We are all on the receiving end of the rapid changes that have taken place in technology over the last two decades. These have influenced the way we communicate, how we find information and conduct research, where we store our data, and our social networking activities. Many of these technological advances have also had an impact on businesses, enabling, for example, a more flexible and mobile workforce. Wireless computing is now the norm and the ever-increasing bandwidth on our broadband connections is making fixed office computing a less attractive proposition.
Equally, the myriad of small digital devices that incorporate e-mail, voice, business applications and our personal data have influenced where and how we choose to work. As we leave behind the information age and embrace the connected age, we have come to expect freedom of choice in every aspect of our lives, especially with regard to the way we use current technologies; hence the boundaries between our personal and working lives are disappearing.
It is not surprising, then, that organisations are quick to take advantage of this ubiquitous technology, and just as quickly they also experience some of the difficulties this brings, for instance, the threat of data leakage and reputational damage. As a consequence, addressing risk has become a full-time activity. Many may argue that the ‘fight fire with fire’ approach, adopting best-of-breed technology to overcome the issues that technology has enabled, is the easiest way to deal with information security risk. The alternative approach, which is less controlling, is to educate employees in good working practice, making them aware of the risks and engendering corporate working. Neither approach is a cheap solution, but the former may, to some, be more attractive, not least because it is likely to be quicker.
David Lacey, in his book Managing the Human Factor in Information Security¹, endorses the educational approach to information security, believing that empowering and trusting employees, through good educational practices and advice specific to their needs, is the best solution to address information security risk. In particular, he emphasises the need for Information Security Awareness to be an ongoing activity. This pocket guide supports this approach and puts forward the case for an organisation-wide, and fully supported, IT Induction and Information Security Awareness Programme that aims to start this educational process. In particular, it will provide clarity of purpose, equate the programme to organisational roles, and offer practical assistance in the development and delivery of an IT Induction programme.