Published: 28 Jul 2005
Policy & Process
Whip your users into shape with security awareness training.
|Outsourcing: Calling in Reinforcements|
If you're ready to tackle the awareness challenge but lack the necessary resources, consider outsourcing. Turnkey awareness programs are available from a number of vendors, both large and small. Ask these important questions.
Will training be in a classroom or online? If you have specialized needs, classroom training could be more effective, but this costs a lot of money and doesn't scale well to a large user base. Web-based training is convenient for the user and is an easy medium for comprehension quizzes.
How will completion rates be tracked? Virtually every vendor has integrated tracking into their programs with regular reports (usually monthly) or online tools to do your own ad hoc queries. You'll eventually want to automate the process of disabling accounts with expired security training, so make sure the vendor will support you in this.
What ongoing support is offered? Most vendors offer tools to support your day-to-day awareness strategy, including posters, screen savers, word search puzzles and interactive quizzes. These things should be fun and interesting; nothing does more to kill your security culture than dull promotions.
Are customization services available? Before you shop around for an awareness training vendor, make a list of the items that need to be covered. Some companies will be happy to tailor their existing programs to include your own security policies, regulatory needs or training on specialized computer systems. This will cost extra, but it may be cheaper than doing it in-house.
What metrics are provided? Proper metrics demand integration with your organization's IT and management processes. Find out up front if your preferred provider will work with you to develop effective metrics.
How much will it cost? When weighing the costs, consider not only what you're getting for the money, but also how much it would cost you to do it yourself. You may find the price more attractive than you thought, especially if you project it out over the next few years. Outsourcing is typically considered less expensive.
— David Bianco
Organizations spend thousands of dollars on security measures and staff to protect their information resources, but often neglect their first line of defense against cyberthreats — the user. Security depends on users, but security awareness training for them is often ignored or treated as a check box on a compliance list. Your employees need a basic training program. They want to do the right thing; they just need guidance. With a little forethought and a lot of ingenuity, you can deploy a security awareness program that will whip your users into frontline soldiers on the cyberbattlefield. Choose Your Cadence
The core of every awareness program is teaching users the value of information and access controls, and training them to recognize and report unusual activities. They don't have to become experts — if you can keep the training within the scope of their normal duties, it will be easier for them to swallow.
Companies often start with low-cost prepackaged or outsourced awareness programs rather than go through the pain and expense of making their own mistakes. Outsourced curricula, promotional material and reporting tools can provide a robust, mature awareness program without months (or even years) of research, design and fine-tuning. Although vendor offerings vary, there are certain features you should look for in any outsourced awareness program (see "Calling in Reinforce-ments," right). The SANS Institute is a good source for "off-the-shelf" user awareness training, providing both online and face-to-face instruction, completion tracking and some ongoing support materials. Symantec Education Services also provides a prefab awareness course, but the basic package includes only ready-to-print materials on CD; you'll need to provide your own instructors. If the shrink-wrapped approach won't work, develop your own awareness program and tailor it to meet your company's specific needs. For example, while all users should learn about good password selection, application developers need training on secure coding techniques, and the sales force should know how to protect its laptops and PDAs. Locally developed training makes it easier to integrate information about your company's security policies and procedures, but is also the most costly approach in terms of staffing, time and budget.
The hybrid approach to security training is customizing a third-party awareness package to fit your organization's needs. Most vendors offer customization support, including The Security Awareness Company, which will tailor its off-the-rack program and give your training a marketing make- over; and ReeseBrook, which offers regulatory compliance modules for HIPAA, GLBA, SOX and the Patriot Act.
In the advertising world, the rule of thumb is that potential customers need to be exposed to your message at least three times before they'll even notice your product, and persuading them to act will require even more effort. Security awareness training is no different. Choose your messages carefully and drill the troops.
Try these proven methods: Create a brand. Put the full power of modern marketing to work for you. Create a logo and use it on all your awareness materials. Target messages to the user base that needs them most. Be creative, funny and concise. Get the message out. "Loose lips sink ships." Use posters and screen savers to communicate memorable messages or catchphrases. Rinse and repeat. The threat environment is changing rapidly, and training needs to be kept up to date. Revise your training program frequently, and require all users to complete it at least once a year to maintain their computer access and privileges. Write for newsletters. Take advantage of employee newsletters and staff-wide mailings. Keep your entries short and nontechnical; a well-chosen paragraph or two will inform users quickly and effectively. Create a security blog. The new wave of citizen journalism: Boil down the daily or weekly deluge of security information into a couple of pithy paragraphs, add your own commentary and post the results.
The most important lesson is to avoid information overload. Fight the urge to throw in heaps of overly specific guidelines; policies and procedures do need to be covered, but try to focus on the underlying concepts. For example, don't just tell your employees to keep their customer database passwords to themselves; teach what it could mean to them or to the company if the names, addresses and credit card information contained inside the database were stolen. Your users will make better decisions in otherwise unfamiliar situations, and will have a good foundation for the lessons that follow.
Try to abstract your core messages to a fairly high level, and then prioritize them. Start with two or three and publicize them heavily. For example, focus first on impressing on employees that the company — not them — owns the data and computing resources they use at work, and explain what constitutes good password management. Once these concepts have had a chance to sink in, cut back on their frequency and introduce the next few items on the list, maybe some tips for recognizing common social engineering scams or phishing techniques. Repeating the concepts will reinforce the message.
|Creating a Security Culture|
Awareness is all about continued exposure. Al Decker and Rebecca Whitener from the IT services firm EDS have compiled the following list of methods for working security into your employees' everyday lives:
Now that you've put your users through security boot camp, how can you measure the effectiveness of their training? Measurements are indicators that your users are paying attention: How many are accessing the security awareness Web site or clicking on the e-mail link to download the monthly newsletter? Whether you're using a prepackaged metrics program or designing your own, choose your yardsticks to assess their effectiveness before you start.
More direct measurements typically start with the number of users who have taken the security awareness training, and the average score on the end-of-class test and ongoing training exams. The real metric though, is how training is impacting security; the number of monthly help desk calls is a good indicator. But, don't be fooled — having more calls is a good sign: It means your users are being more vigilant about security and are using their training in everyday practices. The cost of the help desk calls will be offset by flagging issues early, before they impact your bottom line.
Use your tools: If you have a good software inventory tool, track the number of workstations that has unapproved software installed. By reinforcing with awareness training the nature of this threat, the number of noncompliant desktops will decrease dramatically. Once you have selected your metrics, implement them as soon as possible, even before your awareness program kicks off. Measuring your program's effectiveness requires that you know the previous state of awareness in your organization. By establishing a baseline for the metrics you want to measure, you'll have the data necessary to get a true picture of how well things are going right from the start. Battle Ready
Awareness programs are long-term security strategies. The most effective thing you can do to help your program succeed is to work within your existing corporate culture to change it from the inside. Choose the training delivery methods and marketing campaigns that complement the way your employees live their daily corporate lives, or they'll reject your lessons out of hand. Similarly, don't try to teach too much at once. Through careful planning of your training strategy and by choosing metrics that integrate well with your existing processes, you can ensure that your organization — and your users — are ready for the battle ahead.