Security Awareness Training is an essential, proactive control, which allows organisations to get key messages across to employees.
Without Security Awareness Training, businesses should ask themselves just how confident they would be that all of their employees would know how to do the following:
- Handle sensitive information (credit card details or personally identifiable information)
- Identify a phishing attack
- Identify and challenge an unauthorised person in the office
- Report a security incident
- Know where corporate policies are kept or what they are called
A good information security strategy should be a balanced mix of good advice, real-life examples and corporate messages, and should include incident response processes, policy outlines and data classification, which should outline management policies regarding storage, retention, disposal and transmission of data. In addition to this, an effective strategy should include key advice that an employee can use both inside and outside work, starting with the basics – for instance, do they understand how insecure their mobile devices really are?
There are three popular mediums of security awareness training as described below:
This consists of poster campaigns, email drops and other non-interactive information distribution methods. Whilst this medium is undoubtedly the cheapest and easiest way to reach a large audience, it is very difficult to gauge its effectiveness. Once a poster has been on a wall for a week, it becomes part of the furniture. Equally, if an employee receives an email, how can you be sure that they have read it, rather than immediately deleted it?
An online portal is another good and affordable way to get messages to a wider audience. In this instance, it is possible to customise data to articulate key messages, provide interactive options and even conduct quizzes to gather feedback in terms of attendance and to ascertain whether the audience has understood the content. An interactive portal also has minimal effect on resources; content can be viewed at the convenience of an employee, so it does not impact on their day-to-day work. This is likely to be the most suitable option for large multinational corporations.
An instructor-led classroom training session is often the most effective in terms of impact, but this comes with the greatest cost and potential disruption to a business. A good security awareness trainer will be able to tailor their content depending on the interaction with the audience, to ensure the key messages are clearly understood by everyone. By engaging with the audience, a trainer will also be able to gather information from attendees regarding employee habits and undocumented processes. This information can be invaluable in terms of understanding where key risks may lie within an organisation.
The reality is that a blended approach for your different users and environments is often required. Mixing annual online training with periodic instructor-led training, backed up with regular posters and newsletters, can provide you with the greatest assurance that training is effective.
To ensure that learning and behaviour change are taking place, this can also be supplemented with proactive testing around simulated phishing attacks, office visits, social engineering testing and incident monitoring.
Please remember that good security standards always follow the 90/10 rule:
- 10% of security safeguards are technical.
- 90% of security safeguards rely on the computer user to adhere to good computing practices.
Regardless of the format, security awareness training is an essential accompaniment to any control being implemented. It is essential that we train our employees to understand how to use these controls in order for them to be most effective. How good is a lock on a door if we don’t close the door? How good is a password if it’s written on a Post-it note? How good is a firewall if there is an open rule base?
To contact the Nettitude editor, please email email@example.com.