An efficient awareness campaign should understand the business you are in and how colleagues behave.
Speaking at the SC Magazine Total Security Conference in London, Matt Leggett, head of information security at Best Buy Europe, parent of the Carphone Warehouse, said that it had worked with users on tests to rank risks by severity.
He said: “We ran a campaign and benchmark users as to whether the campaign is effective or not. 51 per cent said that emailing with encrypted customer or employee information in the subject line was ‘very high risk’. We also introduced lanyards for the identity pass and gave out laptop locks so the message that they take home and understand is ‘I work for a company that takes information security seriously’.”
In terms of technical controls for devices, Leggett encouraged delegates to create a matrix of devices and key areas for protection to identify gaps to address.
He also said that within his business, the executives had been driving a bring your own device (BYOD) policy for colleagues, but a risk analysis showed that employees at Best Buy Europe did not understand the risks involved, and that most wanted access to email, their calendar and contacts.
He said: “You can talk to employee communications, but go with what you feel is best. Legal need to be happy and you need to deal with HR, while representatives from employee channels should be involved too.
“To execute a good awareness campaign, get a friend with design skills as you will have much more work than you planned for. Keep the messaging simple and clear as employees do not understand jargon.”