Last updated at Tue, 26 Dec 2023 18:50:06 GMT

This is a continuation of our CIS critical security controls blog series, which provides educational information on each control, as well as tips and tricks to consider. See why SANS listed Rapid7 as the top solution provider addressing the CIS top 20 controls.

Building a shiny new security program but neglecting to train your employees on it is like shipping this year's hottest new product but forgetting to put the instruction manual in the box. While your users may have a basic understanding of antivirus and web filtering controls, or even patching, they likely aren't aware of all the behind-the-scenes work you did to get the underlying elements of your security program in place.

The key principle behind Critical Control 17 is implementing a security awareness and training program that instructs employees on best practices, current defense strategies, and what is expected of them.

Baseline Security Awareness at Your Organization

Start by developing materials that give a basic overview of the expectations your business has for IT system usage. This is often part of an acceptable use policy (AUP), but plenty of information security teams also maintain a document that lives outside of the AUP.

These rules are the starting point for your security awareness program. New hires should see and acknowledge them within their first week, and all employees should be reminded of them once a year. Requiring everyone to regularly sign off on the policy means no one can claim ignorance in the event of an incident.

Annual video trainings on broad, high-level security concepts are a good way to get new employees up-to-speed and reinforce your baseline rules. These should also be consistently updated so they’re always relevant.

Security Awareness Should Mature Over Time

With your baseline rules set, it's time to start thinking about ongoing security awareness training that addresses new technologies, threats, and business requirements. The threats your staff face and the tools they use change constantly, so the training has to keep pace or it quickly stops being relevant.

Consider offering short, quarterly video trainings (around 10–15 minutes in length) that touch on subjects such as:

  • Social engineering attacks
    • Phishing
    • Pretext phone calls (vishing), including callers impersonating staff, vendors, or executives
  • Secure authentication methods
    • Strong passwords
    • Password management
    • Multi-Factor Authentication, if offered (hint, it should be)
  • Sensitive data handling
  • Mobile security
  • Email security
  • Web/internet security
  • Device loss/theft procedures

It can sometimes take a few formats for your message to really stick. These are a few ideas for different ways to get people on board:

  • Create posters and place them around your office, in break rooms, and near copiers and printers.
  • Develop a phishing awareness program that includes simulated phishing campaigns sent to your own employees. Track what percentage of the workforce clicks the lure, what percentage submits credentials, and what percentage reports the message, then require additional training for those who repeatedly click. Comparing those rates from campaign to campaign tells you whether the social engineering training is actually working; a falling click rate with a flat report rate means people have learned to ignore the mail, not to raise the alarm.
  • Create and distribute quarterly information security newsletters.
  • Recognize employees who go above and beyond to report potential incidents so people know they are an important aspect of your security program.
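As an added example (not code from the original post or from Rapid7), the following Python turns simulated-phishing results into the statistics described above: per-campaign click, credential-submission and report rates, the users who clicked in more than one campaign and should be routed to additional training, the users who have never reported a simulated phish, and the people who reported even after clicking, who are exactly the ones worth recognizing. The record layout, user names and campaign results are constructed for illustration; a real simulation platform exports its own schema.

```python
"""Phishing-simulation metrics: click/submit/report rates, repeat clickers,
and users to recognize. Added example; input records are constructed and
the field names are this example's own, not any vendor's export format."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str    # e.g. "2023-Q1"; names sort chronologically
    user: str
    clicked: bool    # followed the lure link
    submitted: bool  # entered credentials on the landing page
    reported: bool   # forwarded the mail to the phish-report mailbox


# Constructed sample data: three quarterly campaigns, four hypothetical users.
SAMPLE_RESULTS = [
    Result("2023-Q1", "alice", clicked=True,  submitted=True,  reported=False),
    Result("2023-Q1", "bob",   clicked=False, submitted=False, reported=True),
    Result("2023-Q1", "carol", clicked=True,  submitted=False, reported=True),
    Result("2023-Q1", "dave",  clicked=False, submitted=False, reported=False),
    Result("2023-Q2", "alice", clicked=True,  submitted=False, reported=False),
    Result("2023-Q2", "bob",   clicked=False, submitted=False, reported=True),
    Result("2023-Q2", "carol", clicked=False, submitted=False, reported=True),
    Result("2023-Q2", "dave",  clicked=True,  submitted=True,  reported=False),
    Result("2023-Q3", "alice", clicked=False, submitted=False, reported=True),
    Result("2023-Q3", "bob",   clicked=False, submitted=False, reported=True),
    Result("2023-Q3", "carol", clicked=False, submitted=False, reported=True),
    Result("2023-Q3", "dave",  clicked=True,  submitted=False, reported=False),
]


def campaign_metrics(results):
    """Per-campaign rates keyed by campaign name, in chronological order.

    Click rate alone is a poor measure: a click without credentials is a
    lesser event, and reporting is the behaviour the program is trying to
    build, so all three rates are computed.
    """
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    metrics = {}
    for name in sorted(by_campaign):
        rs = by_campaign[name]
        n = len(rs)  # every record is a delivered simulated phish
        metrics[name] = {
            "delivered": n,
            "click_rate": sum(r.clicked for r in rs) / n,
            "submit_rate": sum(r.submitted for r in rs) / n,
            "report_rate": sum(r.reported for r in rs) / n,
        }
    return metrics


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least `min_clicks` distinct campaigns.

    One click in a year is noise; a pattern is what should trigger the
    additional training the post recommends.
    """
    clicks = defaultdict(set)
    for r in results:
        if r.clicked:
            clicks[r.user].add(r.campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_clicks)


def never_reported(results):
    """Users who have not reported a single simulated phish, clicker or not."""
    users = {r.user for r in results}
    reporters = {r.user for r in results if r.reported}
    return sorted(users - reporters)


def reported_after_click(results):
    """(campaign, user) pairs where someone clicked and still reported it.

    These are the people to recognize publicly: reporting your own mistake
    is the behaviour that gets the security team into triage early.
    """
    return sorted((r.campaign, r.user) for r in results if r.clicked and r.reported)


def training_effective(metrics):
    """True when click rate fell and report rate rose from first to last campaign."""
    names = list(metrics)
    first, last = metrics[names[0]], metrics[names[-1]]
    return (last["click_rate"] < first["click_rate"]
            and last["report_rate"] > first["report_rate"])


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_RESULTS)
    for name, stats in m.items():
        print(name, {k: round(v, 2) for k, v in stats.items()})
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("never reported:", never_reported(SAMPLE_RESULTS))
    print("reported after clicking:", reported_after_click(SAMPLE_RESULTS))
    print("program improving:", training_effective(m))
```

The `training_effective` check deliberately requires both a falling click rate and a rising report rate; with the constructed data it returns True because the click rate drops from 50% to 25% while the report rate climbs from 50% to 75%. Feed it real exports and the same function will flag a program where people have simply learned to ignore the mail.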

Zero In on Security Topics Relevant to Your Business

Beyond these common topics, you should also offer targeted trainings driven by the best practices your workforce has failed to follow during the year and by the industry you work in. For instance, hospitals could extend their HIPAA trainings to cover security best practices, and retailers could delve into PCI-DSS topics. Training can also be tailored to specific roles through special programs for your service desk, senior executives, and their administrative support staff.

Targeted trainings should be held on a quarterly basis and be mandatory—tracking participation will ensure no one falls through the cracks. Getting buy-in from senior management and HR will also help you take action if members of your workforce don’t complete the training.

Don’t Patronize, Empower

It’s important to avoid falling into the trap of considering your workforce to be a nuisance—or worse yet, people who couldn’t possibly understand what you do and try to undermine your efforts by acting, well, stupidly. What comes from this is a hostile relationship that can upend all the work you’ve put into securing your organization against threats.

Instead, empower your workforce. They are the frontline defenders of your organization and should be trained on how to identify and report the most common indicators of an incident.

For instance, imagine an employee realizes something isn't quite right after clicking a malicious link in a phishing email. If they expect IT to treat them with respect and withhold judgement, your team could be alerted right away and begin triage. If they expect to be treated poorly for reporting, they are more likely to say nothing and hope it goes away, and the incident runs unchecked until someone else notices. That approach does nobody any good.

Additionally, make sure your workforce knows how to reach the IT and ITSEC teams. If you have a service desk, they should be included in the training as well.

Putting all of these elements in place takes time, but the work is well worth the effort. Security is everyone’s responsibility, and a fully engaged workforce will wind up simplifying the job of your information security team and make sure your program works.

Like what you see? Check out our next post in this series, “CIS Critical Security Control 18: Breaking Down the Control Chaos of Application Software Security.”