The Importance of Security Awareness Training

Mar 21st


Information security awareness training is best defined as training conducted within an organization so that staff understand why security matters to the organization and what their own part in it is. In today's environment, information threats cannot be left solely in the hands of the information security team, because many of the newer threats arrive through social engineering aimed at ordinary users. An informed user community helps contain such threats and knows what to do when an incident occurs.

Is it necessary to conduct user awareness training?

This is a question a senior manager at a certain company once put to me. He did not understand why anyone needed to tell people the "obvious". In fact, he asked why we should take busy employees away from their desks when they could simply "google" the information. It was clear he did not see how the training added value to his organization.

Training is one of the administrative controls an organization uses to contain threats. Secondly, during the training the trainer informs users of their role in securing the organization's information in all its formats, whether on paper, on screen or in conversation. Lastly, informed users help the organization meet the audit objectives of its security program, since many controls depend on people actually following the procedures.

Course Module

The information security course outline should be set up so that it flows logically and users can connect what is shared with their daily tasks. Many topics could be covered, but it is important to select those that are relevant to the organization. Some topics that should never be left out include:

1. The Corporate Information Security Policy – I prefer to call this Security Awareness 101.

Users need to be informed of the content of the Information Security Policy. Remember that the policy is a document signed off by the board of the organization, and all employees are expected to abide by it. A good approach is to pick the sections of the policy that are relevant to your user group and stress the areas where users tend to be lax.

The beauty of starting with Security Awareness 101 is that it sets the pace for the topics that follow. It serves as a natural introduction to the training.

2. Regulatory Compliance

Closely related to the information security policy is what the law requires. Governments, through their regulatory bodies, set specific rules and regulations that must be adhered to in order to ensure transparency and fair markets, and to remove the ambiguity that would exist if there were no regulations. Users undergoing the training need to know what the law states so that they understand why they must comply with some of the policies the organization has set.

It is also necessary to mention the penalties the organization faces if it does not comply with the law. Regulations usually carry harsh penalties to encourage compliance, and when users learn what those penalties are they will be far more willing to follow the regulations.

3. Social Engineering

The essence of awareness training is to show users what to look out for, because those are the things that lead to attacks by the wrong people. Social engineering is a threat that is usually ignored, yet when it is exploited the consequences can be catastrophic.

Awareness training that leaves out social engineering is of little use, because it is the users who interact with IT resources every day. Technical measures may be put in place to contain intrusions, but how do you guard against human weakness? Training, training and more training is the best way to ensure that the organization's users are not caught out by social engineering attacks.

4. Current threats/attacks

It is crucial that the user community is fully aware of current threats and attacks, illustrated with the best case studies available. Most users will not understand why the IT security team keeps insisting on complex passwords until you demonstrate, through a case study, how weak passwords are exploited.

Stress the financial implications to the organization (especially if the CFO is in your session; this can lead to him or her approving the budget for your projects). Management will be very concerned once they know there is a real chance of financial loss if policies are not adhered to. For the rest of the users, let them know that their own personal data could be exposed if they do not follow the policies.
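A classroom demonstration of the weak-password case study mentioned above, as an added example that is not from the original article. It simulates a leaked password dump (the usernames, passwords and wordlist are all constructed for the demo, and the hashes are unsalted SHA-256 purely so the demo is fast and self-contained) and runs the kind of dictionary attack with cheap mangling rules that a real cracker applies. The point for the audience is the guess count: a dictionary word, a season plus a year and a capitalized word with "1!" appended fall within a few dozen guesses, while a long passphrase that is not in any wordlist survives the entire run.

```python
"""Demo: why weak passwords fall to a dictionary attack (constructed data)."""
import hashlib

# Constructed sample. In a real demo, use a dump from your own test accounts.
# The attacker sees only the hashes; the plaintexts are here to build the dump.
SAMPLE_PLAINTEXTS = {
    "alice": "password",                          # plain dictionary word
    "bob": "Summer2019",                          # season + year
    "carol": "Welcome1!",                         # word + "1!" to satisfy complexity rules
    "dave": "correct-horse-battery-staple-47",    # long passphrase, not in wordlist
}

# Small constructed wordlist and suffix rules; real attacks use millions of words
# and far richer mangling rules, so the cracked set would only be larger.
WORDLIST = ["password", "welcome", "summer", "letmein", "qwerty", "admin", "monkey", "dragon"]
SUFFIXES = ["", "1", "123", "!", "1!", "2018", "2019", "2020"]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, chosen only to keep the demo dependency-free and fast."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_leaked_dump(plaintexts: dict[str, str]) -> dict[str, str]:
    """Simulate the stolen credential file: username -> password hash."""
    return {user: sha256_hex(pw) for user, pw in plaintexts.items()}


def candidates(wordlist=WORDLIST, suffixes=SUFFIXES):
    """Yield guesses in cracker order: each word, its Capitalized and UPPER forms,
    each combined with every suffix. Cheap rules like these recover most
    'complex' passwords that users derive from a dictionary word."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                yield base + suffix


def crack(leaked: dict[str, str], wordlist=WORDLIST, suffixes=SUFFIXES):
    """Dictionary attack over the dump.

    Returns (results, total_guesses) where results maps each user to
    (recovered_password, guess_number) or None if the password survived.
    Each candidate is hashed once and compared against every user, which is
    exactly why unsalted fast hashes make mass cracking cheap.
    """
    results = {user: None for user in leaked}
    total = 0
    for guess in candidates(wordlist, suffixes):
        total += 1
        digest = sha256_hex(guess)
        for user, target in leaked.items():
            if results[user] is None and digest == target:
                results[user] = (guess, total)
    return results, total


def summarize(results: dict, total_guesses: int) -> list[str]:
    """Lines to put on the slide: who fell, and how quickly."""
    lines = []
    for user, outcome in results.items():
        if outcome is None:
            lines.append(f"{user}: NOT cracked after {total_guesses} guesses")
        else:
            password, n = outcome
            lines.append(f"{user}: cracked on guess {n} -> {password!r}")
    return lines


if __name__ == "__main__":
    dump = build_leaked_dump(SAMPLE_PLAINTEXTS)
    found, guesses = crack(dump)
    print("\n".join(summarize(found, guesses)))
```

Run it live during the session; the guess numbers make the argument better than any slide about "complexity". The follow-up point for the technical audience is that the defence against this attack on the server side is a slow, salted hash (bcrypt, scrypt or Argon2), which raises the cost of every guess, while the defence for users is length and unpredictability rather than a digit and a symbol bolted onto a dictionary word.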

5. Information Security Incident Response Plan

The user community needs to know how they are expected to respond when faced with an incident. In practice, most users will ask a colleague what to do rather than report the incident to the people responsible for handling it.

An incident response plan brings together the resources for dealing with any event that threatens the security of information assets. The aim is to respond to the incident quickly and efficiently, contain it and analyse its impact. Trainees should be told who the "incident commander" is, what information they should provide to the commander (what they saw, when, on which system, and what they have already done), and any other details required to bring the situation under control.

Do employees need to sit in a class environment for information security awareness training?

Of course not. Many managers are unwilling to release their subordinates to attend security awareness training. However, it is worth noting that a classroom provides an atmosphere where trainees can engage the trainer with questions on areas they have not understood. As the trainer, you need to be well prepared to handle those questions.

There are several other means that can be used to create awareness:

– Use posters in common areas. As the saying goes, a picture is worth a thousand words, so let the poster convey the message.

– Make use of the internal channels available, e.g. the intranet, desktop wallpapers and screensavers. This works well because employees do not have to leave their desks to learn.

– Plan for an information security awareness day with lots of exciting activities that will sensitize users on information security.

Tips for successful information security awareness training

Information security awareness training can fail to be effective because of the way it is conducted. The main goal is to enlighten the user community, but not everyone will see the point of the training. In most cases users attend simply because it is mandatory or because their supervisor asked them to.

As the trainer, if you are running a formal classroom session, make sure the content is easy to understand and interesting. Relate what you are teaching to the tasks users perform day to day. Crack a few jokes to keep the session lively.

One of my favourite password jokes, which also stresses the importance of handling passwords with care, has always been:

"Passwords are like underwear: you don't leave them out where people can see them, you should change them regularly, and you shouldn't loan them out to strangers."

A memorable line like this makes the guidance stick in a way a policy clause never will. One caveat on the "change them regularly" part: current guidance such as NIST SP 800-63B advises against forcing periodic password changes unless there is evidence of compromise, so adapt that line to whatever your own policy actually requires.

As part of the training, have the trainees take a short quiz, which helps in:

i) Judging whether users understood the content shared.

ii) Based on the results you can focus on an area where you feel you need to stress in future sessions.

Remember to award your best performers as this will boost morale of the trainees to pay more attention to the content being shared.

After conducting the training, prepare an assessment report for management that shows its positive outcomes. Comparing the number of incidents or password resets before and after the training demonstrates its value. In short, justify the training by showing management how the sessions add value to the business.

© 2006-2019 Security magazine.