Mon, Jul
4 New Articles

Why Your Business Needs a Security Awareness Program

Security - Other
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Do you have a formal plan for educating employees about ongoing IBM i and IT security threats?

This article is excerpted from IBM i Security Administration and Compliance: Second Edition, chapter 20.

A security awareness program is an official or recognized project, typically under the “jurisdiction” of the Chief Security Officer (CSO), that is created for the purpose of educating individuals such as the organization’s employees, contractors, vendors, and volunteers about the organization’s security policies. The education should explain how the policies relate to each individual, and it should be performed on an ongoing basis.

A security awareness program is a requirement of many laws and regulations. But, beyond that, it simply makes good business sense to develop a security awareness program. By training your organization, you are mobilizing your entire workforce to help fight the security compliance battle and help you wage the war against inappropriate use of data.

Security awareness training typically starts the day an employee is hired, a contractor begins a project, or a volunteer starts. This is when the employee portion of your organization’s security policy is explained and the person is required to read and sign it, acknowledging that he or she understands its contents and meaning. Although many organizations take advantage of this initial opportunity, that’s often where the security awareness training stops. Everyone in the organization needs to develop a security “lifestyle.” To ensure that this happens, security awareness training should take place on a regular basis, so that people receive periodic reminders of the organization’s security requirements. They should also receive the appropriate training if they change positions and the requirements of the new position differ from the previous one.

Another reason for ongoing education is because new threats arise, and new technology is developed. For example, when you first started working with email, did you have to worry about users downloading and subsequently leaving unencrypted confidential or private information on their mobile devices? Did you have to concern yourself with whether people were blogging during work hours or inappropriately posting statements as representatives of the organization? Without an ongoing security awareness program, you have no effective way of communicating the requirements of new or updated policies.

Another reason for periodic education is to update those in the organization about new or changed laws or regulations that affect the organization. For example, California expanded its breach notification law to include the loss of email addresses if the data lost also contains the answers to the security questions that are asked when someone loses their password. Privacy laws in Europe are becoming more restrictive in regard to the use of peoples’ private data, how long it can be retained, and the purpose of retaining the data. The expansion of laws and regulations may be known to your compliance team, but unless the rest of the organization is educated, it’s very easy for an organization to unknowingly be out of compliance. Educating your workforce is key in helping detect fraud and other situations that can damage or otherwise put your organization out of compliance.

What Method Do I Use to Communicate?

Because we don’t all learn in the same way, your security awareness program should include all types of learning. Giving security awareness training and tips using audio, graphics, and text will provide opportunities for everyone to absorb the information.

I’ve seen some of our clients use posters to communicate a “security slogan” of the month. The posters are often of high quality, featuring professional-looking images that capture the eye and draw you into the message. Other clients have used a lighter approach; their posters feature a cartoon conveying the message of the month through humor. In both cases, the companies obviously know their “audience” and the type of messaging their workforce responds to. Because messages get stale and people start to ignore them, most organizations change their security message about once a month.

For the technology learner, you can have short YouTube videos that illustrate the security tip or message. This method works well in the high-tech industry and any organization that hires Millennials. For more “traditional” or staid organizations, provide material for managers to present at their next department or team meeting.

As for the folks who read everything that comes their way, you can send out a monthly newsletter. Another approach is to change the network or IBM i sign-on screen to reflect the current month’s security emphasis.

Finally, it’s a good practice to have each employee annually review and re-sign the employee security policy. To accomplish this, some organizations use a secure website on their intranet where employees can read the policy and then digitally sign to indicate that the policy was reviewed. I’ve also seen organizations require management to present the policy to each employee individually or to the entire department during an in-person or online department meeting. Regardless of the method, I highly recommend that you obtain some type of proof indicating that employees received the education and understand the updates and new requirements.

Getting Started with Security Awareness

If you need help getting your security awareness program started, look to the Internet for help. There are companies that provide security awareness training packages—videos, posters, newsletters, monthly security themes, and so on. In addition, organizations that focus on training for security professionals often have online security awareness training courses that you can buy. Both provide good places to start.

Whether you use one of these resources or create your own program, I encourage you to make your training “real.” Provide scenarios that are meaningful to your organization, so that the workforce can more easily relate to the concepts being explained. In addition, make sure you provide the right training for your audience. Talking about data classification and proper disposal of media containing private data will make the manufacturing worker’s eyes glaze over! However, such employees do need to understand that the proper use of social media—that is, whether they can post comments about the company, watch YouTube videos or play online games during work hours, and so on.

In addition to addressing topics that the entire organization will benefit from, it’s important not to ignore the education aspects that should be targeted to a specific audience. For example, I believe it’s vital to educate programmers and developers about the current and upcoming laws and regulations that affect your organization’s data. Engaging these individuals as soon as you’re aware of a new compliance requirement lets them better plan for application changes. In addition, if you see trends—such as the potential for healthcare information to be encrypted—you should warn them that this requirement might be coming. When equipped with this type of information, your programmers and developers can design their architecture to accommodate the requirement should it become law. In addition, engaging them early has the potential to make them feel as if they are part of the information security team rather than having requirements foisted upon them without any input or warning. Most programmers have no interest in security—they feel it’s an impediment to getting their work done. So the sooner you can engage them, the more successful the project will be.

Carol Woodbury


Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.

MC Press books written by Carol Woodbury available now on the MC Press Bookstore.

IBM i Security Administration and Compliance: Third Edition
Don't miss the newest edition by the industry’s #1 IBM i security expert.
List Price $71.95

Now On Sale

Mastering IBM i Security Mastering IBM i Security
Get the must-have guide by the industry’s #1 security authority.
List Price $49.95

Now On Sale



Support MC Press Online


Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: