A recent report from Ponemon Institute and Wombat Security Technologies found an alarming number of phishing attacks in enterprises. The report also found that after employees went through a security awareness training program, the number of phishing attacks significantly decreased. What types of information or advice would be effective in a security awareness training session? And what other threats besides phishing attacks should the training focus on?
Ignorance is not a control. As much as people may want to ignore security risks and vulnerabilities, they still exist. A security awareness training program is critical to ensure that employees at all skill levels understand basic security principles to minimize the risk of a breach, fraud or costly mistakes.
The report issued by the Ponemon Institute stated that putting employees through a security awareness training program significantly reduces the number of security-related incidents, such as successful phishing attacks.
An effective security awareness training program needs to be:
- Informational: Stress the basics, like password controls, phishing emails, suspicious websites and downloads, privacy, physical security and more.
- All-inclusive: All employees should go through annual training, and new employees should go through information security orientation training, and each should acknowledge in writing -- electronically or on paper -- that they have completed it.
- Relevant: Show the consequences of not complying with security policy. Emphasize the risks to the organization, the risk of personal identity theft, and the possibility of disciplinary action or termination.
- Fun: Use animated characters, puzzles, newsletters, contests for correct answers, free cybersecurity videos, cybersecurity posters and more.
- Attention-getting: Send simulated phishing emails to employees and post the results. Publish them in aggregate (by department or site) rather than by name; the aim is vigilance, not embarrassment. Employees who are caught once by a simulated phish tend to be far more vigilant afterward.
- Not overdone: Security awareness should be integrated into the business culture, but in moderation. Schedule weekly, monthly, quarterly and annual events, but keep them light.
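The simulated phishing campaign described in the "Attention-getting" item needs two things a practitioner will want to get right: a per-recipient tracking link that employees cannot guess or forge from a colleague's email, and reporting that measures the behaviour the training is meant to produce (reporting the email) alongside the behaviour it is meant to reduce (clicking the link). The following is an added example, not code from the original article or from Ponemon/Wombat; the tracking host `training.example.com`, the campaign secret, the recipient list and the log lines are all constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed campaign parameters for this example. In a real simulation the
# secret lives in the tracking server's configuration, never in the lure.
CAMPAIGN_ID = "2017-q1-invoice-lure"
CAMPAIGN_SECRET = b"example-only-campaign-secret"

# Constructed recipient list: email -> department. Results are summarized
# per department, never per person.
RECIPIENTS = {
    "alice@example.com": "finance",
    "bob@example.com": "finance",
    "carol@example.com": "engineering",
    "dave@example.com": "engineering",
    "erin@example.com": "sales",
}


def tracking_token(email):
    """Per-recipient token embedded in the lure's link.

    An HMAC over (campaign, recipient) rather than a counter or the address
    itself: it cannot be enumerated or forged by an employee who looks at a
    colleague's link, and it reveals nothing about the recipient.
    """
    msg = f"{CAMPAIGN_ID}|{email}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:32]


# Built once when the lures are sent; the tracking endpoint uses it to map a
# clicked or reported link back to a recipient.
TOKEN_TO_EMAIL = {tracking_token(email): email for email in RECIPIENTS}


def lure_url(email):
    """The unique link placed in the simulated phishing email (hypothetical host)."""
    return f"https://training.example.com/t/{tracking_token(email)}"


def parse_event(line):
    """Parse one tracking-server log line: '<ISO timestamp> <click|report> <token>'."""
    timestamp, action, token = line.split()
    if action not in ("click", "report"):
        raise ValueError(f"unknown action: {action}")
    return timestamp, action, token


def summarize(log_lines):
    """Aggregate campaign results per department.

    Returns (stats, unknown) where stats maps department -> counts of lures
    sent, recipients who clicked, recipients who reported, and recipients who
    reported *before* clicking (the behaviour the training should produce),
    plus click and report rates. Events carrying a token that was never
    issued are counted in `unknown` rather than attributed to anyone.
    """
    clicked, reported, first_action = set(), set(), {}
    unknown = 0
    for line in sorted(log_lines):  # ISO 8601 timestamps sort lexically
        _, action, token = parse_event(line)
        email = TOKEN_TO_EMAIL.get(token)
        if email is None:
            unknown += 1
            continue
        (clicked if action == "click" else reported).add(email)
        first_action.setdefault(email, action)

    stats = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0, "reported_first": 0})
    for email, dept in RECIPIENTS.items():
        s = stats[dept]
        s["sent"] += 1
        s["clicked"] += int(email in clicked)
        s["reported"] += int(email in reported)
        s["reported_first"] += int(first_action.get(email) == "report")
    for s in stats.values():
        s["click_rate"] = round(s["clicked"] / s["sent"], 2)
        s["report_rate"] = round(s["reported"] / s["sent"], 2)
    return dict(stats), unknown


# Constructed log lines from the (hypothetical) tracking endpoint.
SAMPLE_LOG = [
    f"2017-03-01T09:14:02Z click {tracking_token('alice@example.com')}",
    f"2017-03-01T09:16:40Z report {tracking_token('alice@example.com')}",  # reported after clicking
    f"2017-03-01T09:20:11Z report {tracking_token('carol@example.com')}",  # reported without clicking
    f"2017-03-01T09:31:55Z click {tracking_token('dave@example.com')}",
    f"2017-03-01T10:02:13Z click {tracking_token('erin@example.com')}",
    "2017-03-01T10:05:00Z click 0123456789abcdef0123456789abcdef",  # token never issued
]

if __name__ == "__main__":
    stats, unknown = summarize(SAMPLE_LOG)
    for dept, s in sorted(stats.items()):
        print(dept, s)
    print("events with unknown tokens:", unknown)
```

Reporting the "reported before clicking" count, not just the click rate, lets the awareness program show improvement in the behaviour it actually wants; the unknown-token counter catches employees (or attackers) probing the tracking endpoint with made-up links.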
In addition to these qualities, ensure that management is familiar with and supportive of the security awareness training program. At least annually, have the CEO record a video or issue a communication to all employees in which she stresses the importance of information security and the protection of critical information belonging to the company's customers, stakeholders and employees. Lastly, make sure you have fun.
Related Q&A from Mike O. Villegas