The damage done by identity theft doesn't stop with the victim. It has become a major business concern. Current and proposed legislation mandates disclosure of database compromises — in some cases, even suspected compromises — to affected customers, vendors, and employees. It might stem from an accidental disclosure, network intrusion, internal malfeasance, or a stolen laptop. Whatever the cause, you need a plan to help avert — or at least contain — the potentially ruinous consequences of database compromise for your business.

Awareness expectations are changing

Employee security awareness has always been a complex and controversial issue. While most organizations agree that employees play a key role in any information security program, few can agree on how best to achieve awareness, what awareness actually means, and whether it’s even worth the effort or investment.

But there is one unique element that makes security awareness different from every other security solution. Security awareness is the only security solution that doesn’t have to work in order to be effective.

There’s no regulation, law, or customer expectation that requires security awareness to be effective because true security awareness cannot be achieved or measured. True security awareness means permanently changing the behavior of all or most employees so they stop doing the wrong thing and almost always make the right decisions. Such a goal is impossible to achieve.

However, organizations of all sizes can significantly immunize themselves from legal and brand impact if they can demonstrate that they took all reasonable measures to ensure constant security education and awareness efforts.

With a comprehensive awareness program, you can win both battles. You can significantly and demonstrably improve employee security awareness with little effort or cost. And you can clearly demonstrate and document that your organization has gone “above and beyond” what can be reasonably expected to make your employees as secure as they can possibly be.