Security Awareness Training, Training, Training


March 01, 2013
Security Training
Lynn Goodendorf, CIPP, CISSP - lgoodendorf@versprite.com

Repetition of key messages communicated in different ways will drive and influence behavior.

Ira Winkler, a respected leader in information security, published a view that computer users who have poor security habits not only put their own PCs and information at risk; they actually become a threat to others in their organization and on the Internet in general.

To illustrate this idea further, here are a few examples of techniques malicious hackers use:

  • Hackers use social media to gather information and identify key IT people or executives, then send customized emails to these targeted individuals. When the individuals open the emails, they unknowingly download hidden malware, which retrieves and sends passwords or other sensitive data to the sender. The hacker then uses the passwords to access confidential information.
  • Criminals pose as professional-looking IT service technicians. They present business cards and wear shirts with the logo of a vendor company. The goal is to obtain access to a server room or other PC equipment and attach inconspicuous devices to intercept data and transmit that data out to a criminal group.
  • Attack botnets (automated, malicious, large-scale armies of PCs) cost criminals nothing to build because they use the computing and network capacity of unsuspecting individuals' PCs that are connected to the Internet without adequate security features. This can be a particular problem for companies whose associates use their home PCs to download business information while working remotely.

In other words, even with the best security technologies in place, criminals can find a way to access, alter or destroy data by exploiting human behavior, so security awareness continues to be one of the most effective and essential elements in the security toolkit.

Who is the right audience for data security awareness training? According to the U.S. National Institute of Standards and Technology (NIST), security awareness should be directed to all computer users with the purpose of changing behavior and reinforcing good security practices.

The first step in designing an effective awareness program is to determine what types of information or IT infrastructure need to be protected. Key messages should be aligned with and oriented on the types of information that are important to safeguard. There has been an emphasis on credit card data in the past few years, which is critical in the hospitality industry. But other types of information need consideration as well. Employee information is often overlooked, but hackers target it because it typically contains Social Security numbers and bank account numbers used for payroll deposits and expense reimbursements. Marketing information such as loyalty member contact details, including phone numbers and email addresses, can find its way into a competitor's hands. Finally, if accounting or financial records and files are lost, damaged or altered, the consequences may disrupt or hinder critical business activities or lead to financial fraud schemes.

The next step for a security awareness program is to consider communication delivery methods. Posting a 45-page security policy manual on the company intranet may be necessary, but it does not qualify as a security awareness program. The way we learn a second language, memorize lyrics to a song, or develop any new habit is with repetition. And for security awareness, repetition of key messages communicated in different ways will drive and influence behavior. Think of security awareness as an internal marketing campaign and tap into your marketing team for the best techniques for your work culture.

This might include items typically used as giveaways in tradeshows (key fobs, notepads, clocks, pens) that are imprinted with a security phrase or tagline, or posters that are fun and clever. Other ideas are to produce short videos by the employees or provide lunch-and-learn sessions with guest speakers.

The hospitality industry is known for its teamwork culture, and that culture can pay off in planning and implementing security awareness. Whether your goal is to develop a new program or review an existing process, teamwork can ultimately overcome these common pitfalls or barriers:

  • Insufficient funding
  • Limited or inadequate communication of awareness messages
  • Lack of participation or support by senior executives or leaders
  • Absence of auditing or reported metrics

The best ideas often come from within, so tap into the IT security staff, whose subject matter expertise can help identify the behaviors that need to be reinforced or changed, and ask your marketing team for creative ways to effectively reinforce security awareness messaging. Partner with your HR department to learn what has worked best in other types of awareness programs and gain practical logistics such as measuring participation. Legal or internal audit can identify compliance requirements that should be included in the program, and inputs and evaluations from a cross-section of users will catch any aspects of the security messaging that are not clear or do not seem relevant.

Make it a top priority to develop or improve your security awareness program in order to realize the benefits of investments made in security technology. And remember: Repetition of key messages communicated in different ways will drive and influence behavior.

Lynn Goodendorf is vice president of data privacy services at VerSprite, which provides consulting services in information security and privacy. She can be contacted at lgoodendorf@versprite.com.

©2013 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.

 

Check out these free or inexpensive resources online: