The purpose of the risk assessment is to figure out how vulnerable systems are to fraud. Begin by determining a baseline relative to current activities, so that new processes and procedures can be put in place to more effectively deal with fraud.
Training employees in the middle of the assessment runs the risk of compromising the data gathered during the risk assessment. There will be plenty of time for training later, but during the assessment is the time to uncover and categorize those risks, so the organization can determine what needs to be done most urgently.
To be clear, fraud training is absolutely critical to fraud reduction efforts, but after the assessment is complete. When that time comes, focus on helping employees understand both what is considered private data and intellectual property (presumably the data that needs protection), as well as recognize typical attacks (mostly social engineering and other fraud attacks).
A helpful site to look at when starting a training program is PhishMe.com. This site automates the sending of phishing emails to employees and tracks whether they fall for the ruse. It can also test employees over time to see if educational and training efforts had a positive effect on their ability to deal with the fraud.
Dig Deeper on Security Awareness Training and Internal Threats-Information
Related Q&A from Mike Rothman
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
While liaison officer responsibilities vary depending on the company they work for, their strong organizational and communications skills make them ... Continue Reading
The CISSP certification can be a challenge to obtain. Mike Rothman unveils how to get on the right education and career tracks in order to get CISSP ... Continue Reading