I monitor a security mailing list, where in a thread it is suggested that education of employees is the best security prevention there is. This is a mindset that I agree with. The thread motivated me to look further into how to educate employees to be security conscious.
I found some articles on a forum for Chief Security Officers (CSOs).
One article is about how to get the message out to the employees, and the article suggests using a lot of internal marketing and branding to keep focus on the subject. The article also describes how the IT department crafted a fake phishing mail and sent it out to all employees. The attached file, instead of installing a rootkit, showed a flashy and colourful warning, while the IT department also collected statistics on how many people actually fell for the phishing trap.
Another article I liked describes how to set up a security awareness/education programme in a corporation. The article details the methods to get the information into the heads of the employees instead of leaving it in a dusty book on the shelf. They recommend always keeping the content fresh and using a heavy dose of humour, since most people find security boring. The article also suggests regularly reminding people of the security policy by implementing a captive portal that requires employees to complete a new test monthly in order to use the network.