Given the rapid shift in risks based around wireless, mobility and social media, co-opting some younger staff members onto the team can provide enlightening insights into what the risks really are.

6) Education and staff involvement

Security processes need to be clear, as do the consequences of not following them. It is not sufficient to have security policies if it is clear to staff that you aren't managing them and that, actually, nothing will happen if they don't follow the correct security procedures. Education and defence training are essential and should be education, not just a list of things staff can't do. This is an easy thing to say, but much harder in practice. It needs leadership from all staff. Given the jaded view, sometimes deservedly so, of IT security in some organisations, it is a difficult culture change to now embrace security as everyone's responsibility. Training needs to reflect that.

7) Monitoring and feedback

It is crucial not only to monitor, but also to be seen to be monitoring mobile security measures. High visibility and regular feedback to all staff, on both success and failure, are very important. Reinforcement across all levels means that security awareness can infiltrate the DNA of an organisation.

8) Analysis

All the relevant stakeholders need regular reporting on the security landscape, so they are aware of the level of threat and the levels of risk that they have accepted. Ideally, the Board should also have a disaster plan to implement in the case of failure.

9) Forensics

After a breach, particularly one involving mobile devices, organisations want to understand what has happened, what the failure was and what action they can take. Forensic tools are key to success here. A post mortem with findings needs to be produced and delivered so that, assuming the breach wasn't terminal, lessons can be learned and implemented.

Ian Kilpatrick is chairman of Wick Hill Group.