Are you planning to implement a company-run information security training program? Then you’re not alone. In fact, more and more companies are finding reasons to promote information security education, training and awareness for all staff, not just those in IT.
A good security program is not only composed of technical tools protecting the IT infrastructure and professionals with the skills to fine-tune these tools and discover signs of attacks before they damage the organization. It also requires the involvement of the entire staff in the protection of the digital assets, ensuring that each employee understands his or her roles and responsibilities when it comes to protecting the confidentiality, integrity and availability (CIA) of information in today’s highly-networked systems environment.
To empower staff to take better control of digital assets in an era in which cybersecurity incidents are on the rise, SETA (an acronym for Security Education, Training and Awareness) is a great choice for companies to minimize loss of information assets and hold employees accountable. SETA is crucial to a successful company-run infosec program: “developing computer security awareness and training programs can help company employees with the knowledge and skills that will enable them to perform their jobs more securely.”
Employees in all departments are often considered the weakest link in a company security chain and, as such, are the target of new scams that exploit social engineering to access systems and information. As security tools get more and more sophisticated and systems more resilient, malicious hackers rely on the human factors to still carry out their actions.
The 2017 U.S. State of Cybercrime survey, a study conducted annually by CSO in partnership with the U.S. Secret Service and CERT at the Software Engineering Institute at Carnegie Mellon University, shows how 28% of the attacks attributed to insiders were unintentional or accidental. In addition, according to IRONSCALES 2017 Email Security Report, phishing accounts for 90% to 95% of all successful cyberattacks worldwide. Companies, then, would have inefficient (and incomplete) security programs if they did not also invest in the training of its resources.
“Adequate training for personnel can dramatically decrease the likelihood of a successful attack on a business. Unfortunately, as borne out by the recent attacks, businesses are continuously failing to adequately train their personnel. It is incomprehensible that businesses are overlooking this key component of their security programs. Yet they continue to do so,” says Michael R. Overly, CSO Online contributor. Taking organization-wide SETA initiatives is key to the company resiliency. A company-run training program that gets employees to focus on security can help to strengthen the outfit’s security posture, as well as protect systems and their data from the myriad of threats in existence today.
With the threat landscape presenting new challenges every day, exercising the importance of awareness and protecting the company’s assets comes down to implementing a plan that ensures guidance for all staff members of the organization to recognize these threats and deal with them appropriately.
Benefits of a Company-Run InfoSec Program
So the benefits of a security program that involves training and awareness are clear. But why should a company set up its own in-house program?
First of all, there is no such thing as a one-size-fits-all program. Each company has different needs and challenges, and unique workforces. A program built and delivered in-house can better account for the special needs of the employees and take into consideration challenges that are peculiar to the workplace or a specific department: the presence of remote workers, language barriers and different levels of IT literacy.
A much more refined customization is also possible, taking into consideration real-life episodes and challenges the organization has already faced and for which internal IT teams will have complete unrestricted records. A tailored, more personalized approach means also higher involvement from the staff that can relate to the material covered and see its application in their everyday lives and work.
Timeliness is also essential. An in-house program can be tailored quickly to address new issues and to accommodate new requirements, policy changes and the onboarding of new personnel. Running a third-party program might mean costs of frequent updating requests and the possibility of the training material becoming outdated too quickly as the company moves forward.
Budget, of course, is another consideration. Each company needs to do a thorough cost-benefit analysis, and some organizations with the right personnel on board in the IT department might find in-house programs easier to handle and budget for.
Setting Up a Company-Run InfoSec Training Program and Reinforce Learning
When choosing or developing training material, it is crucial to find out about the knowledge, skills and experience of the workforce in order to keep the level of information adequate, relevant and interesting. If the organization already has a risk assessment procedure in place, it can be used as a great tool to identify areas of special concerns to be highlighted during training.
Simply browsing through the InfoSec Institute offer, for example, shows many available tools that can be used to build a number of lessons effortlessly. The Institute lately released a new video training series geared at creating cyber-smart security ambassadors, which can be easily integrated in any program. The InfoSec Flex Courses teach cybersecurity and IT certification training for eligible business owners and their staff to gain or improve any skill sets.
It is important to focus on three key components of any security training program: prevention, detection and response. For a basic user, this can mean simply being taught measures that he or she can use to prevent breaches (password safety, for example), detect social engineering attempts (how to recognize baits) and respond (who to inform, what actions to take). On the other hand, employees in departments that handle PII data or sensitive company data assets might need a deeper understanding of regulatory requirements and the technology that is implemented to prevent unauthorized accesses.
Companies looking for regulatory help and a structure approach for a more formal security awareness training in support of their infosec program can also find information in resources like the NIST’s Computer Security Resource Center SP 800-50. Also: “the methodology in NIST Special Publication 800-16 provides a useful tool with which to develop IT security training courses,” as well as SP 800-50. According to NIST, “the two publications are complementary – SP 800-50 works at a higher strategic level, discussing how to build an IT security awareness and training program, while SP 800-16 is at a lower tactical level, describing an approach to role-based IT security training.”
An effective cyber defense strategy includes policies, training and software. Software provides the tools to automate prevention, detection and response to attacks as well as accidental leaks due to inattentiveness and negligence. Policies provide a regulatory framework as well as a blueprint to follow in order to design the entire InfoSec program specific to the organization. Training, however, is also essential as educating employees on security awareness is crucial to provide a first impermeable barrier against attacks to sensitive assets and for compliance mandates.
Dejan Kosutic, a CEO that leads the 27001Academy.com team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards, says: “No matter how you train your employees and how you make them aware of security, remember the most important thing: simply purchasing the new technology won’t increase your level of security. You also have to teach your people how to use that technology properly and explain to them why this is needed in the first place. Otherwise, this technology will only become what business owners fear the most—a wasted investment.”
This explains why there are more businesses now creating a cyber-smart culture. They do this through continuing education and initiating simulations and testing built into their company-run training program, more effectively engaging employees and creating a culture of security. This helps turn employees from one of the weakest links to one of the strongest.
Where internal employee training programs are falling short, of course, it is also a possibility to seek the services of professionals that can help determine the true needs of the organization. However, creating an in-house program that includes training devised by the company is a flexible, budget-conscious solution.
Security Awareness Training – Time to Jump on the Bandwagon, Breach Secure Now!