Learn the best practices for developing a security awareness training program that is engaging. Engaging awareness programs have been shown to change more users’ behavior and are seen as an asset for your organization instead of annoyance.
As an IT Security Officer for a large financial services organization, maintaining a high level of staff awareness is a key aspect of my role.
While we have been fortunate enough to date (touch wood, fingers crossed, etc., etc.!) to have avoided any major security incident, my experience would bear out the widely-acknowledged view that the weakest point in the security regime is most likely to be the user. Incidents caused by the user – usually inadvertently – represent the highest percentage by far of those reported or detected.
And so, an effective security awareness program is one of the most important measures to safeguard against the potentially significant, if not catastrophic, business impact to an organization such as ours arising from a major security breach whether in terms of financial loss or damage to reputation.
The priority given to security awareness, which our organization’s chief executive and senior management team have endorsed, may be a key reason for our good fortune up to now. (Again, touch wood, fingers crossed, etc.!). This has helped to embed a culture of good practice in relation to security within our organization.
Security Awareness presentations are a vital part of any awareness program (but not the only one and I will touch on other components that should also be considered later), and a useful checklist for a security awareness presentation would be as follows:
Security Awareness Presentation Checklist
Ensure you are clear as to what the content of the presentation is going to be. Identify any key points in your security policies and security-operating procedures that you need to reinforce.
For example, what are the requirements and arrangements for reporting any actual or suspected security incidents? Who should be notified? What is meant by a security incident? Which leads on to number 2.
2. What is meant by Security and what would constitute a breach?
The good old C,I,A trinity – Confidentiality, Integrity and Availability – are useful to help with these definitions. That is, anything that might adversely impact any of these three factors could be considered a security incident. Referring to one or two topical incidents from the media (and there is usually no shortage of these) helps focus minds on the potential impact when things go wrong – although I believe this is can be overdone at times and I would try not to over-hype the threat landscape.
3. Keep it as simple as possible.
Focus on the key requirements. Ask yourself what would the average staff member need to be aware of to avoid any security issues in carrying out their normal daily duties. Don’t include all aspects of the security policies and procedures – much of which will be irrelevant (and boring) to the average member of staff. Use a simple structure for presentation slides and handouts.
For example, in the past I have a used a small set of slides focused on three key areas: “dos”, “don’ts” and “what you need to be aware of” with the content put together from the previous two steps above. Be prepared – for example, by adding notes to the relevant slides – to be able to provide clarification as to why each requirement is important. What is the potential adverse impact to the organization – or the individual members of staff – if the requirement does not receive compliance. A few pages covering key aspects of your security policy and procedures should be sufficient as a handout.
4. Keep it light
Avoid text-heavy slides and technical jargon – and encourage questions.
5. Guidance on personal IT security
Providing some guidance that is also relevant for staff concerning their own personal, home IT use also helps maintain interest and achieve commitment to good practice generally. Advice in relation to the use of social media would be a good example. In particular, ensuring that staff are aware that they must not use their official work account password as the same password for their social media site.
6. Do the presentation yourself
A key benefit of delivering the security awareness presentations is not so much to do with the content but rather that staff can now put a face to the name when it comes to their IT Security Manager. They will know whom to contact if they have any concerns or need any guidance on Security matters and – importantly – to whom they should report any security incidents.
If you don’t have the necessary experience or training to deliver the presentations yourself and have delegated this to your training team, make sure you are present at least – to be introduced and to cover any questions.
7. Consider the line manager’s role
Line managers are normally best placed to oversee staff compliance with security policy and procedures and, for example, to ensure that any security incidents within their area of responsibility are reported. In our organization, this responsibility was added to the formal job description of those with a line management role. I underlined this during the awareness training presentations while making clear also my availability to provide advice and guidance and support when needed.
8. Provide details of resources for further guidance
The IT Security manager’s contact details are the most important but include also any other relevant resources – for example, if you have an Intranet site with an area on security guidance or policy, provide details of the links.
9. Not a one-off event
Ensure that all staff attends the presentations and “mop-up” sessions are arranged as required. Then revisit the security presentations for new staff and as refresher training for all staff at least every 2 years.
10. Get feedback and act on it
It’s important to get feedback on the security awareness presentation – via questionnaires completed by the attendees, for example – to identify any changes that might be useful when carrying out any future presentations.
As mentioned earlier, a security awareness program is more than just presentations. Other measures to complement the presentations would include: the development of a Security area on the organization’s Intranet; regular email reminders to all staff – preferably endorsed by the chief executive – summarizing key security policy requirements; posters with key security messages to be put up in the building elevators and other appropriate locations (other media could also be considered for such key messages e.g. mousemats or other promotional material); and security articles in any in-house magazine.
Security awareness presentations are an essential measure to help embed a culture of good practice in relation to security within an organization.
Presentations should be carefully planned and the key messages from your security policies and procedures identified and used as the content. Think about what you can exclude, so you avoid boring staff with stuff they don’t really need to know. Focus on what is essential to help staff comply with good security practice in their day-to-day work.
Remember that security awareness presentations should not be a one-off event but need to be carried out regularly.