Creating A Security Awareness Training Program

Does your organization take security seriously? Do your users know how to fend off social engineering attacks? Do your organization's portable devices have data encryption enabled? If you answered "no" or "I don't know" to any of these questions, then your organization is not providing good security awareness training.

Wikipedia defines security awareness as the knowledge and attitude that members of an organization possess regarding the protection of both the physical and information assets of the organization. In a nutshell, loose lips sink ships. That's really what security awareness is all about.

If you are responsible for the information assets of your organization then you should develop and implement a security awareness training program. The goal should be to make your employees conscious of the fact that there are bad people out in the world that want to steal information and damage organizational resources.

Let's look at some tips for creating an effective security awareness training program:

Educate Users on the Types of Real-world Threats They May Encounter

Security awareness training should include educating users on security concepts such as recognizing social engineering attacks, malware attacks, phishing tactics, and other types of threats that they are likely to encounter.

Teach the Art of Password Construction

While many of us know how to create a strong password, there are still many people out there that don't realize how easy it is to crack a weak password. Explain the process of password cracking and how offline cracking tools work. They may not understand all the technical specifics, but they will at least see how easy it is to crack a poorly constructed password and this might inspire them to be a little more creative when it's time for them to make a new password.

Focus on Information Protection

Many companies tell their employees to avoid discussing company business while they are out at lunch because you never know who might be listening, but they don't always tell them to watch what they say on social media sites. A simple Facebook status update about how mad you are that the product you're working on won't be released on time could be useful to a competitor who might see your status post, should your privacy settings be too permissive. Teach your employees that loose tweets and status updates also sink ships.

Rival companies may troll social media looking for employees of their competition to gain the upper hand on product intelligence and who's working on what. 

Social media is still a relatively new frontier in the business world and many security managers are having a hard time dealing with it. The days of just blocking it at the company firewall are over. Social media is now an integral part of many companies' business models. Educate users on what they should and shouldn't post on Facebook, Twitter, LinkedIn, and other social media sites.

Back Up Your Rules With Potential Consequences

Security policies without teeth aren't worth anything to your organization. Get management buy-in and create clear consequences for user actions or inaction. Users need to know that they have to protect information that is in their possession and do their best to keep it safe from harm.

Make them aware that there are both civil and criminal consequences for divulging sensitive and/or proprietary information, tampering with company resources and other insecure behaviour.

Don't Reinvent the Wheel

You don't have to start from scratch. The National Institute of Standards and Technology (NIST) has written a book on how to develop a security awareness training program, and best of all, it's free to download. NIST's Special Publication - Building an Information Technology Security Awareness and Training Program is helpful in learning how to make your own.

Stacie Orlandi is a professional essay writer for reddit
