Whip your users into shape with security awareness training.
Calling in Reinforcements
If you're ready to tackle the awareness challenge but lack the necessary resources, consider outsourcing. Turnkey awareness programs are available from a number of vendors, both large and small. Ask these important questions.
Will training be in a classroom or online? If you have specialized needs, classroom training could be more effective, but this costs a lot of money and doesn't scale well to a large user base. Web-based training is convenient for the user and is an easy medium for comprehension quizzes.
How will completion rates be tracked? Virtually every vendor has built tracking into its program, with regular reports (usually monthly) or online tools for your own ad hoc queries. You'll eventually want to automate the process of disabling accounts whose security training has expired, so make sure the vendor can export completion data in a form your account-management process can consume.
What ongoing support is offered? Most vendors offer tools to support your day-to-day awareness strategy, including posters, screen savers, word search puzzles and interactive quizzes. These things should be fun and interesting; nothing does more to kill your security culture than dull promotions.
Are customization services available? Before you shop around for an awareness training vendor, make a list of the items that need to be covered. Some companies will be happy to tailor their existing programs to include your own security policies, regulatory needs or training on specialized computer systems. This will cost extra, but it may be cheaper than doing it in-house.
What metrics are provided? Proper metrics demand integration with your organization's IT and management processes. Find out up front if your preferred provider will work with you to develop effective metrics.
How much will it cost? When weighing the costs, consider not only what you're getting for the money, but also how much it would cost you to do it yourself. You may find the price more attractive than you thought, especially if you project it out over the next few years. Outsourcing is typically considered less expensive.
— David Bianco
Organizations spend thousands of dollars on security measures and staff to protect their information resources, but often neglect their first line of defense against cyberthreats: the user. Security depends on users, but security awareness training for them is often ignored or treated as a check box on a compliance list. Your employees need a basic training program. They want to do the right thing; they just need guidance. With a little forethought and a lot of ingenuity, you can deploy a security awareness program that will whip your users into frontline soldiers on the cyberbattlefield.
Choose Your Cadence
The core of every awareness program is teaching users the value of information and access controls, and training them to recognize and report unusual activities. They don't have to become experts — if you can keep the training within the scope of their normal duties, it will be easier for them to swallow.
Companies often start with low-cost prepackaged or outsourced awareness programs rather than go through the pain and expense of making their own mistakes. Outsourced curricula, promotional material and reporting tools can provide a robust, mature awareness program without months (or even years) of research, design and fine-tuning. Although vendor offerings vary, there are certain features you should look for in any outsourced awareness program (see "Calling in Reinforcements").
The SANS Institute is a good source for off-the-shelf user awareness training, providing both online and face-to-face instruction, completion tracking and some ongoing support materials. Symantec Education Services also provides a prefab awareness course, but the basic package includes only ready-to-print materials on CD; you'll need to provide your own instructors.
If the shrink-wrapped approach won't work, develop your own awareness program and tailor it to meet your company's specific needs. For example, while all users should learn about good password selection, application developers need training on secure coding techniques, and the sales force should know how to protect its laptops and PDAs. Locally developed training makes it easier to integrate information about your company's security policies and procedures, but it is also the most costly approach in terms of staffing, time and budget.
The hybrid approach to security training is customizing a third-party awareness package to fit your organization's needs. Most vendors offer customization support, including The Security Awareness Company, which will tailor its off-the-rack program and give your training a marketing makeover, and ReeseBrook, which offers regulatory compliance modules for HIPAA, GLBA, SOX and the Patriot Act.
In the advertising world, the rule of thumb is that potential customers need to be exposed to your message at least three times before they'll even notice your product, and persuading them to act will require even more effort. Security awareness training is no different. Choose your messages carefully and drill the troops.
Try these proven methods:
Create a brand. Put the full power of modern marketing to work for you. Create a logo and use it on all your awareness materials. Target messages to the user base that needs them most. Be creative, funny and concise.
Get the message out. "Loose lips sink ships." Use posters and screen savers to communicate memorable messages or catchphrases.
Rinse and repeat. The threat environment is changing rapidly, and training needs to be kept up to date. Revise your training program frequently, and require all users to complete it at least once a year to maintain their computer access and privileges.
Write for newsletters. Take advantage of employee newsletters and staff-wide mailings. Keep your entries short and nontechnical; a well-chosen paragraph or two will inform users quickly and effectively.
Create a security blog. The new wave of citizen journalism: Boil down the daily or weekly deluge of security information into a couple of pithy paragraphs, add your own commentary and post the results.
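The annual-completion requirement above, and the sidebar's advice to automate disabling accounts with expired training, both come down to one decision per account: is the last completion date still within policy? The script below is an added example written for this article, not code from any vendor named in it. It assumes (none of this is in the article) that the vendor's tracking tool exports a CSV with columns user and last_completed, that training is valid for 365 days, that users get a 14-day warning before their access is cut, and that service accounts are exempt because nobody sits the course on their behalf. It deliberately fails closed: a blank or unparseable date counts as never trained, so a bad export cannot silently keep an account alive.

```python
"""Plan account actions from a security-awareness completion report.

Added example for this article; not a vendor's code. Assumed inputs and policy:
CSV export with columns user,last_completed (ISO date, blank if never completed),
365-day validity, 14-day warning window, exempt service accounts.
"""
import csv
import io
from datetime import date, timedelta

VALID_DAYS = 365   # "complete it at least once a year"
WARN_DAYS = 14     # assumed policy: warn this long before access is cut

# Constructed sample export, standing in for the vendor's monthly report.
SAMPLE_REPORT = """user,last_completed
alice,2005-06-20
bob,2004-05-01
carol,2004-07-10
dave,
svc-backup,
mallory,not-a-date
"""

# Assumed: service accounts never take the course and must not be disabled for it.
EXEMPT = {"svc-backup"}


def parse_report(text):
    """Return {user: date or None}.

    A blank or unparseable last_completed is treated as never completed, so a
    corrupt export fails closed (account gets disabled) rather than open.
    """
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user"].strip()
        raw = (row.get("last_completed") or "").strip()
        try:
            records[user] = date.fromisoformat(raw) if raw else None
        except ValueError:
            records[user] = None
    return records


def classify(last_completed, today):
    """Map one completion date to 'ok', 'warn' or 'disable' under the policy."""
    if last_completed is None:
        return "disable"
    expires = last_completed + timedelta(days=VALID_DAYS)
    if today >= expires:
        return "disable"
    if today >= expires - timedelta(days=WARN_DAYS):
        return "warn"
    return "ok"


def plan_actions(report_text, today_iso, exempt=EXEMPT):
    """Return {user: action} for every account in the report.

    today_iso is passed as an ISO date string so the run is reproducible
    (and so the plan can be generated for a future date as a preview).
    """
    today = date.fromisoformat(today_iso)
    plan = {}
    for user, last in parse_report(report_text).items():
        plan[user] = "exempt" if user in exempt else classify(last, today)
    return plan


def disable_commands(plan):
    """Render the disable actions as a review list for the operator.

    'disable-account' is a placeholder for whatever your directory tooling
    uses; the point is to produce an auditable list before anything runs.
    """
    return [f"disable-account {user}"
            for user, action in sorted(plan.items()) if action == "disable"]


if __name__ == "__main__":
    plan = plan_actions(SAMPLE_REPORT, "2005-07-01")
    for user, action in sorted(plan.items()):
        print(f"{user:12} {action}")
    print("\n".join(disable_commands(plan)))
```

Run against the constructed report on 2005-07-01, alice is within policy, carol lands in the warning window, bob's training lapsed in May, and dave and mallory are disabled because their dates are missing or malformed. Feed the disable list into a change ticket rather than straight into the directory: the warning window only works if someone actually sends the warning.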
The most important lesson is to avoid information overload. Fight the urge to throw in heaps of overly specific guidelines; policies and procedures do need to be covered, but try to focus on the underlying concepts. For example, don't just tell your employees to keep their customer database passwords to themselves; teach what it could mean to them or to the company if the names, addresses and credit card information contained inside the database were stolen. Your users will make better decisions in otherwise unfamiliar situations, and will have a good foundation for the lessons that follow.
Try to abstract your core messages to a fairly high level, and then prioritize them. Start with two or three and publicize them heavily. For example, focus first on impressing on employees that the company — not them — owns the data and computing resources they use at work, and explain what constitutes good password management. Once these concepts have had a chance to sink in, cut back on their frequency and introduce the next few items on the list, maybe some tips for recognizing common social engineering scams or phishing techniques. Repeating the concepts will reinforce the message.
This was first published in July 2005