Security awareness in perpetuity

To protect against cyber security threats, every organization should view its workforce as the first line of defense. After all, many security incidents are caused by human errors, such as becoming a victim of a phishing attack, sharing sensitive information with the wrong recipient, or accidentally installing a virus on a shared drive. No matter how many organizational and technical protection measures are in place, human errors can never be entirely ruled out. Therefore, the workforce is an essential line of defense.

At ZIVVER, one of the leading secure communication companies in Europe, we work diligently with our Security Team to make sure that everybody in the organization is and will be fully aware of the security threats they face at work. Security should be completely embedded in our DNA. To help achieve this we initiate many different activities throughout the year to foster a strong culture of security awareness for the entire workforce.

So what is the best way to raise security awareness? Most organizations adopt a one-size-fits-all approach. They create generic flyers, presentations and even online modules to teach everybody in the organization the same basic best practices on security. This is, of course, better than doing nothing. Recipients of this approach, however, are often not very engaged with the training and are unlikely to remember the key take-aways. Some might even consider these standard awareness sessions annoying, or a mandatory, time-wasting activity.

Making security awareness part of your company’s DNA!

At ZIVVER we have a few guiding principles for our security awareness program:

Relevant

Know your target audience group and make sure the awareness topics and materials are tailored to their interests and needs. For example, a specific security risk for your tech team might be the installation of malicious software, whereas social engineering would be a more likely risk for people who work at, for example, your support desk or in your marketing team. Understand the differences in approach and required level of detail, and make sure that you show everyone the specific security risks that are relevant in their daily work.

Actionable

Discuss and highlight specific examples of what could go wrong (or has gone wrong in the past) and how to act. The ‘how to act’ part should be specific enough for every individual, so that everyone is well prepared and feels comfortable acting accordingly should a threat materialize. To achieve this, make sure that you clearly and specifically explain the risks you have identified and why certain actions are required in response. People’s understanding of these risks will help them to ‘spot’ these or related risks during their work, during new projects and even in their private life.

Embed

Create a fun, repetitive program. A one-off event, such as an annual session, may briefly raise general awareness, but the key take-aways would likely not be retained. Any knowledge gained would probably soon fade. It is therefore recommended to repeat the awareness actions frequently or, even better, to integrate them into everyday tasks. Be creative in your approach and create a repetitive program that you can roll out during a full calendar year. Consider, for example, a social engineering protocol for the support desk, a brief security risk assessment in every project template or a warning when sensitive information is attached to an email. Other examples to engage people include: organizing a security quiz, storytelling (sharing security incidents and follow-up actions within teams) and a wall of fame for those who have made contributions to improve internal security.

Ownership

Create a culture in your organization in which everyone shares and feels accountable for security and promoting security awareness. Make it OK to point a colleague to the clear-desk policy, or to dispose of left-behind papers containing sensitive information in the shredder. Encourage people to ask the IT department for help if they receive a somewhat suspicious email. Create an environment in which security concerns and incidents can be discussed openly.

ZIVVER aims to instill a strong culture of security awareness for its own staff while also helping customers increase their own awareness through the use of ZIVVER’s secure email solution. ZIVVER will alert users before an email is sent if it contains sensitive information. These caution warnings reduce the likelihood of selecting the wrong recipient or sending sensitive information in an unsafe manner.

Interested in how ZIVVER can help you raise awareness during the everyday task of sending emails?
Check out our detailed information page on secure email and file sharing.

 
