SECURITY AWARENESS PROGRAM EFFECTIVENESS & BEST PRACTICES

We are entering an era in which information security is becoming as essential as the electricity in our homes. Most of us already have a digital presence, whether through social media or a simple email address. We are turning our homes into smart homes, more and more devices are connected to the internet, and the majority of us own at least one connected device besides our phones. The more connected we are, the more exposed we are to the internet at large, and the easier a target we become. This digital and IoT era has brought its own challenges: cyber-attacks evolve alongside the technologies they target. Adversaries are shifting their focus from organizations' systems to organizations' employees, from breaking into networks to stealing identities, and from crashing operating systems to encrypting important data for ransom. An unaware employee is one of the easiest ways into an enterprise network, and it is commonly said that the unaware employee is an organization's greatest weakness.

Adopting an information security awareness program is one of the key principles of information security. How seriously a company takes security awareness can be read from its annual budget. A significant amount of money, time, and effort should be invested in building a culture of security in modern, digitally dependent organizations. Rather than a one-time event, awareness should be an ongoing practice that equips employees with the knowledge they need to counter ever-evolving attacks.

WHY DO THESE PROGRAMS FAIL?

  1. Security is not a board-level concern.
  2. Awareness is limited to periodic reminders by email.
  3. Training content used in the awareness workshops is overloaded with technical detail, which most non-technical personnel perceive as dry and difficult.
  4. The content simply restates the company's policies and procedures, which usually causes people to tune out.
  5. A single workshop in an employee's entire tenure tries to cover most of the security topics, delivered as one-way communication.
  6. No penalties are defined for violators.

BEST PRACTICES TO IMPROVE THE EFFICACY OF THE TRAINING & AWARENESS PROGRAM  

Break learning into smaller chunks of information  

Instead of a one-hour presentation that reads out 50 slides and overwhelms the audience with information, the program should consist of frequent, short workshops, each covering a small, easily learnable chunk of material. Frequent repetition of small units is far more effective than a single information dump.

Customized topics based on the role of the audiences 

It is not one-size-fits-all. The training program should be tailored to each type of audience, taking into consideration how much they interact with technology, from executives and managers to technical staff and front-line workers. For example, heavy use of technical jargon with executives or front-line workers may tune them out within the first five minutes of the session.

Pre-Testing the Audience 

Pre-testing lets the audience self-select the level of information they still need, while sparing them the redundancy and boredom of topics they have already mastered.

Topics should be sequenced based on their priorities 

The most significant risk and the greatest information security challenge the organization currently faces should be discussed at the beginning of the session, with the remaining topics following in order of priority.

Relate the material to real-world examples close to the audience's interests

Training should contain scenarios that the audience can relate to and may have encountered at work or at home. This makes the lessons real, rather than a list of rules and policies with a long list of do's and don'ts.

Use means other than workshops and presentations to deliver the message:

Gamification: Develop simple games covering information security topics, with giveaways for the winners. An appreciation email can also motivate employees to participate willingly in the next event.

Constant Reminders: Pop-up banners on screen, desktop wallpapers, screen savers. The more often the message is in front of people, the deeper the impression it leaves.

Messages outside the workspace: One-line infographic posters in public areas such as restaurants, lifts, restrooms, lobbies, and inside and outside meeting rooms.

Some slogans that have grabbed attention:

• Your password is like your toothbrush, don't share it.

• Stop. Think. Connect.

• If you connect it, protect it.

• If in doubt, don't give it out.

• Think before you click.

Staff Assessment: Assessing employee knowledge is a direct way to measure the effectiveness of the program. Arrange a short quiz with questions drawn from the topics covered in the program. Analyze the results and invite those who score poorly to another security session.

Analyze the following indicators to measure the effectiveness of the security awareness program:

• Reduction in the number of policy violations.

• Increase in incident reporting from employees.

• Increase in the number of staff passing the security assessment.

• Increase in attendance at the workshops.

• Reduction in the incidents raised by security monitoring tools.

• Failure of the majority of phishing attacks, for example measured as a falling click rate and a rising report rate across simulated phishing campaigns.
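The last two indicators in the list above are the ones most programs can actually measure campaign by campaign. The following is an added example, not code from the original article or from Abu Dhabi Ports, showing how to turn raw phishing-simulation results into the metrics discussed here: click rate and report rate per campaign, the trend between the first and most recent campaign, and the list of repeat clickers who should be invited back to a refresher session. The campaign names, user names and outcomes are constructed sample data, and the improvement rule (click rate down and report rate up) is an assumption chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Delivery:
    """One simulated phishing email delivered to one recipient."""
    campaign: str   # campaign identifier; sorts chronologically by construction
    user: str
    clicked: bool   # followed the lure link
    reported: bool  # reported the email to the security team


# Constructed sample data (hypothetical users and campaigns, not real results).
SAMPLE = [
    Delivery("2023-Q1", "alice", True,  False),
    Delivery("2023-Q1", "bob",   True,  False),
    Delivery("2023-Q1", "carol", False, True),
    Delivery("2023-Q1", "dave",  True,  False),
    Delivery("2023-Q1", "erin",  False, False),
    Delivery("2023-Q2", "alice", True,  False),
    Delivery("2023-Q2", "bob",   False, True),
    Delivery("2023-Q2", "carol", False, True),
    Delivery("2023-Q2", "dave",  False, False),
    Delivery("2023-Q2", "erin",  False, True),
    Delivery("2023-Q3", "alice", True,  False),
    Delivery("2023-Q3", "bob",   False, True),
    Delivery("2023-Q3", "carol", False, True),
    Delivery("2023-Q3", "dave",  False, True),
    Delivery("2023-Q3", "erin",  False, True),
]


def campaign_metrics(deliveries):
    """Per-campaign click rate and report rate as fractions of emails delivered."""
    sent = Counter(d.campaign for d in deliveries)
    clicked = Counter(d.campaign for d in deliveries if d.clicked)
    reported = Counter(d.campaign for d in deliveries if d.reported)
    return {
        c: {
            "sent": sent[c],
            "click_rate": clicked[c] / sent[c],
            "report_rate": reported[c] / sent[c],
        }
        for c in sorted(sent)
    }


def repeat_clickers(deliveries, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for a refresher session."""
    clicks = Counter(d.user for d in deliveries if d.clicked)
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


def trend(metrics, key):
    """Change in a metric from the earliest to the latest campaign.

    Negative is good for click_rate, positive is good for report_rate.
    """
    ordered = [metrics[c][key] for c in sorted(metrics)]
    return ordered[-1] - ordered[0]


def program_is_improving(deliveries):
    """Assumed success rule: click rate falling AND report rate rising over time."""
    m = campaign_metrics(deliveries)
    return trend(m, "click_rate") < 0 and trend(m, "report_rate") > 0


if __name__ == "__main__":
    metrics = campaign_metrics(SAMPLE)
    for name, v in metrics.items():
        print(f"{name}: sent={v['sent']} click={v['click_rate']:.0%} report={v['report_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE))
    print("improving:", program_is_improving(SAMPLE))
```

Two caveats when using numbers like these. Click rate on its own is easy to game (a harder lure in one quarter and an easier one in the next will show "improvement" that has nothing to do with training), so the report rate is usually the more meaningful signal of a changed culture. And the repeat-clicker list is for targeted re-training, in line with the staff assessment approach above, not for public naming, which tends to drive reporting down rather than up.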

TOPICS TO COVER IN AWARENESS  

Some of the topics that should be covered as part of the awareness program are listed below:

• Phishing Attacks

• Social Engineering

• Internet Hygiene

• Use of Social Media

• Privacy vs Security

• Use of Mobile Devices (Personal vs Company)

• Insider Threat

• Incident Reporting

• Information Sharing Practices

• Country Laws and Regulations

• Use of Company Assets

A security awareness program is, without doubt, a good way to change an organization's culture from "security is their responsibility" to "security is my responsibility". An effective program helps minimize risk and enables people to make better-informed decisions, making the workplace safer and more secure.

Zahid Syed 

IT Architect / Security Officer 

Abu Dhabi ports 
