
Critical Considerations for Effective Security Awareness Training

By: Morey Haber, vice president of technology at BeyondTrust

One of my favorite kinds of spam email is the one from cyber security companies soliciting security awareness training for your employees. Think about it: you are receiving spam email, potentially a phishing attack, from a company offering services on how not to fall for a fraudulent email scam!

Security awareness is much more than training, knowledge, and attentiveness. It needs to be part of the culture of your business and a part of everyday life, and it is much more than identifying the latest phishing email. Security awareness is not paranoia, but it can be taken to extremes if it is misunderstood. This was certainly the case when Yahoo labeled their security professionals the “Paranoids”. Security awareness does require education, but it also requires intelligence: knowing when to respond and when to correctly ignore a situation. If every event, alarm, and situation becomes a problem, security awareness is no different from extreme paranoia. This can take many forms, from cyber security to physical access. It can be overly dramatized, for example by requiring all visitors to register their laptops at security check-in but then denying them even guest access to the Internet or the corporate network in any form.

Security awareness needs a causal relationship of action, threat, and outcome, not just a blanket statement of denial or a ‘do not do’. This is how we take basic education and training past guidelines to intelligence and attentiveness: knowing why something is a problem versus just following the mandate. Therefore, when we consider security awareness education, we need to consider the following factors in our corporate training:

All businesses have crown jewels, whether sensitive data, physical assets, personally identifiable information (PII), classified government material, or just private information in general. Team members should be trained on what this information looks like, how to handle it, and what could happen to them, and to the business, if it is stolen, physically or electronically.
Security awareness also has a legal component. All employees, contractors, and applicable third parties handling sensitive information should be trained and, when appropriate, sign a nondisclosure agreement.
The labeling and handling of sensitive information is key in whatever form is used to communicate it. This could include labeling emails as confidential, appropriate levels of encryption for storage and transmission, and even the destruction of material, from shredding paper to securely wiping disks.
The concepts of authorization and authentication are key to security awareness. This includes everything from biometrics to passwords and multi-factor authentication. Context-aware access, from geolocation to concurrent login information, is a major part of this and ensures appropriate methods for protecting access to sensitive information and applications.
Traditional security awareness training covers cyber security threats and modern attack vectors like malware, phishing (in all its forms), and social engineering. This is more than just “do not click on a link”; it needs to cover why you should not click on it, to raise the bar from attentiveness to intelligence.
Physical access is just as much a part of security awareness training as cyber. This includes building access, door access, security badges, and the reporting of incidents: if a stranger is present, how would you notify the appropriate people? It also covers possessions that should never be permitted in the workplace, even personal computers.
And finally, for all the grandeur of security awareness, all team members should be aware of the consequences of a violation. This could be personnel discipline, but it should also establish ground rules for what can happen to their employment, or to the company, if a violation occurs. If people understand the risk, and why, they are more likely to pay attention to the problem than if it is “just policy”.
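Context-aware access, mentioned in the list above, is easier to see in code. The following is an added example written for this page, not code from the article or from BeyondTrust. It evaluates a login attempt against a user's prior sessions using two of the signals named above, geolocation (an impossible-travel check) and the number of concurrent sessions, and returns one of allow, step-up MFA, or deny. The thresholds (900 km/h, two active sessions, 100 km for a "new" location), the Session record, and the sample coordinates and history are assumptions constructed for the example.

```python
"""Context-aware access check (added example; not from the original article).

Decides whether a login attempt should be allowed, challenged with a second
factor, or denied, based on the user's recent sessions.  All thresholds and
sample data below are constructed for the example.
"""
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner speed
MAX_ACTIVE_SESSIONS = 2           # assumption: policy limit on concurrent logins
NEW_LOCATION_KM = 100.0           # assumption: farther than this from any prior session is "new"


@dataclass(frozen=True)
class Session:
    user: str
    ts: float      # login time, seconds since epoch
    lat: float
    lon: float
    active: bool = True


def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points (haversine formula)."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def evaluate_login(attempt: Session, history: list[Session]) -> tuple[str, str]:
    """Return (decision, reason) for a login attempt given the user's session history.

    decision is "allow", "mfa" (require step-up authentication) or "deny".
    """
    prior = [s for s in history if s.user == attempt.user and s.ts <= attempt.ts]
    if not prior:
        # No baseline for this user: the context is unknown, so ask for a second factor.
        return "mfa", "no_history"

    # 1. Impossible travel: could the user have moved from the most recent
    #    login location to the new one in the elapsed time?
    last = max(prior, key=lambda s: s.ts)
    km = distance_km(last.lat, last.lon, attempt.lat, attempt.lon)
    hours = (attempt.ts - last.ts) / 3600.0
    if km > NEW_LOCATION_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
        return "deny", "impossible_travel"

    # 2. Concurrent logins: refuse a session that would exceed the policy limit.
    active = [s for s in prior if s.active]
    if len(active) >= MAX_ACTIVE_SESSIONS:
        return "deny", "concurrent_limit"

    # 3. New location: travel is plausible but the user has never logged in
    #    from anywhere near here, so require a second factor.
    if all(distance_km(s.lat, s.lon, attempt.lat, attempt.lon) > NEW_LOCATION_KM for s in prior):
        return "mfa", "new_location"

    return "allow", "known_context"


# Constructed sample data (not real users or sessions).
LONDON = (51.5074, -0.1278)
PARIS = (48.8566, 2.3522)
NEW_YORK = (40.7128, -74.0060)
SAMPLE_HISTORY = [Session("alice", 0.0, *LONDON)]   # one active London session at t=0

if __name__ == "__main__":
    attempts = [
        ("same city an hour later", Session("alice", 3600.0, *LONDON)),
        ("Paris two hours later", Session("alice", 7200.0, *PARIS)),
        ("New York one hour later", Session("alice", 3600.0, *NEW_YORK)),
        ("unknown user", Session("bob", 3600.0, *LONDON)),
    ]
    for label, attempt in attempts:
        print(f"{label}: {evaluate_login(attempt, SAMPLE_HISTORY)}")
```

Running the block prints one decision per constructed attempt. In a real deployment the history would come from the identity provider's session store, the thresholds from policy, and the decision would feed the authentication flow rather than be printed; the point for awareness training is that each outcome has a stated reason, which is the causal link between action, threat, and outcome the article asks for.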
In the end, security awareness means you comprehend that there is a risk of individuals deliberately or accidentally stealing, damaging, or misusing the information or assets prized by an organization. Raising awareness can come in many forms, from education to cultural changes, but in the end it must be a part of daily business in order to be effective. Simply stating “we have done our annual security awareness training” is not enough, but unfortunately this seems to be the case in several businesses in the Middle East. According to a 2016 PwC report[1], only 37% of Middle East businesses surveyed have a comprehensive security awareness and training program, against a global average of 53%. Furthermore, only 32% of Middle East organizations require their employees to complete training on privacy policies and practices (compared with 55% globally).

Any good executive understands the importance of measuring the business. I would encourage all teams to measure the effectiveness of security awareness training, policies, and procedures via penetration tests and role playing. This could even include basics like online situational tests that all users are required to take, to confirm basic knowledge transfer. Measured this way, security awareness should be viewed as a key enabler, not just a set of policies and rules restricting the business.

If anything, it could end up saving your business. 
