Security Awareness Training is an essential component of any organisation’s information security.
Even though it is mandated by frameworks such as PCI-DSS or ISO 27001, Security Awareness Training should be more than just a compliance exercise. A good security awareness training programme will drive changes in behaviour amongst staff, suppliers and customers that will improve the security stance of the whole organisation.
The term ‘awareness’ implies the training is focused on knowledge transfer; however, effective modern Security Awareness Training is focused more on changing behaviour, not simply on passing on information.
If you are a security or network manager responsible for ensuring security awareness training happens, this article will provide you with 5 key questions your training needs to address.
To be effective, your Security Awareness Training programme needs to provide your team with the answers to each of these questions:
What are the policies that affect me?
You can’t win at a game if you do not understand the rules. So, the foundation of any awareness training is ensuring that everyone has access to the Information Security Policy (the main policy, and all its related policies and procedures) and has a chance to read it and ask questions on any sections they do not understand.
You cannot comply with a policy that you do not know exists or that you do not understand.
- Provide links to the Information Security Policy library
- Consider a summary video or document which outlines how to find the answers to common policy questions or use cases in the security policy library
What are the tools I can use to help me keep data secure?
Security breaches are more often enabled by employee error and ignorance than by malice. Your Security Awareness Training programme is the best opportunity to ensure every team member knows the right tools to use in order to securely and safely complete their tasks each day. It is here you can counter the impression that ‘the security team gets in my way’ and replace it with ‘the security team provides me with tools so I can easily do my job.’
When well-meaning team members misuse security tools they can put data or systems at risk. A typical example of this kind of error would be complying with the need to use a password to protect the contents of a spreadsheet of customer details – and then including the password in the body of the same email when sending the document to an external partner.
- Explain how to use software tools provided for secure data transfer and encryption – show how to select the correct settings or options for different tasks.
- Provide an easy-to-follow guide that helps less technical staff pick the right tools for each job
What are the things I must not do?
You don’t know what you don’t know. All security managers have a story or two of well-meaning colleagues who left the crown jewels exposed due to their own ignorance of the risks and dangers. The security press is filled weekly with tales of AWS buckets or customer databases left exposed and unsecured on the Internet.
People are comfortable with certainty and can happily cope with ‘thou shalt not’ lists of commandments – as long as they are easy to understand, and a safe alternative is provided which allows them to get their job done.
Consider how posters, desktop reminders and intranet homepage messaging can help reinforce key safety messages as part of an ongoing programme of security awareness. You do not need to cover everything in the first few days – instead create a roll-out plan which lasts all year.
People tune out when they hear the same message on repeat – so variety is essential in order to improve the impact of your communication.
A communications plan which focuses on a different aspect of security each month – along with articles on your Intranet and posters in the offices – helps security become a way of life rather than a one-off annual exercise.
An example annual security awareness communications plan:
| Month | Key message |
|---|---|
| January | Safe and Strong Passwords |
| February | How to spot Phishing emails |
| April | Keep software updated |
| May | How to raise the alarm |
| June | Test incident response plan |
| July | Remote working safely |
| August | Safe and Strong passwords |
| September | Sharing Data securely |
| October | DO’s and DON’Ts |
- Create an annual messaging plan which focuses on different key messages each month
- Provide a clear and non-technical list of DO NOTs for everyone to follow
What are the risks / danger signs I should look out for?
When the fire alarm sounds everyone in your office knows what to do. They leave their desk, take the stairs and go stand in the car park waiting for the firemen to arrive. Everyone knows what to do, and in the event of a real fire, rather than a drill, no-one would have to ‘make it up as they go along.’ If someone smells smoke, they know how to raise the alarm and what they should and should not do next.
In a cyber-security context – how can you teach your team to be ‘smoke detectors?’
Technological measures will never be 100% effective against evolving cyber-security threats. The last line of defence is the Human Firewall – the accounts clerk who decides whether or not to open the Excel file attachment in the email they just received.
By using examples and demonstrating how criminals attempt social engineering, your team can be trained to spot potential threats or unexpected behaviours – and raise the alarm with confidence.
Simulated phishing attacks can be effective in helping staff realise how easily they can be tricked into clicking on a malicious link.
Identify the risks most likely to impact your business and provide training around them. This could include:
- Phishing attacks by email
- Social Engineering on the phone
- Social Engineering in person
- Attacks against devices exposed to the internet
- Compromised computers used by remote-workers
- Supply chain attacks
- Compromised devices in connected networks – such as a supplier’s network which has a VPN link to your network
- Provide practical examples in the training so people can see how the systems they use every day could be attacked
- Occasional simulated phishing attacks can keep staff on their toes and watchful
How should I respond if I suspect a threat?
Finally, staff should be given clear guidance and permission to ‘press the fire alarm’ if they suspect a cyber-threat to the business. This will look different in each organisation – but just as the fire alarm is easily found and visible in every office – the means for raising the alarm for a cyber-attack needs to be equally accessible.
Some frameworks, such as PCI-DSS, mandate regular testing of the Cyber Security Incident Response plan – the fire-drill in other words.
- Hold regular ‘fire-drills’ so the whole team knows what to do if they suspect a security threat.
- Ensure contact details for the cyber first-responders are well known and easily found.
Security Awareness Training will help your team embed cyber-security as ‘business as usual’ rather than an inconvenient afterthought.