The third blog in our series as part of National Cybersecurity Awareness Month (NCSAM) focuses on the theme of workforce education and training, and awareness. Today we’re going to look at the people dimension of the people, process, and technology triad. Security professionals often complain that people are the weakest link of the three, but I prefer to characterize them as the “least predictable.”
One way organizations can address the people dimension to improve risk management and reduce the impact of cyber attacks is to have a formal cyber security training and awareness program. If you don’t have a program yet, we’ll start off with the basics, and ramp up the fun from there.
The Basics: Setting Up a Plan
Unless you’re running an Amish furniture shop, you and your staff are likely using computers and the Internet as part of your everyday life you need to train your employees on cyber safety on a regular basis as corporate policies shift, technology evolves, and the threat landscape changes.
If you don’t have a cyber security awareness program or you plan to update your current program, the goal should be to train or refresh your workforce on at least an annual basis. The annual training should cover key topics like online safety, data security and classification, removeable media (USBs, removable hard drives), two-factor authentication, mobile device management, social media safety, and acceptable use of computer assets. Additionally, you’ll want to content on how to avoid common threats like phishing attacks, social engineering, and ransomware.
Some of this information may need to be tailored for your business needs. For example, your data classification standards will likely be unique to your organization. Moreover, your Acceptable Use Policy (AUP) can vary depending on your organization and industry. The most important items you cover should focus on what you expect from your employees from a security standpoint.
Most of this material can be found in eLearning courses and videos offered by a variety of cyber security training companies. If you don’t have the budget for online courses or high-end custom videos, you could start with something as modest as a slide deck or find any number of free online security courses. They don’t have to have Hollywood production values or be narrated by Samuel L. Jackson to be effective training.
However you choose to offer training, you’ll also need some form of attestation. This can be an actual test with written questions and answers that employees submit, a form that employees sign to state that they completed training, or a simple attendance sheet. Your training manager or human resources department should keep these annual training records for compliance purposes.
The items mentioned in “The Basics” section are the bare minimum. If you’re done with vanilla and want to move on to Rocky Road or Choco-zilla Marshmallow Mega Blast Swirl, then buckle up, because here we go.
How to Advance-ify Your Program
A more robust awareness and training program needs to go a bit further. If you have an incident response plan, your employees should know how to report a cyber security incident and what is expected of them in the case of suspicious or malicious events. While you have their attention, review some advanced threat scenarios that have happened to other companies in your industry or that have made national news. How was that company compromised? What was the human component? How could training have mitigated that risk?
If your security team has done any penetration testing or malware analysis, can you share those results with your employees on the most common threats to your organization or what steps you’re taking to improve security? Finally, provide them with practical steps and rationale as to how they can increase their cyber safety at home as well as in the workplace.
To further cement learning, consider adding a game or incentive element to your cyber security awareness program. If you’ve got a crowd, consider getting some $5 to $15 gift cards and offer them to whoever gets the most correct answers on their test, or who does NOT click on the test phishing email. You could even break up staff into teams and test their knowledge at a “Cyber Bowl” to make it more entertaining and add an element of fun and competition.
If you have a smaller budget, consider something as simple as handing out candy for correct “pop quiz” answers, or if you have a virtual team, sending the winners some company swag like t-shirts or hats.
There are a plethora of interesting and entertaining videos out that together could aptly be titled, “This Person Clearly did NOT Pay Attention During Training.” Showing examples of what can happen when security protocols are not followed can provide a moment of levity along with a teaching moment. Follow that laughter (or embarrassment) with a short discussion on the negative impacts to the individual and impacts to the company.
The goal with security awareness training is to drive a cultural change in your organization. Cultural changes are the hardest to bring about as they take time. Through repetition and changing norms, cyber security can become second hand and you’ll be well on your way to solidifying all three legs of your cyber security triad.
From seminars to hands on labs, Delta Risk offers customized training to help you meet growing cyber security requirements. Find out more now.