Organizations spend thousands of dollars on security measures and staff to protect their information resources, but often neglect their first line of defense against cyberthreats — the user. Security depends on users, but security awareness training for them is often ignored or treated as a check box on a compliance list. Your employees need a basic training program. They want to do the right thing; they just need guidance. With a little forethought and a lot of ingenuity, you can deploy a security awareness program that will whip your users into frontline soldiers on the cyberbattlefield. Choose Your Cadence
The core of every awareness program is teaching users the value of information and access controls, and training them to recognize and report unusual activities. They don't have to become experts — if you can keep the training within the scope of their normal duties, it will be easier for them to swallow.
Companies often start with low-cost prepackaged or outsourced awareness programs rather than go through the pain and expense of making their own mistakes. Outsourced curricula, promotional material and reporting tools can provide a robust, mature awareness program without months (or even years) of research, design and fine-tuning. Although vendor offerings vary, there are certain features you should look for in any outsourced awareness program (see "Calling in Reinforce-ments," right). The SANS Institute is a good source for "off-the-shelf" user awareness training, providing both online and face-to-face instruction, completion tracking and some ongoing support materials. Symantec Education Services also provides a prefab awareness course, but the basic package includes only ready-to-print materials on CD; you'll need to provide your own instructors. If the shrink-wrapped approach won't work, develop your own awareness program and tailor it to meet your company's specific needs. For example, while all users should learn about good password selection, application developers need training on secure coding techniques, and the sales force should know how to protect its laptops and PDAs. Locally developed training makes it easier to integrate information about your company's security policies and procedures, but is also the most costly approach in terms of staffing, time and budget.
The hybrid approach to security training is customizing a third-party awareness package to fit your organization's needs. Most vendors offer customization support, including The Security Awareness Company, which will tailor its off-the-rack program and give your training a marketing make- over; and ReeseBrook, which offers regulatory compliance modules for HIPAA, GLBA, SOX and the Patriot Act.
Attention!
In the advertising world, the rule of thumb is that potential customers need to be exposed to your message at least three times before they'll even notice your product, and persuading them to act will require even more effort. Security awareness training is no different. Choose your messages carefully and drill the troops.
Try these proven methods: Create a brand. Put the full power of modern marketing to work for you. Create a logo and use it on all your awareness materials. Target messages to the user base that needs them most. Be creative, funny and concise. Get the message out. "Loose lips sink ships." Use posters and screen savers to communicate memorable messages or catchphrases. Rinse and repeat. The threat environment is changing rapidly, and training needs to be kept up to date. Revise your training program frequently, and require all users to complete it at least once a year to maintain their computer access and privileges. Write for newsletters. Take advantage of employee newsletters and staff-wide mailings. Keep your entries short and nontechnical; a well-chosen paragraph or two will inform users quickly and effectively. Create a security blog. The new wave of citizen journalism: Boil down the daily or weekly deluge of security information into a couple of pithy paragraphs, add your own commentary and post the results.
The most important lesson is to avoid information overload. Fight the urge to throw in heaps of overly specific guidelines; policies and procedures do need to be covered, but try to focus on the underlying concepts. For example, don't just tell your employees to keep their customer database passwords to themselves; teach what it could mean to them or to the company if the names, addresses and credit card information contained inside the database were stolen. Your users will make better decisions in otherwise unfamiliar situations, and will have a good foundation for the lessons that follow.
Try to abstract your core messages to a fairly high level, and then prioritize them. Start with two or three and publicize them heavily. For example, focus first on impressing on employees that the company — not them — owns the data and computing resources they use at work, and explain what constitutes good password management. Once these concepts have had a chance to sink in, cut back on their frequency and introduce the next few items on the list, maybe some tips for recognizing common social engineering scams or phishing techniques. Repeating the concepts will reinforce the message.
