Another time investment is to take part in our monthly new-hire orientation. I created a set of PowerPoint slides and got HR to give me a 45-minute slot, including 15 minutes to answer questions. The PowerPoint slides are on topics such as avoiding untrusted resources like Internet kiosks and Wi-Fi hotspots, data protection, encryption, passwords, social engineering and physical security (a few of our laptops have gone missing lately). If all goes well, I'll convert those slides into a recording and use them in the yearly training requirement for all employees.
We'll spend a little bit of money on posters, but they don't necessarily have to be created on poster stock, and several free awareness posters can be found with a Google search. And in our case, with just four main offices, distributing and hanging posters in the restrooms and common areas is a cinch. I'll be choosing my first set of posters and pinning them up within the next couple of weeks.
In another tactic similar to putting up posters, I'll be rolling out screensavers that hammer home security messages. It's a little more complicated than hanging posters, of course, and we'll have to do some testing and get IT resources to deploy the screensavers to all of the PCs on our domain using Microsoft Active Directory Group Policy.
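One way to do that deployment, as an added example that is not from the original article: the screensaver policies live as per-user registry values under the Group Policy "Desktop" key, so a single GPO can set the .scr path and, at the same time, require a password on resume. This assumes the GroupPolicy module from RSAT is installed on the management workstation; the GPO name, the UNC path to the .scr file and the OU distinguished name are hypothetical.

```powershell
# Added example, not from the original article: create and link a GPO that
# deploys a security-awareness screensaver through per-user policy registry values.
# Assumptions (hypothetical): the GroupPolicy RSAT module is installed, the .scr
# file has been copied to a share that is read-only for users, and the OU below exists.
Import-Module GroupPolicy

$GpoName   = 'Security Awareness Screensaver'        # hypothetical GPO name
$ScrPath   = '\\fileserver\netlogon\awareness.scr'   # hypothetical path; must be read-only for users
$TargetOu  = 'OU=Workstations,DC=example,DC=com'     # hypothetical OU, used for the pilot
$PolicyKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Create the GPO only if it does not already exist, so the script is safe to re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Awareness messages; password required on resume'
}

# These values correspond to User Configuration > Administrative Templates >
# Control Panel > Personalization screensaver policies (all stored as REG_SZ).
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'ScreenSaveActive'    -Type String -Value '1'      | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'SCRNSAVE.EXE'        -Type String -Value $ScrPath | Out-Null
# The awareness message is the purpose; the security gain is the lock on resume.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'      | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'ScreenSaveTimeOut'   -Type String -Value '600'    | Out-Null  # seconds

# Link to the pilot OU first; widen the link only after the test machines confirm it works.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Show exactly what the GPO will push, for review before rollout.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey | Select-Object ValueName, Type, Value
```

Two points worth checking before linking this to production OUs: a .scr file is an ordinary executable that runs in every user's session, so the share it is served from must not be writable by users or by anyone who should not be able to run code on every domain PC; and on the pilot machines, `gpupdate /force` followed by `gpresult /h report.html` confirms the policy actually applied before the wider rollout.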
The only real money I'll have to spend will be on developer training. We need all of them to be trained on the OWASP Top 10 at a minimum. To ensure quality instruction, I want to purchase some training materials.
The last thing in my current awareness push is to look at a service that can assess the effectiveness of our awareness program by sending out phishing emails to employees and measuring their responses.