Learn the best practices for developing a security awareness training program that is engaging. Engaging awareness programs have been shown to change more users’ behavior and are seen as an asset for your organization instead of an annoyance.
Nowadays, security awareness training (SAT) is a top priority for organizations of any size. Thanks to SAT, management and employees can understand IT governance issues and control solutions, recognize concerns, understand their relevance and respond accordingly. Many companies invest heavily in cybersecurity education programs so that employees learn how to protect their computers and personal information and how to be aware of the many hacktivists and cyber-criminals that scour the Web in search of targets and vulnerabilities.
Apart from employing corporate risk managers and IT managers, and making use of security defense solutions (firewalls) and protection systems (IDPS), it has become necessary for companies to conduct training for everybody as part of the security strategy, to reduce exposure to data integrity attacks and other threats. As breaches become more common, taking security awareness on board across an organization can reduce risk. Educating users helps lessen the chance of becoming the victim of an intrusion attempt that targets one of the weakest links in the cybersecurity chain: end users themselves.
Why is a security awareness campaign necessary?
The purpose of periodic security awareness training is to develop the essential competencies, new techniques and methods needed to face possible security issues. Investing in SAT can provide some level of maturity in incident response and help protect corporate resources; by adopting an IT Security Awareness Program, a company greatly strengthens its security posture.
Awareness programs provide a great way to educate personnel and keep the company’s IT security policy fresh in their minds. The idea behind a campaign is to motivate people to take information security seriously and respond accordingly, as Steve Durbin, a managing director of the Information Security Forum (ISF) emphasized in a CIO post. Any technical defense measure would be useless if the entire staff is not cyber-aware; a good security program has everybody involved by staying current with new technologies and understanding the common types of threats or attacks that can affect business operations.
The company’s information security program depends on a well-informed workforce; training can effectively improve the end-user response to cyber-attacks, perhaps early enough to ensure the continuation of business operations in the wake of a breach. An awareness session can help employees learn to use the right technology in the proper way, ensuring the security of all platforms without affecting operations while defending against a wide range of cyber threats. By holding training sessions in which people learn together, everybody can be informed of the information security structure, so that they can all tackle any issues collectively.
Though embedding a culture of security within an organization is no overnight task, says Michael Cobb, the founder and managing director of Cobweb Applications Ltd., an effective “training programme has to make it clear that information security is an integral part of everyone’s job with ownership, responsibility and accountability for risk made obvious in policies and job descriptions.” Furthermore, “[d]ue to continually evolving technologies and threats, you will need to update and repeat your awareness programmes as you update your security policies.”
Regular training can be held in a group setting. Such a program should be available on a continual or as-needed basis. It may come from within the organization (someone in the IT department), from an external trainer, or via the Internet.
Why is security awareness important for managers?
Is security awareness only for employees? Certainly not. Experts agree it is time for managers to move into a more active role when it comes to IT security. Nowadays, managers are required to be technologists in addition to business leaders, with the ability to address security concerns as well as manage somewhat complex technologies.
One of managers’ key responsibilities is to develop the workforce to ensure each employee is properly trained. While user training is an essential part of any security program, it is equally important for managers to show employees they too are team players equally invested in the company’s security success. They must act consistently with company cybersecurity policies and develop their own knowledge and skills.
In general, few managers are Infosec-savvy enough to skip security awareness training altogether. General familiarity with IT and security issues is necessary, as managers normally play a big part in overseeing the cybersecurity readiness of their workers. The manager’s prime responsibility must be to develop people so they can take the necessary steps to assess, identify and modify the company’s overall IT security posture. They need to ensure that staff comply with corporate policies and abide by written standard operating procedures, directives, resources, etc.
To do all this, managers must lead by example. Managers need to become leaders and not only supervisors of workers. They need to understand the technologies being used to make sure that the company’s security goals are being met, perform regular audits and rigorous assessments, and attend company-required security awareness training sessions regularly. When a manager leads by example, the positive impact on the organization (and on the individual members of staff) is significant.
How to train managers
Training managers, especially senior managers, presents unique issues. It is great for them to attend a general security awareness session open to all employees, as it really shows management’s commitment to the program; however, attending an hour-long session might not always be feasible for a busy executive. Preparing a short, to-the-point session for managers might be the ideal solution to ensure the key points are highlighted and the manager is aware of the importance of the program and its effects on the company’s security readiness.
A meaningful managers’ training can include highlights of company policies in the realm of cybersecurity, so that managers are ready to guide the section they supervise as needed. Everybody should learn how to detect, report, and react to any security problems.
In addition, a trainer needs to discuss topics that are particularly relevant to managers. For example, executives often travel and need to be made aware of the risks involved in using mobile devices, as well as of the issues related to browsing through hotspots and public Internet facilities.
Executives are also often the primary target of spear phishing and Advanced Persistent Threat (APT) attacks, so it is important that they are made fully aware of the techniques used by cybercriminals to lure their targets and know what they can do to defend themselves and their systems.
A meaningful discussion can also include specific cybersecurity incidents experienced by the company, the estimated costs of recovery, and the ROI expected from a meaningful awareness program that includes company employees at all levels and in every department.
It is important that, like employees, managers have access not only to individual sessions but also to group sessions (to exchange ideas with other executives) and to online training, for a refresher course anytime and anywhere.
As pointed out by Jyothish Varma in a recent SMB Security Guide post, many “cyberattacks could have been prevented if employees had received thorough training on proper security protocols.” In addition, research shows that “employee negligence is the leading cause of data breaches.” Cyber awareness training, then, can and does have an impact on actual security.
As businesses depend more on technology, they also depend on a number of information assurance decisions that call upon managers to know how to prepare for and prevent a cyber-attack. It takes dedicated office managers, eager to learn and willing to do what it takes to educate themselves and their staff on why IT security is relevant, to combat efficiently and effectively any cyber threats that may affect a workplace.
Involving managers in awareness training not only helps them understand today’s cyber security threats and be fully aware that they are a preferred target of focused phishing attempts (and therefore could be responsible for breaches), but it also ensures they embrace the awareness program as a whole. As protecting the integrity of an on-premises infrastructure requires non-IT staff to be fully trained on cybersecurity principles, general managers should become computer-savvy and familiar with IT issues. In this way, they can support the technology transformation in their workspace for operational efficiency, while still helping to ensure the security of the IT infrastructure.
Even more, they can lead other employees by example and convey the message that cybersecurity is everyone’s responsibility within an organization. All department managers, and not just those in the IT sectors, have a personal responsibility to protect the company’s computer network and its data.
Cobb, S. (2012, October 12). Study finds 90 percent have no recent cybersecurity training. Retrieved from http://www.welivesecurity.com/2012/10/10/study-finds-90-percent-have-no-recent-cybersecurity-training/
Durbin, S. (2014, July 9). Why Security Awareness Programs Fail. Retrieved from http://www.cioinsight.com/security/why-security-awareness-programs-fail.html
Spitzner, L. (2012, January 5). Security Awareness for Senior Management. Retrieved from http://www.securingthehuman.org/blog/2012/01/05/security-awareness-for-senior-management
Varma, J. (2015, January 28). Questions to Ask When Exploring Security Awareness Training Services. Retrieved from https://www.smbsecurityguide.org/questions-to-ask-when-exploring-security-awareness-training-services/