Awareness Training: Strengthen Your Weakest Link
Security is only as strong as your weakest link. In many organizations, this weak link is the lack of appropriate security awareness training. Not dealing with this critical need leaves the organization more vulnerable to accidental or intentional compromise of sensitive business information. All employees and third-party users who come into contact with sensitive information should receive appropriate training and regular updates on business policies and procedures.
Businesses must communicate information such as security policies, legal responsibilities and business controls to the workforce, as well as training employees in the correct use of information processing facilities (e.g., use of mobile devices, access to the Internet, exchange of e-mail and other services where sensitive business information may be shared).
Scope of Training
Businesses must educate employees about the vulnerability of the organization’s sensitive information, and share ways to protect that information on a regular basis. The amount and type of training depend on an entity’s configuration and security risks. Business associates and other individuals who have access to sensitive information must be aware of the appropriate security measures to reduce the risk of improper access, use and disclosure. Training is not a one-time activity. Rather, it is an ongoing process that evolves as security and procedures change.
Training may be tailored to individual roles if the business deems it necessary. If so, it must be customized based on specific job responsibilities. Training must be focused on issues regarding the use of sensitive information and responsibilities regarding confidentiality and security. All employees must be trained to better understand enterprise security objectives, vulnerabilities and the need for security policies that address passwords, malicious software and network access.
Specific topics that must be considered for coverage in a security awareness training session for all members of the workforce include:
- Motivation for Information Security: This area includes business security objectives, security policies, regulatory compliance requirements, privacy and security, and business responsibilities.
- Protecting the Business: This area includes flow of sensitive information, threats and attacks, and client (or customer) rights.
- Critical Security Policies: This area includes passwords, malicious software (viruses, trojans, worms, spyware), e-mail policy, Internet/Web policy, desktop security, wireless security and sanctions policy.
- Physical Security: This area includes data on PCs, monitor positioning and logon/logoff.
- Individual Responsibilities: This area includes business security contacts, incident reporting and confidentiality agreements.
- Assessment: This includes 10 or so questions to evaluate results and reinforce the training.
Getting Started: Critical Steps
Consider the following five steps to plan and organize a security awareness training program:
Step 1: Training Needs Assessment
Establish the training needs of the organization. This may be done through interviews. It is important to involve key personnel in assessing and influencing the security-training needs. You will need to identify:
- Any security awareness training that is being delivered to any group or department.
- Regulatory requirements.
- Training priorities of different groups or departments.
Step 2: Training Priorities
Develop a written training strategy. Clearly establish the target audience, the learning objectives, the training deployment method, evaluation, measurement techniques and the frequency, as well as the duration of training. You will need to address topics such as:
- Procedures that ensure everyone receives security awareness training.
- Types of security training needed to address specific technical topics based on job responsibility.
- Any regulatory compliance requirement that influences the scope or content for security awareness training. Security awareness needs to be discussed with all new hires.
- Reinforcement of security issues and awareness during routine staff meetings.
Step 3: Training Content
Focus on training content. Select the topics that may need to be included in the training materials. These topics typically include:
- Password management
- Incident reporting
- Malicious software
- Monitoring login attempts
- E-mail security
- Internet and Web access policy
- Wireless and mobile devices policy
- PC (workstation) security
- Auto logoff (screen savers)
- Sanctions policy
- Confidentiality agreement (that employees execute)
You will also need to determine whether employees have received a copy of the organization’s security policies or whether these policies are easily accessible over the intranet. Further, you will need to establish the training budget.
Step 4: Delivery of Training
This is where the rubber meets the road. All employees must receive adequate training to fulfill their job responsibilities. You may want to consider developing modules that are customized for a few specific groups of job roles. For example, these roles might include executive management, end users, department or group managers and contract workers. You will need to schedule and start the process of managing the delivery of all security awareness training.
Step 5: Training Evaluation
The final step is to evaluate the training by requesting all employees to complete a brief evaluation form. The feedback will provide ideas to further improve the quality of content and the program in general. It is also important to monitor the program to ensure that there is active participation in the training sessions by members of the workforce.
Within the scope of the training delivery there must be some type of assessment. This assists you in reinforcing important training concepts and also determines whether the topics are understood by the target audience. Typically, the assessment includes about 10 questions and takes a few minutes of the time scheduled for the training session.
For example, the assessment might ask:
Should you record all system and application-related passwords in a file on your computer, on a sticky note or on a notepad kept on your desk?
- A. On a sticky note only, but kept under keyboard.
- B. On a file on the computer, hard disk only.
- C. Sticky note and file on computer.
- D. None of the above.
The answer is D.
The questions should be easy to understand and should communicate topics of importance to the organization. Do not hesitate to create a few assessment questions that directly relate to your organization’s security policies. It is important all employees be familiar with your security policies.
As we know, security is not a one-time event, but a continuous process—as is security awareness training. Security practitioners and managers must work together to create a culture of regular communication of security topics through different media. Examples include a monthly security reminder to all members of the workforce, security posters in common areas and at least one formal training each year. With this effort, you will increase security knowledge and awareness and minimize, to the extent possible, the opportunity for people to be the weakest link.
Uday O. Ali Pabrai, Security+, CISSP, CHSS, chief executive of ecfirst.com, consults in the areas of enterprise security and regulatory compliance, is author of the be