Raising awareness of surveillance risks

We have just uploaded the latest awareness module on surveillance for our subscribers.  As you’ll appreciate from the word cloud, this is fascinating topic, something we hope will really catch workers' imaginations and so get them thinking and chatting (an awareness win!).

Our two main areas of focus in the new module are: 

(1) Surveillance of various kinds conducted by the organization (e.g. CCTV coverage of public and controlled areas, network traffic monitoring, system security and audit logs, spam and malware scanning); and 

(2) Surveillance conducted on the organization and its workers by various third parties (e.g. compliance monitoring by various authorities, and industrial espionage or spying by competitors). With some exceptions, the former is authorized by management for legitimate business purposes, while the latter can be sinister (e.g. Big Brother and industrial espionage).

The tools and techniques to mitigate the risks include counter-surveillance and compliance activities: for example, being vigilant for potentially hostile or illegal surveillance and hopefully reporting them so they can be assessed and something can be done, if appropriate.  

That's a classic example of effective security awareness leading to changes in behavior, by the way. Simply being vigilant is not sufficient if workers' suspicions lead nowhere: they need to react and respond to risky situations.  

It's not enough to know smoking is unhealthy. Smokers need to kick the habit.

Aside from the written materials and poster images, here are a few more ideas to raise awareness on this topic, taken from the train-the-trainer guide in the module:

• Hold “Spy-day-Fri-day” with prizes for the best-dressed spies and spooks and the best decorated offices.
• Liaise with the IT professionals who manage various monitoring, scanning, logging, alerting and other surveillance systems, to find out what they do, and the kinds of issues they are handling. Examine the business value of the investment in technology and people. Ask them for tips concerning surveillance to pass on to workers (but avoid being too Big Brother about it!). 
• Persuade outgoing, charismatic surveillance experts to get actively involved in the awareness program this month e.g. attending and/or presenting at your seminars, workshops etc. Brief them on the objectives of the security awareness program and (with their agreement) incorporate their inputs, especially any interesting anecdotes or challenges they are facing. 
• Organize a risk workshop with representation from Site/Physical Security, Facilities, Compliance, HR, IT, Risk Management etc. to discuss the risks and controls in this domain.

What are you doing to make your awareness program more engaging?  What works best in your organization?