You don't have to spend a lot of money on some information security initiatives. Take security awareness, for example. You can get huge returns with small investments.
Sure, you can spend big bucks on packaged awareness programs and learning management platforms that can help you deploy and manage your training efforts and then report on compliance. Like most of you, though, I have a limited budget, and I'd rather devote it to things we desperately need but can't get on the cheap, like modernization of our security event monitoring, advanced malware detection and intrusion prevention.
With security awareness, my two main goals are to satisfy compliance requirements and to change behavior.
Regarding the first goal, my focus right now is attaining PCI compliance. Even though we don't currently meet the transaction thresholds that would mandate that we be PCI-compliant, it's good for business. Many of our customers expect it of us. The PCI framework provides clear guidance regarding security awareness, both for end users and for developers, who need to be trained in secure application development.
As for the second goal, I believe that the proper amount of awareness training will lead employees to pause before doing things that could put our company, our customers' data or themselves at risk. If my training program keeps just one person from clicking an evil link, sharing sensitive data on Dropbox or using a compromised Internet kiosk, it will be worth the effort.
And certainly worth the cost, since much of what I'm doing costs only my time. For example, I'm writing and emailing quarterly security reminders. That might not be worth my time if this were a huge enterprise, with multiple corporate communications assailing employees every week. But we're small enough that this isn't a problem, and besides, a subject heading like "SECURITY ALERT" grabs attention better than "Company Press Release."
In my most recent email reminder, I explained phishing attacks: how to spot them, what to do if you detect one and, most importantly, what to do if you click on a questionable link or attachment. Awareness about such things is of paramount importance, since we haven't deployed any advanced malware-detection capabilities and our IT department isn't focused on monitoring the network for malware. We need to do all we can to keep the malware out, and employees are the first line of defense there. That email also discussed best practices related to identity theft.
My next reminder, which will go out within the next couple of months, will look at mobile device security. Here again, this is an inexpensive way to address something that we don't have the budget to take on directly, since we have yet to deploy a robust mobile device management tool and are currently relying solely on the protections that Microsoft Exchange offers for employees who synchronize their phones through ActiveSync.