When deploying a bespoke information security awareness campaign, the ultimate aim is to build a mindset in which employees come to respect and protect the information they work with. To achieve this, it’s imperative that employees fully understand the value of that information.
Failing to understand the value of information is a major cause of information security breaches. For example, it’s the reason why sensitive information ends up in wastepaper baskets or recycling boxes, which subsequently exposes it to ‘dumpster diving’ – the practice of scouring company bins for useful competitor intelligence.
Failing to understand the value of information has led to some of the high-profile ‘laptop left on a train’ incidents, where employees walk around with sensitive information on their hard drives that hasn’t been encrypted for transport.
Failing to understand the value of information can even cause employees to talk themselves into doing things they’ve already been told are bad practice, such as connecting to an unsecure hotel Wi-Fi network to check email. We’ve all been tempted to do it because of the convenience. What stops us is knowing how valuable the emails coming in and out are – all of which can be intercepted on an unsecure wireless connection.
The value of information is best communicated through a clear information classification scheme. For example, let’s use the traditional labels of ‘public’, ‘internal’ and ‘confidential’ information. One of the most effective methods of communicating value is to consider all of the information types within your organisation and categorise them under these headings. Turn that into a clear communication that allows employees to see exactly which information types should be considered under which classification. There are also some engaging and fun ways to embed this in your employees’ minds.
Make classification mandatory
Making classification of all documents mandatory also helps to embed this consideration of value. A classification must be assigned to every new piece of information that employees generate. Similarly, every piece of information they receive must be immediately checked for its classification. If a piece of information is passed on without a classification, then the practice of sending it back to the originator for classification will eventually cause this handling procedure to become second nature.