
Information security awareness mantras from the Apeejay campaign

By Dhwani Pandya, Principal Correspondent
05 Feb 2010 | SearchSecurity.in


A company can have the best information security architecture, but if user awareness does not complement it, then all these efforts are wasted. With this goal in mind, the Apeejay Surrendra group started its security awareness training sessions for close to 43,000 employees through a highly interactive campaign in 2009.

The Apeejay Surrendra group, a large privately-owned family business, will be completing 100 years in 2010. It has diversified business interests in tea, hospitality, shipping, real estate, retail, logistics and insurance services. The group has branch offices across metros with its head office at Kolkata.

Apeejay uses a robust and scalable IT infrastructure for managing its IT security. It uses Cisco ASA and PIX for two-layer firewall protection. This is supplemented by a Trend Micro solution for virus and malware protection, spam and URL filtering, and other Web security aspects. "Despite such a robust IT setup, we faced information security threats at Apeejay. However, these were primarily from internal users due to lack of awareness about information security and their corresponding roles and responsibilities," says Subhashish Saha, the group CTO of Apeejay Surrendra. In a particular incident at one of the group companies, an employee was found leaving an important business proposal document open. Following this, a survey by the IT team (in 2009) revealed that security awareness was very low among employees across the group. The group has to manage close to 43,000 employees across offices and tea gardens.

Like several other organizations, Apeejay was earlier flexible in implementing desktop security such as controls on peripheral devices, file/folder sharing, printer output management and management of physical papers (and files). The CTO realized that no amount of IT tools could train users to shred unwanted printed material, secure their physical files and folders, or not use a password such as 'Welcome' or 'Apeejay'. "Hence I decided that the only way to protect us from information security threats was to make people aware of the need to take care of their own soft and hard information," explains Saha.

Apeejay decided to address this challenge with a well-defined and planned program for increasing information security awareness across group companies. Some of the primary objectives of this campaign were to explain information security in easy-to-understand language, with practical examples of current practices followed; to build an information security community with participation from each of the group companies; and to further the cause of information security awareness in the long term.

PCS was called in as the security consultant to help Apeejay design the information security campaign. PCS was responsible for creating and managing the distribution of theme-based screen savers and wallpapers for a period of six months. Another reason to involve a security consultant was to bring in an outsider's perspective and get professional help for IT security audits, Saha explains.
 
Apeejay dedicated a week (August 3-7, 2009) to focused programs on information security awareness. During this week, the company organized group-wide awareness workshops, quiz programs, slogan contests, the sharing of ideas and feedback, and sponsored contests. The content and schedule of the information security campaign were designed by Joy Bagish, senior IT infrastructure manager, who also looks after IT security. The corporate communications and HR departments were involved in communicating and organizing seminars across group companies.

PCS also conducted key sessions during the information security week, and presented a few recommendations after IT security audits; these were subsequently implemented. Apeejay made sure that the complete program was designed to be participative, and that most of the content came from the users themselves. During the information security awareness week, Apeejay organized contests for both participation and best content. Giving an example, Saha says that the user who created the best poster got an award. He says that 65% of the employee population participated in the quiz, and that it was conducted nationally using their inhouse-developed intranet platform. There were 108 nominations for the slogan contest. On the last day of the week, Apeejay received about 50 suggestions on how an individual user could take care of his security issues. "It was quite an involved program, even the seminars — which are normally not received well — also had 40% of the user population present with several questions and answers," says Saha.
 
The information security awareness campaign's total cost, which included sponsorship from hardware vendors and OEMs, came to about Rs 1,00,000. According to Saha, the security awareness campaign has been really effective in increasing enthusiasm and involvement from the user community. "The program has helped to make our colleagues understand that information security starts with the individual, and cannot be driven only by the IT department," says Saha.
 
In order to keep up the momentum, Apeejay organized several subsequent security awareness training camps where information security issues have been handled at the individual level. "During January 2010, we organized an online quiz to check the level of improvement, and felt that information security awareness needs to be pushed as a continuous engagement process," concludes Saha.

