Security awareness training is essential for every organization. It is used to educate employees regarding information and computer security so that they can be aware of the threats that face such systems and the behavior that is expected of them to guard against those threats. Based on the security policy set by a particular organization, such training helps to foster awareness of how that policy protects the business, the employees, and its customers.
As such, security awareness training is useful for the organization as a whole, not least by ensuring that all employees understand potential threats and have the information that they need to better protect the organization’s information through proactive, security-conscious behavior. But it also has the benefit of enabling the organization to improve its overall security posture by making management more aware of potential security threats so that those threats can be incorporated into their overall risk management procedures and policies. This will allow the organization to be better able to anticipate and respond to threats at an organizational level, as well as to incorporate new threats as they arise and plan accordingly. As emerging threats are encountered, they should be incorporated into the organization’s security awareness training programs.
For many organizations, however, security awareness training is not just a nice thing to have in place. It is also specified in a number of industry standards, government regulations, and best practice guidelines. For international organizations, these include PCI DSS, ISO 27002, and COBIT.
Security Awareness Best Practices
During the recent RSA 2014 Conference in San Francisco, Ira Winkler, president of Secure Mentem, a firm dedicated to “the human aspects of security,” gave a presentation entitled “50 Shades of Security: Whipping Users Into Submission.” During this presentation, Winkler offered up a number of best practices for organizations looking to implement security awareness programs:
- Incorporate security into the interview process: Define security expectations during the interview and ensure that potential employees are aware of security requirements prior to accepting employment.
- Incorporate security into the hiring and indoctrination process: Ensure that employees know requirements before they accept the employment offer.
- Do the following throughout employment: Ensure that security practices are consistently enforced through a combination of awareness, technology, and process.
- Do the following upon separation: Ensure that the contract is reviewed and security requirements are refreshed, so that departing individuals know that the organization will protect their interests as well.
- Consider establishing a security focus group: Solicit broad employee participation and get input and implementation recommendations. Let the group negotiate security procedures, and provide methods for continued feedback and updating of procedures as feasible.
To ensure that training is effective throughout the enterprise, employees at every level should be included, from entry-level employees to top management, so that everyone gains at least a basic understanding of the requirements set out in security policies as well as their responsibilities in protecting the organization’s information assets. Insiders within an organization may not expose that organization to the greatest volume of security threats, but the threats that they do pose are among the most damaging, since employees often have direct access to sensitive and confidential information. By ensuring that everyone is aware of the risks and their responsibilities, as well as the sanctions that are in place for offenders, an organization can substantially reduce the threats that it could face from insiders: accidental ones, where an employee is not aware that what he is doing is wrong, and deliberate ones, by dissuading employees from undertaking malicious activity.