
How to craft a security awareness programme that works

Thor Olavsrud | June 1, 2016
Organisations struggle with making security awareness training programs that work. One expert says that's because we treat security awareness training as an event rather than a continuous program of education that adapts to the risks employees face.

Employees are often considered the weakest link in organizations' efforts to create a strong security posture. Even organizations with security awareness programs in place struggle to instill strong security behaviors. Steve Conrad, managing director of MediaPro, a learning services company that specializes in information security, data privacy and compliance, says organizations can and should do better.

"Are we treating employees with the same seriousness as we are other threats to the organization? If you updated your firewall software and virus definitions once a year, people would say that you're negligent," Conrad says.

"It's time to really step up the human element," he adds. "Traditionally, CIOs and CISOs have looked at technology and processes. Now it's time to look at people. They're a very high threat to the organization, but we don't necessarily treat them like any other threat vector. Employees generally want to do the right thing."

Effective awareness training should be tailored for a variety of situations

Effective awareness training starts with a risk assessment, Conrad says. You need to understand what your most valuable assets are so you can better craft a plan to protect them.

"What are your risks? Align your training around those," Conrad says. "You shouldn't give the same training to everyone in your organization. Your executives need certain training that others in the organization may not."

Call center employees may need extra training around social engineering risks, while human resources employees may need particular training about handling personally identifiable information (PII).

Conrad notes that the National Institute of Standards and Technology (NIST) Cybersecurity Framework is an excellent foundational document with which to start the process.

Once you know what you need to protect and who needs special training to protect it, you need to craft a program of continuous education around it.

"You can't offer lackluster training for 30 minutes once a year and say it doesn't work," Conrad says. "Why would you expect it to work? You need foundational training, but the overall training program needs to be one of reinforcement. You need to look at it as an overall program, not an event."

User behavior analytics can play a key role in a continuous program that adapts to the risks that your employees face. These analytics can provide pop-up alerts when employees engage in certain activities.

"We see you're doing this, be aware that these are the best practices and what you need to watch out for," Conrad says.

"We call it 'just-in-time training' or 'performance-at-work training,'" he adds. "You're disclosing proprietary information to a partner, can I give you education and a checklist of what you should and shouldn't be sharing?"
