Employees are part of an organization’s attack surface, and ensuring they have the know-how to defend themselves and the organization against threats is a critical part of a healthy security program. If an organization needs to comply with different government and industry regulations, such as FISMA, PCI, HIPAA or Sarbanes-Oxley, it must provide security awareness training to employees to meet regulatory requirements.
Depending on the internal security resources and expertise available at an organization, it might make sense to bring in a third party to assist with security awareness training services. Regardless of whether outside assistance is leveraged, an organization’s leaders should understand what goes into building a security awareness training program, get involved, and offer feedback throughout the process.
Every organization will have a style of training that’s more compatible with its culture. There are many options, including:
In some cases, a combination of these may be the best option. Security awareness training is not a one-and-done exercise. Regular security training through multiple media is ideal, especially if the organization has high turnover rates.
An organization’s unique threat profile should also be factored in when deciding what subjects to cover. Possible topics may include but are not limited to:
Having a process in place to measure training effectiveness is essential. One way to do this is through a quiz. Quizzes should be issued before the training is deployed to get a baseline measurement and afterwards to see what has changed. If phishing exercises are conducted on a regular basis, organizations should keep track of whether employee response to these drills improves (or worsens!) after they’ve undergone security awareness training.
While it may be slightly less scientific, organizations can also try to determine the impact of training by looking for trends in the number and type of security incidents occurring over time as they add more employees and assets to their organization. It may also be interesting to have an individual walk around the office looking for exposed passwords, unlocked computers, and potential physical security risks a few times before and after training to determine whether behavior has changed.
Security may be a top priority for the security team, but other teams will have their own set of goals. Organizations should do their best to respect that time—ideally, training should be customized based on an employee’s role to ensure all of the training content is relevant to the individual and the work they do. This allows employees to focus on what matters and get back to work as quickly as possible. It also ensures that the riskier users at an organization, such as domain administrators, receive the right type of training that addresses risks and threats that are more relevant to the work they do.
When reviewing policies and best practices with employees, it’s important to always explain why each one is important. Users will be more likely to abide by policies if they understand the full context of them and believe it’s the right thing to do. For example, the risks of installing random software from the Internet become much more apparent to someone who sees how quickly a well-disguised piece of ransomware can encrypt all of the files on their workstation. Finally, organizations should avoid calling out individual employees or appearing condescending if someone struggles with a training exercise. Instead, team leaders should focus on creating an environment where everyone is comfortable asking questions and reporting incidents.
At the end of training, users should leave feeling empowered to help protect the organization and excited to collaborate with other teams to create a more secure environment. Understanding your organization's unique needs and culture will be critical to making this training a success.