Ivy Sea, Inc.

51 Federal Street

Suite 307

San Francisco, CA

94107

T 415.778.3910

F 415.778.3911

info@ivysea.com

The Weakest Link
Getting Employees to Actively Buy in to Information Security

Apart from those whose job it is to secure company information, does anyone else care? After all, it's the Information Security department's responsibility to safeguard company information, right?

WRONG! That's like thinking you don't have to put your own litter in the trash because the garbage collector will do it for you. Effective information security can't happen without help from every employee, contractor, consultant, vendor and strategic partner. The company can't guarantee information security unless everyone contributes to the cause.

Information security departments are akin to the police -- they provide policies, services and guidelines that govern how you protect company information. But they can't be there to protect you in every situation.

Sure, the IS department maintains the monitoring systems and secures the firewall. But think about the information security breaches that occur outside the company fortress: a laptop containing essential trade secrets stolen at the airport, an intruder getting into the system through an easily cracked password, or an office computer carelessly left logged in and unattended for anyone to walk up and use. Consider, too, the threats that don't involve technology at all: information innocently given out over the phone, an overheard elevator conversation, and overflowing in-boxes just waiting to be searched.

Who do you think is on the front line in these cases?
Hint: It's not the IS department!

To compound things, disgruntled employees (both former and current), clever hackers, snooping competitors and evil virus creators worked overtime to infiltrate information security systems in 1997.

Attacks are on the rise and security breaches cost more
Information security risks are on the rise. Points of vulnerability have increased dramatically. Remote access means that people can access company data from computers located anywhere in the world. The Internet, intranets and extranets are ticking time bombs just waiting to be detonated by hackers. Gone are the days when Pinkerton security guards simply locked up information in a vault at the end of the day. Consider this:

  • A survey by Information Week and Ernst & Young (completed in July 1997) of 4,226 high-tech managers and IS chiefs worldwide, found that internal and external attacks are up significantly. (External attacks are up 42% versus 16% last year; and internal attacks from employees are up 43%, from 29% last year.)
  • Industrial espionage victimized a record number of U.S. companies in 1997. Hits were up a whopping 38% in 1997, from 6% in 1996. Of the companies victimized, 84% can't put a financial figure to the loss.
  • Viruses infected more than half the U.S. companies in the survey, and cost them up to $100,000 to eradicate.
  • The Computer Security Institute found that information security breaches cost the 563 companies it surveyed more than $100 million in 1996.

What if an attack happened at your company?
Good question. Let's say a virus got into your company's information database via an employee who didn't scan his files with the latest virus protection software. If the virus is potent enough, it could bring your company to a screeching halt in a matter of hours. Hopefully, your IS department will eradicate it before it multiplies and wreaks havoc, but if it can't, expect to spend countless hours recovering data.

Even a simple 'hoax' virus message (not a real virus, but a fictitious warning about one) can clog your e-mail system as well-meaning employees forward it to everyone they know, slowing mail delivery considerably or shutting it down altogether under the flood of copies.

Passwords are another problem. Most people pick passwords that are easily guessed, or worse yet, built from something in plain view on their desk (the name of a pet, a favorite sports team, the name of a current project, and so on). An attacker who gets hold of a valid password doesn't have to break anything: he simply logs in as that employee and reaches everything that account can reach, often within minutes.
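
To make the point concrete, here is a small added example (not code from the original article) that models the attack described above: an attacker who has glanced at an employee's desk tries the words he saw there, with the handful of mutations people habitually apply. The desk facts, mutation rules, minimum length and sample passwords are all constructed for illustration.

```python
"""Desk-aware password guessing: an added example, not code from the article.

An attacker who has seen a user's desk (pet photo, team pennant, project
folder) tries those words with the mutations people habitually apply.
Every value below is constructed for illustration: DESK_FACTS, the
mutation rules, MIN_LENGTH and the sample passwords are assumptions,
not data from any survey.
"""
import itertools
from typing import Iterable, Set

# Constructed: what a visitor could read off one desk in a minute.
DESK_FACTS = ["Rover", "Giants", "Phoenix", "1997"]

# The usual "make it harder" tricks: l33t letters and a short tail.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "123", "!", "97", "1997", "2002"]

MIN_LENGTH = 12  # assumption: the policy floor this checker enforces


def mutations(word: str) -> Set[str]:
    """Case, l33t and suffix variants of one word."""
    low = word.lower()
    bases = {low, low.capitalize(), low.upper(), low.translate(LEET)}
    return {base + suffix for base in bases for suffix in SUFFIXES}


def guess_list(facts: Iterable[str]) -> Set[str]:
    """Everything a desk-aware attacker tries first: each fact with its
    mutations, plus ordered pairs of facts glued together."""
    facts = list(facts)
    guesses: Set[str] = set()
    for fact in facts:
        guesses |= mutations(fact)
    for a, b in itertools.permutations(facts, 2):
        guesses |= {
            a.lower() + b.lower(),
            a.capitalize() + b.capitalize(),
            a.lower() + "_" + b.lower(),
        }
    return guesses


def check_password(password: str, facts: Iterable[str]) -> str:
    """Classify a candidate password against what is visible on the desk.

    Returns one of: "in guess list", "contains desk fact", "too short", "ok".
    The first two are the failures the article warns about; the third is
    the generic floor every policy needs; "ok" means no check fired.
    """
    facts = list(facts)
    if password in guess_list(facts):
        return "in guess list"
    lowered = password.lower()
    if any(fact.lower() in lowered for fact in facts):
        return "contains desk fact"
    if len(password) < MIN_LENGTH:
        return "too short"
    return "ok"


def guess_count(facts: Iterable[str]) -> int:
    """How many tries the desk-aware attack needs to exhaust its list."""
    return len(guess_list(facts))


if __name__ == "__main__":
    # Constructed sample passwords, from "what most people pick" to a passphrase.
    for candidate in ["Rover1", "r0v3r123", "GiantsPhoenix",
                      "myphoenixrises", "Tr0ub4dor&3",
                      "correct-horse-battery-staple"]:
        print(f"{candidate:32} -> {check_password(candidate, DESK_FACTS)}")
    print(f"guesses needed to cover the whole desk list: {guess_count(DESK_FACTS)}")
```

The whole desk-aware list comes to well under two hundred guesses, which is why such a password falls in seconds rather than minutes: the attacker is not cracking anything, he is reading the desk. A long passphrase unrelated to anything on display passes all three checks.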

You can see how important employees are to minimizing technical security risks, but don't forget all the other ways information can leak out of a company. For instance, a number of people on the commuter train overhear a conversation between two employees about the new marketing plan, or an employee leaves sensitive information unprotected on her desktop or inbox. Another employee throws the early drafts of a key strategic plan in his trash can. Had these employees understood information security and what role they play, these potentially costly leaks could have been prevented.

How do you gain employee support?
Give employees the information they need to help the IS department minimize security risks. Enlist employees by raising their awareness of your company's security issues. Remember: no information security effort is complete without employees' help.

Don't think you're off the hook just because you've published countless memos on the policies that govern information security. Chances are excellent they're dull and dry and no one is reading them. In this age of information overload, you must cut through the clutter with the right communication to get anyone to listen, much less act.

Treat your communication campaign as a highly creative endeavor. Better yet, think like an advertiser. Consider the current antibacterial, salmonella/E. coli craze that has everyone overcooking food and throwing away leftovers. The makers of household cleaning products helped perpetuate this frenzy by repackaging their products with germ-killing ingredients and making us believe that extreme danger lurks on every single surface in our homes. It's enough to spur most of us into germ warfare.

You have to do the same thing with your information security campaign. It has to reach people in a way that makes them want to take action. Boil down your policies into specifics. Make it fun, make it scary, have a contest, or create a campaign icon. Have a brainstorming session with your colleagues.

There are a lot of ways you can approach your campaign. The important thing is to just get started, posthaste. Infiltrators and other information thieves are busy chipping away at your company's defenses right now.


Copyright: Copyright 2002. For information about reprinting or distributing this or other Ivy Sea Online content, contact us for express permission and guidelines.

Ivy Sea Consulting Services: This information provides food for thought rather than counsel specifically designed to meet the unique needs of your organization. Visit About Ivy Sea or give us a call to learn how we can help you discover how to make the most of your culture, communication, talents, services, infrastructure and systems to take you to greater levels of mastery and success as an individual, group or organization. How can we help you? We welcome your email inquiry.


