SECURITY AWARENESS PROGRAM EFFECTIVENESS & BEST PRACTICES
We are entering an era in which information security is becoming as important as the electricity in our homes. Most of us already have a digital presence, whether through social media or a simple email address. We are turning our homes into smart homes, more and more devices are connected to the internet, and the majority of us own at least one connected device besides our mobile phones. The more connected we are, the more exposed we are to the internet, and the easier a target we become. This digital and IoT era has brought its own challenges: cyber-attacks evolve alongside the technologies they target. Cyber adversaries are shifting their focus from organizations' systems to organizations' employees, from breaking into networks to stealing identities, from crashing operating systems to encrypting important data for ransom. An unaware employee is an easy way into an enterprise network, and it is commonly said that an unaware employee is the organization's greatest weakness.
Adoption of an information security awareness program is one of several key principles of information security. How seriously a company takes security awareness can be read from its annual budget. Significant money, time and effort should be invested in building a culture of security in modern, digitally dependent organizations. Rather than a one-time event, awareness should be an ongoing practice that equips employees with the knowledge they need to counter ever-evolving attacks.
WHY DO THESE PROGRAMS FAIL?
- Security is not a board-level concern
- Awareness is limited to periodic reminders by email
- Training content used in the awareness workshops is overloaded with technical detail, which most non-technical personnel perceive as dry and difficult
- The content merely restates the company's policies and procedures, which usually causes people to tune out
- A single workshop in an employee's entire tenure tries to cover most security topics, delivered one-way with no interaction
- No consequences are defined for policy violations
BEST PRACTICES TO IMPROVE THE EFFICACY OF THE TRAINING & AWARENESS PROGRAM
Break learning into smaller chunks of information
Instead of a one-hour presentation that reads 50 slides to the audience and overwhelms them with information, the program should consist of frequent, short workshops, each covering a small chunk of easily learnable material. This is far more effective.
Customize topics to the role of the audience
It is not one-size-fits-all: the training program should be tailored to each type of audience, taking into consideration how much each group interacts with technology, from executives and managers through technical staff to ground workers. For example, heavy use of technical jargon with executives or ground workers may cause them to tune out within the first five minutes of the session.
Pre-Testing the Audience
Pre-testing lets the audience self-select the level of information they still need, sparing them the redundancy and boredom of topics they have already mastered.
Sequence topics by priority
The most significant risk and the greatest information security challenge the organization currently faces should be discussed at the beginning of the session; the remaining topics should follow in order of priority.
Relate the material to real-world examples close to the audience's interests
Training should contain scenarios that the audience can relate to and may have encountered at work or at home, so the lessons feel real rather than a list of rules and policies with a long list of do's and don'ts.
Use means other than workshops and presentations to deliver the message:
Gamification: Develop simple games covering information security topics, with giveaways for the winners. An appreciation email can also motivate employees to take part willingly in the next event.
Constant reminders: Pop-up banners on the screen, desktop wallpapers, screen savers. The more visible the message, the deeper the impression it leaves.
Messages outside the workspace: One-line infographic posters in public areas such as restaurants, lifts, restrooms, lobbies, and inside and outside meeting rooms.
Some that grabbed our attention:
•Your password is like your toothbrush, don’t share it.
•Stop. Think. Connect.
•If you connect it, protect it
•If in doubt, don’t give it out
•Think before you click
Staff assessment: Assessing employee knowledge is the most direct way to measure the effectiveness of the program. Arrange a short quiz with questions drawn from the topics covered in the program. Analyze the results and invite those who fall short to another security session.
Track the following indicators to measure the effectiveness of the security awareness program. Read them together and over time: an early rise in employee reporting is a sign of success even though it pushes the raw incident count up.
•Reduction in the number of policy violations
•Increase in incident reporting from employees
•Increase in the number of staff passing the security assessment.
•Increase of attendance in the workshops
•Reduction in user-caused incidents flagged by security monitoring tools
•Failure of the majority of phishing attacks, real or simulated: fewer clicks and more reports per campaign
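The two phishing indicators above (fewer clicks, more reports) are easiest to track from the event export of a phishing-simulation campaign. The following is an added example, not code from the original article or from any particular simulation platform: it assumes a constructed event log of (campaign, user, event) records with event values "sent", "clicked" and "reported", counts distinct users per campaign so a double-click or a click-then-report is not double-counted, guards against a campaign with no deliveries, and flags repeat clickers as candidates for the follow-up session recommended earlier. The campaign labels and user ids are hypothetical.

```python
"""Phishing-simulation metrics for awareness-program measurement.

Added example, not part of the original article. Field names and the
sample data are constructed; a real platform's export will differ.
"""
from collections import defaultdict

# Constructed sample data: three quarterly campaigns sent to five users.
# User ids u1..u5 are hypothetical.
EVENTS = [
    # Q1: 5 sent, 3 clicked (u1, u2, u3), 1 reported (u4)
    ("2023-Q1", "u1", "sent"), ("2023-Q1", "u1", "clicked"),
    ("2023-Q1", "u2", "sent"), ("2023-Q1", "u2", "clicked"),
    ("2023-Q1", "u3", "sent"), ("2023-Q1", "u3", "clicked"),
    ("2023-Q1", "u3", "clicked"),            # second click, counted once
    ("2023-Q1", "u4", "sent"), ("2023-Q1", "u4", "reported"),
    ("2023-Q1", "u5", "sent"),
    # Q2: 5 sent, 2 clicked (u1, u2), 2 reported (u2 clicked then reported, u3)
    ("2023-Q2", "u1", "sent"), ("2023-Q2", "u1", "clicked"),
    ("2023-Q2", "u2", "sent"), ("2023-Q2", "u2", "clicked"),
    ("2023-Q2", "u2", "reported"),
    ("2023-Q2", "u3", "sent"), ("2023-Q2", "u3", "reported"),
    ("2023-Q2", "u4", "sent"),
    ("2023-Q2", "u5", "sent"),
    # Q3: 5 sent, 1 clicked (u1), 3 reported (u2, u3, u4)
    ("2023-Q3", "u1", "sent"), ("2023-Q3", "u1", "clicked"),
    ("2023-Q3", "u2", "sent"), ("2023-Q3", "u2", "reported"),
    ("2023-Q3", "u3", "sent"), ("2023-Q3", "u3", "reported"),
    ("2023-Q3", "u4", "sent"), ("2023-Q3", "u4", "reported"),
    ("2023-Q3", "u5", "sent"),
]


def campaign_metrics(events):
    """Return {campaign: {sent, clicked, reported, click_rate, report_rate}}.

    Distinct users are counted per event type, so a user who clicks twice,
    or clicks and then reports, contributes once to each category. Clicks
    or reports from users with no "sent" record are ignored as noise.
    """
    users = defaultdict(lambda: defaultdict(set))
    for campaign, user, event in events:
        users[campaign][event].add(user)

    metrics = {}
    for campaign, by_event in sorted(users.items()):
        sent_users = by_event["sent"]
        sent = len(sent_users)
        clicked = len(by_event["clicked"] & sent_users)
        reported = len(by_event["reported"] & sent_users)
        metrics[campaign] = {
            "sent": sent,
            "clicked": clicked,
            "reported": reported,
            # A campaign with no deliveries has no meaningful rate; report 0.0
            # rather than dividing by zero.
            "click_rate": clicked / sent if sent else 0.0,
            "report_rate": reported / sent if sent else 0.0,
        }
    return metrics


def program_is_improving(metrics):
    """True when the click rate fell AND the report rate rose between the
    first and the last campaign (the two indicators the article names)."""
    ordered = [metrics[c] for c in sorted(metrics)]
    if len(ordered) < 2:
        return False
    first, last = ordered[0], ordered[-1]
    return (last["click_rate"] < first["click_rate"]
            and last["report_rate"] > first["report_rate"])


def repeat_clickers(events):
    """Users who clicked in more than one campaign: candidates for the
    follow-up session the article recommends for those who fall short."""
    campaigns_clicked = defaultdict(set)
    for campaign, user, event in events:
        if event == "clicked":
            campaigns_clicked[user].add(campaign)
    return sorted(u for u, cs in campaigns_clicked.items() if len(cs) > 1)


if __name__ == "__main__":
    m = campaign_metrics(EVENTS)
    for campaign, row in m.items():
        print(f"{campaign}: sent={row['sent']} clicked={row['clicked']} "
              f"reported={row['reported']} click_rate={row['click_rate']:.0%} "
              f"report_rate={row['report_rate']:.0%}")
    print("improving:", program_is_improving(m))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

Compare campaigns of similar difficulty only; a harder lure in Q3 would raise the click rate without meaning the program got worse, so record the lure template alongside each campaign when you keep this over time.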
TOPICS TO COVER IN AWARENESS
Some of the topics to be covered as part of the awareness program are listed below:
•Phishing Attacks
•Social Engineering
•Internet Hygiene
•Use of Social Media
•Privacy vs Security
•Use of Mobile Devices (Personal vs Company)
•Insider Threat
•Incident Reporting
•Information Sharing Practice
•Country Laws and Regulation
•Use of Company’s Assets
A security awareness program is, without a doubt, a good way to shift organizational culture from "security is their responsibility" to "security is my responsibility". An effective program helps minimize risk and enables people to make more informed decisions, making the workplace safer and more secure.
Zahid Syed
IT Architect / Security Officer
Abu Dhabi ports
Amazing read. Very informative and providing practical points to implement.