Information security awareness mantras from the Apeejay campaign
By Dhwani Pandya, Principal Correspondent
05 Feb 2010 | searchSecurity.in
A company can have the best information security architecture, but if
user awareness does not complement it, then all these efforts are
wasted. With this goal in mind, the Apeejay Surrendra group started its
security awareness training sessions for close to 43,000 employees
through a highly interactive campaign in 2009.
The Apeejay Surrendra group, a large privately-owned family business, will be completing 100 years in 2010. It has diversified business interests in tea, hospitality, shipping, real estate, retail, logistics and insurance services. The group has branch offices across metros with its head office at Kolkata.
Apeejay uses robust and scalable IT infrastructure for managing its IT security. It uses Cisco ASA and PIX for two-layer firewall protection. This is supplemented by a Trend Micro solution for virus and malware protection, spam and URL filtering, and other Web security aspects. "Despite such a robust IT setup, we faced information security threats at Apeejay. However, these were primarily from internal users due to lack of awareness about information security and their corresponding roles and responsibiliti
The Apeejay Surrendra group, a large privately-owned family business, will be completing 100 years in 2010. It has diversified business interests in tea, hospitality, shipping, real estate, retail, logistics and insurance services. The group has branch offices across metros with its head office at Kolkata.
Apeejay uses robust and scalable IT infrastructure for managing its IT security. It uses Cisco ASA and PIX for two-layer firewall protection. This is supplemented by a Trend Micro solution for virus and malware protection, spam and URL filtering, and other Web security aspects. "Despite such a robust IT setup, we faced information security threats at Apeejay. However, these were primarily from internal users due to lack of awareness about information security and their corresponding roles and responsibiliti
Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By joining searchSecurity.in you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.
TechTarget cares about your privacy. Read our Privacy Policy
es," says Subhashish Saha, the
group CTO of Apeejay Surrendra. In a particular incident at one of the
group companies, an employee was found leaving important business proposal document open. Following this, a survey by the IT team (in 2009) revealed that security awareness was very low among employees across
the group. The group has to manage close to 43,000 employees across
offices and tea gardens.
Like several other organizations, Apeejay was earlier flexible in implementing desktop security such as controls on peripheral devices, file/folder sharing, printer output management and management of physical papers (and files). The CTO realized that no amount of IT tools could train users to shred unwanted printed material, secure their physical files and folders, or not use a password such as 'Welcome' or 'Apeejay'. "Hence I decided that the only way to protect us from information security threats was to make people aware of the need to take care of their own soft and hard information," explains Saha.
Apeejay decided to address this challenge with a well-defined and planned program for increasing information security awareness across group companies. Some of the primary objectives of this campaign were to explain information security using easy to understand language, with practical examples of current practices followed, to build an information security community having participation from each of the group companies, and to further the cause of information security awareness in the long-term.
PCS was called in as the security consultant to help Apeejay design the information security campaign. PCS was responsible to create and manage the distribution of theme-based screen savers and wallpapers for a period of six months. Another reason to involve a security consultant was to bring in an outsider perspective and get professional help for IT security audits, Saha explains.
Apeejay dedicated a week (August 3-7, 2009), for focused programs on information security awareness. During this week, the company organized group-wide awareness workshops, quiz programs, slogan contests, the sharing of ideas and feedback, and sponsored contests. The content and schedule of the information security campaign was designed by Joy Bagish, senior IT infrastructure manager who also looks after IT security. The corporate communications and HR departments were involved in communicating and organizing seminars across group companies.
PCS also conducted key sessions during the information security week,
and presented a few recommendations after IT security audits; these
were subsequently implemented. Apeejay made sure that the complete
program was designed to be participative, and that most of the content
came from the users themselves. During the information security
awareness week, Apeejay organized contests for both participation and
best content. Giving an example, Saha says that the user who created
the best poster got an award. He says that 65% of the employee
population participated in the quiz, and that it was conducted
nationally using their inhouse-developed intranet platform. There were
108 nominations for the slogan contest. On the last day of the week,
Apeejay received about 50 suggestions on how an individual user could
take care of his security issues. "It was quite an involved program,
even the seminars — which are normally not received well — also had 40%
of the user population present with several questions and answers,"
says Saha.
The information security awareness campaign's total cost, which included sponsorship from hardware vendors and OEMs, came to about Rs 1,00,000. According to Saha, the security awareness campaign has been really effective in increasing enthusiasm and involvement from the user community. "The program has helped to make our colleagues understand that information security starts with the individual, and cannot be driven only by the IT department," says Saha.
In order to keep up the momentum, Apeejay organized several subsequent security awareness training camps where information security issues have been handled at the individual level. "During January 2010, we organized an online quiz to check the level of improvement, and felt that information security awareness needs to be pushed as a continuous engagement process," concludes Saha.
 |
||||
|
|
|||
|
||||
Like several other organizations, Apeejay was earlier flexible in implementing desktop security such as controls on peripheral devices, file/folder sharing, printer output management and management of physical papers (and files). The CTO realized that no amount of IT tools could train users to shred unwanted printed material, secure their physical files and folders, or not use a password such as 'Welcome' or 'Apeejay'. "Hence I decided that the only way to protect us from information security threats was to make people aware of the need to take care of their own soft and hard information," explains Saha.
Apeejay decided to address this challenge with a well-defined and planned program for increasing information security awareness across group companies. Some of the primary objectives of this campaign were to explain information security using easy to understand language, with practical examples of current practices followed, to build an information security community having participation from each of the group companies, and to further the cause of information security awareness in the long-term.
PCS was called in as the security consultant to help Apeejay design the information security campaign. PCS was responsible to create and manage the distribution of theme-based screen savers and wallpapers for a period of six months. Another reason to involve a security consultant was to bring in an outsider perspective and get professional help for IT security audits, Saha explains.
Apeejay dedicated a week (August 3-7, 2009), for focused programs on information security awareness. During this week, the company organized group-wide awareness workshops, quiz programs, slogan contests, the sharing of ideas and feedback, and sponsored contests. The content and schedule of the information security campaign was designed by Joy Bagish, senior IT infrastructure manager who also looks after IT security. The corporate communications and HR departments were involved in communicating and organizing seminars across group companies.
|  | ||||||||||||||||
| |||||||||||||||||
The information security awareness campaign's total cost, which included sponsorship from hardware vendors and OEMs, came to about Rs 1,00,000. According to Saha, the security awareness campaign has been really effective in increasing enthusiasm and involvement from the user community. "The program has helped to make our colleagues understand that information security starts with the individual, and cannot be driven only by the IT department," says Saha.
In order to keep up the momentum, Apeejay organized several subsequent security awareness training camps where information security issues have been handled at the individual level. "During January 2010, we organized an online quiz to check the level of improvement, and felt that information security awareness needs to be pushed as a continuous engagement process," concludes Saha.