An efficient awareness campaign should be built on an understanding of the business you are in and how colleagues behave.
Speaking at the SC Magazine Total Security Conference in London, Matt Leggett, head of information security at Best Buy Europe, parent company of the Carphone Warehouse, said that the company had worked with users on tests to rank risks by how severe they are.
He said: “We ran a campaign and benchmarked users as to whether the campaign was effective or not. Fifty-one per cent said that emailing with encrypted customer or employee information in the subject line was ‘very high risk’. We also introduced lanyards for the identity pass and gave out laptop locks so the message that they take home and understand is ‘I work for a company that takes information security seriously’.”
In terms of technical controls for devices, Leggett encouraged delegates to create a matrix of devices and key areas for protection to identify gaps to address.
He also said that within his business, the executives had been driving a bring your own device (BYOD) policy for colleagues, but a risk analysis showed that employees at Best Buy Europe did not understand the risks and that most wanted access to email, calendar and contacts.
He said: “You can talk to employee communications, but go with what you feel is best. Legal need to be happy and you need to deal with HR, while representatives from employee channels should be involved too.
“To execute a good awareness campaign, get a friend with design skills as you will have much more work than you planned for. Keep the messaging simple and clear as employees do not understand jargon.”