What’s different about information security in the business as opposed to other aspects of your organization’s operation is that security becomes the responsibility of every single person. From the very top of your business, down to the very bottom, every single person has access to information that could be misused or abused if it got into the wrong hands.
Board members may well support what the information security management team is trying to accomplish, but they can sometimes get ahead of themselves when it comes to getting the job done or executing their strategy. Top-level executives are often the first people to cut corners to get a result, simply because they believe they should be able to do so. Often it can be this attitude that leads to a gargantuan security breach, and unfortunately it will be the information security team that takes the rap.
At the bottom end of the business, cleaners, facilities staff, and mailroom workers actually have more access to rooms and information than many of the mid- and senior-level staff; therefore, they need to be aware of the risks and of the attacks that could be mounted on them or their colleagues. Using social engineering techniques, an attacker will most likely pick on a target they believe to be vulnerable to suggestion, and such targets will oftentimes be found in the lower-paid ranks of the organization.
For this reason, you should always be seeking to encourage a culture of security throughout your entire business to ensure that all members of staff have security in mind at all times. When they see something that looks or feels wrong, or they encounter some behavior that is out of the ordinary or suspicious, instead of following the natural human trait of ignoring it, they should be encouraged, even rewarded, for questioning and reporting it. At all levels, the workforce needs to be reminded that it’s OK to say no or ask a supervisor rather than risk a security breach.