While most organizations place a high focus on employing safeguards for their networks, technology is only one piece of the equation. Organizations must effectively educate employees to fend off attacks that target human vulnerabilities. Every company, regardless of whether it operates in a regulated environment, should have an information security awareness program. Today companies of all sizes and industries are targets for social engineering attacks designed to prey upon employees in order to steal sensitive intelligence, healthcare information, and credit card data.
While many companies recognize the need for security awareness, they struggle with knowing where to start.
Here are a few suggestions to begin the journey of implementing effective security awareness training.
Getting Started: Go Back to Basics
A mentor of mine gave me the following advice whenever I was creating a new program and didn’t know where to start. His advice to me was to “Go back to the basics.” In other words, break the program down to its most basic components. Answer common questions such as:
- What am I trying to accomplish?
- Who is my audience?
- What do I want them to learn?
Once you identify and address the basics, everything else will fall into place and the program will begin to materialize.
Take it Easy on the Jargon
All too often training programs can get bogged down in the use of technical terms, acronyms and jargon. As a result, some of your audience is likely going to feel lost or left out. So, instead of a title like “Complex Password Construction Principles”, think of using titles like, “How to Make a Strong Password”. This makes it easy for individuals from different functional areas within the company to understand the concept. It also makes the training seem less intimidating for those that may work in non-technical roles within your company.
Make it Fun
Making information security awareness fun sounds like an oxymoron. But it can be done!
One of the ways to make it fun is to give the trainee(s) the chance to become active participants in the program, rather than having someone simply stand up in front of the room and deliver the material from a PowerPoint deck. You can do this in a few ways:
- Gamify your program by giving out small prizes to those that answer questions correctly.
- Invite participants up in front of the group, have them write out what they think is a strong password, and then build the discussion off of their examples.
- Role-play scenarios that resemble a social engineering attack and let the employees share their thoughts on how they would respond.
There are tons of things you can do to make the session(s) entertaining, many times without spending all that much money.
Another reason to make it fun and participatory is that studies have shown that engaging training is far more likely to be remembered. Remember, you want the staff to retain the important information security concepts that help you protect your organization.
Make it Relevant
To make the material even more “sticky” with respect to retention, you need to make it relevant. In other words, if you are going to use a security breach that has been in the news, make sure that it’s recent and, if at all possible, choose one that happened in your industry.
By doing so, you make the training more relevant to the employees, and they see how they can contribute to keeping your company safe from the type of attack that succeeded at another organization.
The other part of making it relevant is ensuring that the topics you cover are important to your organization. As an example, the topic of a clean desk policy is something that applies to most organizations whereas the security of Linux workstations likely doesn’t.
Some generic topics that apply to most organizations include, but are not limited to:
- Clean Desk Practices
- Developing Strong Passwords
- Detecting and Preventing Social Engineering
- Physical Security Issues
- Acceptable Use of Computer Systems
- Safe Web Browsing Habits
- Using Cloud Services Safely
- Social Media Dangers
Keep it Top of Mind
Three important words when it comes to constructing a good information security awareness program: Keep It Fresh!
To ensure that information security awareness remains top of mind, you’ve got to make the material repeatable. However, that doesn’t mean it has to be the same topic every time. Change it up monthly so that employees don’t say things like “Password security again!?” It’s also important to make it repeatable because you’ll want to train your employees year round, not just at hire and then annually thereafter. By training every month you create a culture of security that protects the employee as well as the company.
So there you have it! Five easy ways to develop a security awareness program that is rich and provides benefit not only to the employee but to the company as well.
For more information on how Digital Defense is helping organizations with industry recognized fun and entertaining training, click here to learn more.