Employees are part of an organization’s attack surface, and ensuring they have the know-how to defend themselves and the organization against threats is a critical part of a healthy security program. If an organization needs to comply with different government and industry regulations, such as FISMA, PCI, HIPAA or Sarbanes-Oxley, it must provide security awareness training to employees to meet regulatory requirements.
Depending on the internal security resources and expertise available at an organization, it might make sense to bring in a third party to assist with security awareness training services. Regardless of whether outside assistance is leveraged, an organization’s leaders should understand what goes into building a security awareness training program, get involved, and offer feedback throughout the process.
Types of Training
Every organization will have a style of training that’s more compatible with its culture. There are many options, including:
- Classroom training: This allows instructors to see whether learners are engaged throughout the process and adjust accordingly. It also allows participants to ask questions in real time.
- Online training: This scales much better than in-person training, and it will likely be less disruptive to employee productivity since learners can work through the content from any location at their own convenience. This can also allow learners to work through the material at their own pace.
- Visual aids: Posters in the break room cannot be a lone source of security awareness training, but when done effectively, they can serve as helpful reminders.
- Phishing campaigns: Nothing captures a learner’s attention quite like the realization that they’ve fallen for a phish. Of course, learners who fail the phishing test should be automatically enrolled in further training.
In some cases, a combination of these may be the best option. Security awareness training is not a one-and-done exercise. Regular security training through multiple media is ideal, especially if the organization has high turnover rates.
Subjects to Cover
An organization’s unique threat profile should also be factored in when deciding what subjects to cover. Possible topics may include but are not limited to:
- Phishing: Employees should be educated on how to spot and report phishing and the dangers of interacting with suspicious links or entering credentials on a spoofed page. Phishing extends beyond the traditional Nigerian prince email scam. Overviews should cover spear phishing, suspicious phone calls, contact from suspicious social media accounts, etc. Examples of phishing attempts that have affected other similar organizations will also be helpful here.
- Physical security: Physical security requirements can vary depending on an organization’s nature. Since businesses should already have a physical security policy in place, this is a great opportunity to make sure employees understand the parts of the policy that apply to them, such as locking desk drawers and rules about allowing guests into the office. Training should also review how to report physical security risks, such as someone in the building who isn’t wearing a guest badge or sensitive data that is left exposed.
- Desktop security: Outline the potential consequences of failing to lock or shut off computers at appropriate times and plugging unauthorized devices into workstations.
- Wireless networks: Explain the nature of wireless networks and outline the risks of connecting to unfamiliar ones.
- Password security: Complex password requirements and prompting employees to change their passwords on a regular basis should already be enforced, but password security training is still important to explain the risks involved in reusing passwords, using easy-to-guess passwords, and failing to change default passwords immediately. Authorized password management tools may also be covered.
- Malware: A training session on malware should define the types of malware and explain what they are capable of. Users can learn how to spot malware and what to do if they suspect their device has been infected.