Does Your Company Have a Security Awareness Training Program?

Thursday, March 10, 2011

Allan Pratt, MBA


It would be great if companies included information security as a portion of their "new employee welcome orientation" sessions.

Best led by a member of the IT/InfoSecurity team, this InfoSecurity Awareness Training would be a great way to educate and empower employees to be safe computer users and simultaneously protect the company's data, network, and tech resources.

The training should focus on software security awareness, computer and network security awareness, and social media awareness (a discussion of the company's policy for access to social media during business hours as well as any other company policies about content - if access is allowed). Emphasis should be given to complex password/login creation, use of USB drives, virus attacks, and disaster recovery plans.

Other topics to discuss include good security practices, such as making regular backups, encrypting sensitive data, turning off computers before leaving the office, carefully disposing of storage devices, and not installing illegal copies of software or any other personal software on company computers or devices.

With today's on-the-go and work-from-home workforce, it is also worth discussing the importance of secure Wi-Fi – best not to just open a laptop anywhere. In addition, smartphones can be hacked. Create passwords for all portable devices including smartphones, laptops, eReaders, tablets, etc. And if a security breach happens, alert the appropriate IT/InfoSecurity team immediately.

The bottom line for IT professionals is to do your research. Before you start drafting a security awareness program, you need to know as much as possible about your technology environment.

Learn how your company obtains, uses, stores, and shares information – and also understand the dynamics of your company’s specific industry – because security measures will not be the same for a bank vs. a hospital vs. a restaurant vs. a construction company.

If an IT manager doesn’t understand how a company is using its systems, it’s impossible to determine accurate security levels. In addition, find out who has access to what information and why, as well as who needs access to what information and why.

Review and cross-reference the two lists to determine if the names included are correct based on job functions and responsibilities. A great idea would be to engage leaders from throughout the company who represent different specialty areas so that they too can support the security awareness program.
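One way to carry out the cross-reference described above, as an added example that is not part of the original post: the "needs access" list is derived from job roles (the "why"), the "has access" list is the actual export from the systems, and every entitlement that is not explained by a role, or is required by a role but absent, is flagged for review. All names, roles and resources below are constructed sample data.

```python
"""Reconcile 'who has access' against 'who needs access' by job role."""
from dataclasses import dataclass

# Constructed sample data: each job role and the resources that role needs.
ROLE_NEEDS = {
    "accounting": {"ledger-db", "payroll-share"},
    "developer": {"source-repo", "build-server"},
    "helpdesk": {"ticket-system"},
}

# Constructed: employee -> job roles, the justification for needed access.
EMPLOYEE_ROLES = {
    "alice": {"accounting"},
    "bob": {"developer"},
    "carol": {"developer", "helpdesk"},
    "dave": {"helpdesk"},
}

# Constructed: actual access as exported from the systems ("who has access").
ACTUAL_ACCESS = {
    "alice": {"ledger-db", "payroll-share", "source-repo"},  # source-repo unjustified
    "bob": {"source-repo"},                                  # build-server missing
    "carol": {"source-repo", "build-server", "ticket-system"},
    "dave": {"ticket-system"},
    "erin": {"payroll-share"},                               # no role on file at all
}


@dataclass(frozen=True)
class Finding:
    employee: str
    resource: str
    kind: str    # "excess": has but no role needs it; "missing": role needs but lacks it
    reason: str


def needed_access(employee_roles, role_needs):
    """Build the 'needs access' list from job functions and responsibilities."""
    return {emp: set().union(*(role_needs.get(r, set()) for r in roles))
            for emp, roles in employee_roles.items()}


def reconcile(actual, employee_roles, role_needs):
    """Cross-reference actual access against needed access; return the deviations."""
    needed = needed_access(employee_roles, role_needs)
    findings = []
    for emp in sorted(set(actual) | set(needed)):
        has, need = actual.get(emp, set()), needed.get(emp, set())
        roles = sorted(employee_roles.get(emp, set()))
        for res in sorted(has - need):   # granted, but no role on file explains it
            why = "no role on file" if not roles else "not required by roles %s" % roles
            findings.append(Finding(emp, res, "excess", why))
        for res in sorted(need - has):   # required by a role, but not granted
            findings.append(Finding(emp, res, "missing", "required by roles %s" % roles))
    return findings
```

Excess findings are candidates for revocation under least privilege; missing ones usually surface either a provisioning gap or a stale role assignment, and both deserve a named owner's sign-off.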

For security awareness to be effective, it cannot be a single event. In today’s era of data breaches and malware attacks that appear much too often, companies must promote security awareness to all employees.

An effective addendum to a security awareness training program should be weekly email newsletters sent to employees with "quick tip" reminders. If such a program is implemented, companies should require employees to sign off on the key elements of the program, just as they do when they receive new employee manuals.

Companies need to be proactive in their security protection – and all employees must do their part – but they need a security awareness program with regular updates to accomplish this.

Katie Weaver-Johnson: Great post Allan and good overview of the many elements of a comprehensive security awareness training program.

As you mentioned, security awareness training is not a one-size-fits-all. Organizations must customize their awareness training to fit their specific organization and the risks and challenges for their employees. Because threats, risks, and obligations are changing every day it is critical for an awareness program to be ongoing and include real-world examples and case studies to help employees (and third-parties) understand why organizational policies and procedures are in place.

We often say, wouldn't it be great if there was anti-virus software for people - they could just get updated each morning with new risks, threats, best practices, etc?

Allan Pratt, MBA: Thanks, Katie, for your comments. Hopefully, more companies will understand that security awareness training cannot be a "one-size fits all" solution.

kapil assudani: Awesome post Allan. This seems to be the most effective and simple technique to make employees security aware; it's surprising that hardly any company has implemented this in their on-boarding process.

Allan Pratt, MBA: Thanks Kapil!

Sherman Hand: Great post. I think the thing that stops more Security programs is the lack of top down support. There will never be training for new hires or yearly training or anything else if the issue is not seen as important starting from the top with support from there.

Allan Pratt, MBA: Sherman, totally agree - the success of a security program depends on the support it receives from top leadership.