Updated: Nov 14, 2019
Employees are part of an organization’s attack surface, and ensuring they have the know-how to defend themselves and the organization against threats is a critical part of a healthy security program. If an organization needs to comply with different government and industry regulations, such as FISMA, PCI, HIPAAor Sarbanes-Oxley, it must provide security awareness training to employees to meet regulatory requirements.
Depending on the internal security resources and expertise available at an organization, it might make sense to bring in a third party to assist with security awareness training services. Regardless of whether outside assistance is leveraged, an organization’s leaders should understand what goes into building a security awareness training program, get involved, and offer feedback throughout the process.
Types of Training
Every organization will have a style of training that’s more compatible with its culture. There are many options, including:
Classroom training: This allows instructors to see whether learners are engaged throughout the process and adjust accordingly. It also allows participants to ask questions in real time.
Online training: This scales much better than in-person training, and it will likely be less disruptive to employee productivity since learners can work through the content from any location at their own convenience. This can also allow learners to work through the material at their own pace.
Visual aids: Posters in the break room cannot be a lone source of security awareness training, but when done effectively, they can serve as helpful reminders.
Phishing campaigns: Nothing captures an learner’s attention quite like the realization that they’ve fallen for a phish. Of course, learners who fail the phishing test should be automatically enrolled in further training.
In some cases, a combination of these may be the best option. Security awareness training is not a one-and-done exercise. Regular security training through multiple media is ideal, especially if the organization has high turnover rates.
Subjects to Cover
An organization’s unique threat profile should also be factored in when deciding what subjects to cover. Possible topics may include but are not limited to:
Phishing: Employees should be educated on how to spot and report phishing and the dangers of interacting with suspicious links or entering credentials on a spoofed page. Phishing extends beyond the traditional Nigerian prince email scam. Overviews should cover spear phishing, suspicious phone calls, contact from suspicious social media accounts, etc. Examples of phishing attempts that have affected other similar organizations will also be helpful here.
Physical security: Physical security requirements can vary on an organization’s nature. Since businesses should already have a physical security policy in place, this is a great opportunity to make sure employees understand the parts of the policy that apply to them, such as locking desk drawers and rules about allowing guests into the office. Training should also review how to report physical security risks, such as someone in the building who isn’t wearing a guest badge or sensitive data that is left exposed.
Desktop security: Outline the potential consequences of failing to lock or shut off computers at appropriate times and plugging unauthorized devices into workstations.
Wireless networks: Explain the nature of wireless networks and outline the risks of connecting to unfamiliar ones.
Password security: Complex password requirements and prompting employees to change their passwords on a regular basis should already be enforced, but password security training is still important to explain the risks involved in reusing passwords, using easy-to-guess passwords, and failing to change default passwords immediately. Authorized password management tools may also be covered
Malware: A training session on malware should define the types of malware and explain what they are capable of. Users can learn how to spot malware and what to do if they suspect their device has been infected.
Having a process in place to measure training effectiveness is essential. One way to do this is through a quiz. Quizzes should be issued before the training is deployed to get a baseline measurement and afterwards to see what has changed. If phishing exercises are conducted on a regular basis, organizations should keep track of whether employee response to these drills improves (or worsens!) after they’ve undergone security awareness training.
While it may be slightly less scientific, organizations can also try to determine the impact of training by looking for trends in the number and type of security incidents occurring over time as they add more employees and assets to their organization over time. It may also be interesting to have an individual walk around the office looking for exposed passwords, unlocked computers, and potential physical security risks a few times before and after training to determine whether behavior has changed.
Consider the Learner’s Perspective
Security may be a top priority for the security team, but other teams will have their own set of goals. Organizations should do their best to respect that time—ideally, training should be customized based on an employee’s role to ensure all of the training content is relevant to the individual and the work they do. This allows employees to focus on what matters and get back to work as quickly as possible. It also ensures that the riskier users at an organization, such as domain administrators, receive the right type of training that addresses risks and threats that are more relevant to the work they do.
When reviewing policies and best practices with employees, it’s important to always explain why each one is important. Users will be more likely to abide by policies if they understand the full context of them and believe it’s the right thing to do. For example, the risks of installing random software from the Internet become much more apparent to someone who sees how quickly a well-disguised piece of ransomware can encrypt all of the files on their workstation. Finally, organizations should avoid calling out individual employees or appear condescending if someone struggles with a training exercise. Instead, team leaders should focus on creating an environment where everyone is comfortable asking questions and reporting incidents.
At the end of training, users should leave feeling empowered to help protect the organization and excited to collaborate with other teams to create a more secure environment. Understanding your organization's unique needs and culture will be critical to making this training a success.
Credit: CybersecurityHub, R7.com
© De Angelis & Associates 2019