APPENDIX 1: SECURITY AWARENESS THEMES

Each month, consider focusing on a subject suitable for the time of the year and harnessing your information security endeavours to that. It helps to keep the subject at the forefront of everyone’s considerations and ensures that you are baking information security into the DNA of your organisation, embedding it into best practice and slowly, but surely, changing the culture for the better.

Always use whatever news stories have appeared during the month. There is no shortage of these, day in and day out, that should be crossing your desk as the ISM, but they may not be crossing the mind’s eye of the average user. In fact, there are many stories that appear in the news that are not deliberately presented to the public by the media as being an information security-related story. But you can ‘find’ the security element – be it a personnel issue, a physical security issue, a technical security issue or an information-specific security issue. Let your creative juices flow!

However trite these suggestions may seem, the user population will have some appreciation for the mix of irony and humour and at least will see that there is a theme and a messaging effort going on.

Security awareness theme – January

This month’s information security theme could pick up on the fact that January is usually a time for New Year’s resolutions. For example, ‘So what’s yours …? Ours is to always update our anti-virus …’ or ‘New Year, New attitude … let’s lock down those devices!’

Security awareness theme – February

This month’s information security theme could pick up on the fact that the media focus is usually, at least for the first two weeks of February, related to Valentine’s Day, so there’s a ‘love’ element. You could run a campaign entitled ‘Love your laptop’, where users are encouraged to ensure that they have connected to the network, updated the patches and anti-virus status, run a back-up, cleaned out the cookies and Internet history, etc.

Security awareness theme – March

This month’s information security theme could pick up on any subject of your choice. Following the example and experience from the chapter, tackling anti-virus best practice would be the obvious choice! As long as you encourage the users to ensure that they update their own anti-virus product on their home machines, they will appreciate, from the tip of the iceberg, the scale of the effort you will be applying across your whole organisation when it comes to protection mechanisms.

Security awareness theme – April

This month’s information security theme should usually be focusing on Easter, as it arises at this time. You could run a campaign whereby you leave chocolates (mini eggs, for example, to keep in theme!) on the desks of those users who are adhering to your clear-desk policy.

Security awareness theme – May

Being a Eurovision lover myself, my May theme usually builds up to something related to this European song festival! Given the multicultural world in which we live and the level of diversity we see all around us, this might work in your organisation, too. You could provide a country identity (league of nations style) for each department/team/directorate and build in some level of competition between them in terms of the best clear-desk policy adherence group; the most secure (fewest incidents experienced) team at the end of the month; or the least frequent users of the help desk. Then remember to present some kind of ‘award’ at the end. A box of chocolates usually goes a long way!

Security awareness theme – June

Start considering messaging around a holiday theme. Users go away for their two-week break from June onwards and they return revived and refreshed, but having wiped clean their mind of all things to do with work. They’ve ‘lost’ the synapse that contains their password, too. If the 90-day password reset occurs whilst they are away, and they miss it, that’s even worse! Remember to prepare your help desk for an increase in reset calls in the coming months, too.

Security awareness theme – July

Summer months will be an ideal time to focus on removable media device (RMD) security. There is a great concern, with the number of people commuting and travelling and the increased numbers of people in general, that there will be a resultant increase in loss of removable media devices. Make sure your message theme shares best practice on securing all devices when away from the usual workplace.

Security awareness theme – August

Follow up your July theme on RMD with a message theme on home/remote working itself, from airports (and using wireless networks) to hotels. Combine this with encouraging a heightened awareness of physical security issues too, relevant to your user base and their information assets.

Security awareness theme – October

This month’s information security theme could pick up on the fact that October ends with Halloween, a yearly holiday celebrated around the world. Given the volume of malware, spyware and spooky tales to tell in the world of security, there’s enough to hang your ISM hat on, if you are creative enough!

Security awareness theme – November

This month’s information security theme could pick up on the fact that November contains Bonfire Night, very quickly after Halloween. Utilising the ‘Remember, remember the fifth of November’ mantra, you can play on that and deliver messages around ‘Remember, remember … your removable media devices!’ or ‘Remember, remember … to clear your desk before you leave every day!’ Or take it up a notch and go for a fireworks-related theme.

Security awareness theme – December

This month’s information security theme should definitely pick up on Christmas – from the aspect of gift giving and not to cause any religious offence. Picking up on the well-used phrase ‘A dog is for life, not just for Christmas’ you could pick any element of best-practice information security and the same would apply. ‘Back-up is for life, not just for Christmas’ perhaps?
