Employees push back hard when they receive an information security policy or standard that says, for example, that everyone must change their password every 45 days.
At that point staff do not think twice about going to war with their managers. In other words, the resistance to change is so great that employees end up in a real duel with the information security policy.
Naturally, companies do not say this in the awareness campaign or when the policy and standard are published, but the password-change rule is usually created to satisfy an external audit requirement. There are very few cases in which an organization defines this kind of rule in order to improve security.
But that is not the only problem. Today each of us has a password for internet banking, personal e-mail, corporate e-mail, the network login, the intranet, social networks, instant messaging, the bank card, a blog, and so on.
To "help", the organization then asks you to create a new complex password: one that must contain uppercase and lowercase letters, numbers, and special characters.
But does this really work?
First, the employee creates a password so hard to remember that they will probably forget it.
Second, so as not to forget the password, the employee writes it down.
Third, having produced a combination so "strong" and hard for anyone to guess, the employee uses the same password for everything. The corporate password is now also the password for personal e-mail, the personal blog, and so on. The habit of reusing one password everywhere was even the subject of a recent survey.
Fourth, the employee creates a complex password of the kind the policy or standard calls for, such as "D & nny123". After 45 days the employee is forced to change it, and the new password is "D & nny1234". The next one will be "D & nny12345", and so on: each rotation produces a password that anyone who knew the previous one can guess in a handful of tries.
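As an added example (not part of the original post), the following Python script shows why a complexity rule on its own does not catch the "D & nny123" to "D & nny1234" pattern: the complexity check accepts every password in the chain, while a simple similarity check against the previous password rejects each rotation. The policy values (minimum length of 8, the set of special characters, the 0.8 similarity threshold) are assumptions chosen for illustration, and the password history is constructed.

```python
import re
from difflib import SequenceMatcher

# Assumed policy parameters (illustrative, not from the post).
MIN_LEN = 8
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ ")
SIMILARITY_THRESHOLD = 0.8


def meets_complexity(pw: str) -> bool:
    """The usual 'complex password' rule: length plus one character of
    each class (upper, lower, digit, special). It says nothing about how
    the password relates to the previous one."""
    return (
        len(pw) >= MIN_LEN
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in SPECIALS for c in pw)
    )


def strip_trailing_digits(pw: str) -> str:
    """'D & nny1234' -> 'D & nny': isolates the part people keep fixed."""
    return re.sub(r"\d+$", "", pw)


def is_predictable_successor(old: str, new: str) -> bool:
    """Heuristics for a rotation that only bumps or extends the old password."""
    if old == new:
        return True
    # Same base text, only the trailing counter changed.
    if strip_trailing_digits(old) == strip_trailing_digits(new):
        return True
    # One is the other plus an appended suffix.
    if new.startswith(old) or old.startswith(new):
        return True
    # Catch-all: near-identical text ignoring case (e.g. Danny123 -> danny123).
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= SIMILARITY_THRESHOLD


def evaluate_change(old: str, new: str) -> tuple:
    """Decision a password-change handler would make. Returns (accepted, reason)."""
    if not meets_complexity(new):
        return False, "does not meet complexity rule"
    if is_predictable_successor(old, new):
        return False, "too similar to previous password"
    return True, "ok"


def audit_history(history: list) -> list:
    """Given a user's successive passwords, return the indices of rotations
    that were predictable from the previous password. Every entry in the
    chain from the post passes the complexity rule, yet every rotation is
    flagged here."""
    return [
        i for i in range(1, len(history))
        if is_predictable_successor(history[i - 1], history[i])
    ]


if __name__ == "__main__":
    # Constructed history mirroring the example in the post.
    chain = ["D & nny123", "D & nny1234", "D & nny12345"]
    print("all meet complexity:", all(meets_complexity(p) for p in chain))
    print("predictable rotations at:", audit_history(chain))
    print(evaluate_change("D & nny123", "D & nny1234"))
    print(evaluate_change("D & nny123", "Tr4vel-Oslo_2019"))
```

The point of the script is the contrast between the two checks: a complexity rule is a property of one password in isolation, while the failure the post describes is a property of the transition between two passwords, so a rotation policy that enforces only the former is measuring the wrong thing.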
The subject is undoubtedly important in every organization. But what we are really talking about is cultural change.
Organizations do not make proper use of their own organizational structures to implement what their information security policy and standards describe.
Typically, senior management assumes that the IT or Information Security department alone is responsible for developing an awareness campaign aimed at changing employee behavior.
Marketing, Human Resources and even Legal must take part in developing an information security awareness campaign.
Internal Audit should take part in monitoring, identifying deviations from the information security policy and standards and feeding that information into the continuous improvement process. In short, IT or Information Security is only one of the supporting areas, and without the collaboration of the others it will not be able to reach the organization's information security objectives.