What does a security awareness training program need to include?
An effective security awareness training program can make a significant difference in enterprise security. Expert Mike O. Villegas discusses what makes a good program.
A recent report from Ponemon Institute and Wombat Security Technologies found an alarming number of phishing attacks in enterprises. The report also found that after employees went through a security awareness training program, the number of phishing attacks significantly decreased. What types of information or advice would be effective in a security awareness training session? And what other threats besides phishing attacks should the training focus on?
Ignorance is not a control. As much as people may want to ignore security risks and vulnerabilities, they still exist. A security awareness training program is critical to ensure that employees at all skill levels understand basic security principles to minimize the risk of a breach, fraud or costly mistakes.
The report issued by the Ponemon Institute stated that putting employees through a security awareness training program significantly reduces the number of security-related incidents, such as phishing attacks.
An effective security awareness training program needs to be:
- Informational: Stress the basics, like password controls, phishing emails, suspicious websites and downloads, privacy, physical security and more.
- All-inclusive: All employees should go through and acknowledge in writing -- electronic or manual -- that they have undergone annual training and new employee orientation training on information security.
- Relevant: Show the consequences of not complying with security policy. Emphasize the risks to the organization, personal identity theft, disciplinary action and possible termination.
- Fun: Use animated characters, puzzles, newsletters, contests for correct answers, free cybersecurity videos, cybersecurity posters and more.
- Attention-getting: Send fake phishing emails to employees and post results. After being a victim once, they will be much more vigilant going forward.
- Not overdone: Security awareness should be integrated into the business culture, but with moderation. Schedule weekly, monthly, quarterly and annual events, but keep it light.
In addition to these qualities, ensure that management is familiar with and supportive of the security awareness training program. At least annually, have the CEO record a video or issue a communication to all employees in which she stresses the importance of information security and the protection of the critical information of the organization's customers, stakeholders and employees. Lastly, make sure you have fun.
In order to obtain the maximum buy-in from the trainees, the training course should also appeal to the "What's In It for Me" motivation and include elements of enhancing the participants' personal security posture.
Including information on home computer security and protecting personal information will help to make the user safer at home, and consequently safer at work.