Who Should Be Able to Opt Out of Security Awareness training - and How
Brad Johnson is adamant that no one in an organization should be exempt from security awareness training. Not the CEO. Not the chief security officer. Nobody.
Johnson, the vice president of SystemExperts, says that making exceptions on the security awareness training front would only open companies up to a host of problems that otherwise might have been avoided.
See Infosec IQ in action
"Who should be able to opt out of security awareness training? The simple answer is nobody," says Johnson. "Yes, I said nobody. What about the chief security officer? Nope. What about the director of IT management? Nope. And so on, and so on. Let's ask this same kind of question in a different context. What NFL player should be able to opt out of practice? Should an NBA player be able to opt out of warm-ups?"
Johnson, who has participated in seminal industry initiatives including the Open Software Foundation, X/Open, and the IETF, is one of the many experts who insists on providing training without exceptions. Rather than considering who should be able to opt out of security awareness training, Johnson says that companies need to mull instead over what sort of training should be provided to employees.
While the experts believe that everyone from the top to the bottom of organizations need to take security awareness training, some believe that the trainers who lead out in such programs can potentially be exempted on account of their extensive knowledge base and expertise.
Background Stats
According to the 2015 US State of Cybercrime Survey, cyber security incidents are both increasing in number and becoming more and more destructive. Moreover, adversaries behind the attacks are investing not only in technologies but also in training their crews to attack with greater efficiency. If the bad actors believe in training, then so, too, should the companies that often find themselves on the receiving end of cyber attacks.
The study notes that businesses that invest in and implement new technologies to safeguard against cyber attacks, without updating processes and giving workers training, will probably fail to get the full value out of their spending. And while security awareness training is critical, only 50% of survey respondents acknowledge that they run periodic security awareness and training programs, and only 50% of respondents admit that they provide security awareness training to new hires.
Training for All
CenturyLink CSO Dave Mahon previously served the FBI for over three decades, during which time he was responsible for investigative teams and programs that dealt with targeted attacks on the Internet, computers systems and networks.
Asked if there are situations where it might be okay to allow workers to forgo training, he says that his general response is no. There may be extenuating circumstances, though, like illnesses where workers miss training or unique situations where certain employees may not have to access the corporate network or to look at the data.
"Could there be one-off scenarios, yes," he says. "But keep in mind what the objectives of all employees, really, and all contractors or third parties who connect to your network or have access to your data is. If you think about the objective of training initiatives, those objectives help you decide if there are any exceptions that should be allowed."
On the cybersecurity training front, the objective of all training for employees and contractors is to be certain of the availability, safety and integrity of corporate networks and data, says Mahon.
"If you look at the incidents that occur in a corporation the size of CenturyLink, which is about 44,000 employees and another 20,000 contractors, a high percentage is caused by employees," he says. "Most of it is caused by good employees who make a mistake, do something over the normal course of the day unintentionally."
Ensuring that workers understand how to conduct themselves when using the corporate network is the responsibility of the information security team, notes Mahon, and this means that the team needs to provide the right sort of security awareness training.
There are many good reasons why businesses shouldn't permit their employees to skip security awareness training, adds Rob Kraus, director of security research and strategy for Solutionary.
"Security awareness training is an opportunity for organizations to reinforce existing policies, and to update employees on changes in these policies which they might not be aware of," says Kraus, who specializes in vulnerability research, threat intelligence, incident response, application security assessments and attack mitigation tactics. "It also allows organizations to introduce new policies and procedures that have developed since the last training session."
It's also important for companies to ensure that security is part of their corporate culture and that they send the right message to their workers, says Kraus, author of Seven Deadliest Microsoft Attacks and co-author of Seven Deadliest Network Attacks.
Excusing the Trainers?
Agreeing that there should be no exceptions, Morey Haber, vice president of technology for BeyondTrust, adds that the trainers could warrant an exception.
"There should be no exceptions to security training within an organization except for the trainer…, which is obvious if internal staff does it," he says. "The trainer has gone through extensive preparation…and should be certified as a CISSP or equivalent in order to perform the session. Their preparation far exceeds the material being delivered and basically makes them exempt."
Haber, who joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition and currently oversees strategy for both vulnerability and privileged identity management, adds that – outside of trainers – security training should include everyone in the organization. That includes IT staff, security pros, and executives.
[download]Download the BEST PRACTICES FOR DEVELOPING AN ENGAGING SECURITY AWARENESS PROGRAM whitepaper[/download]
"Basically, it should be mandatory, just like any other mandatory program an organization has established," says Haber. "It also sends a strong and healthy message to all employees that anyone at the organization can be a victim of a cybercrime and that all individuals need to be…reminded of what to look for and how corporate policy includes them."
Mahon certainly agrees that IT staff, security professionals, and executives need to undergo training, but he disagrees with the idea of granting the trainers exemptions. The first reason to train the trainers is that they need to set the example.
"Number two, very smart people who think they know a great deal are frequently the ones who are victimized during a compromise," says Mahon. "They need the training like everyone else. I would not exempt them at all. In fact, you could make a very logical argument that they are at a higher risk of causing damage to the company simply by the nature of their position in the company, the level of access they would have…"
What Kind of Training?
At the end of the day, what it comes down to is figuring out what sort of training workers need to help them avoid being victimized by a cyber attack. And that's where the hard work comes in because companies need to figure out how much training workers need, how often they need it and when they need it.
"The real question is: What kind of security awareness training is appropriate for you?" says Johnson from SystemExperts. "Everybody needs to spend time and energy on reminding themselves of what's important to be successful in their job and…what's important for everybody else to be successful."
Phishing simulations & training
Everyone, after all, requires some sort of security awareness training, he notes, and this training must reflect both skill level and duties in the workplace.
In this Series
- Who Should Be Able to Opt Out of Security Awareness training - and How
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness