees to liaise with colleagues in HR, IT, Legal, Risk Management and Compliance functions, while exploiting techniques used in marketing and advertising to extend the program’s reach, moving from broadcasting information at employees to engaging them as part of the solution. Find out lots more about NoticeBored in this section of the website.