Creating Compelling Security Training and Awareness Programs

Published on Jan 21, 2019

People in IT know the importance of security training. If employees don’t know how to avoid crucial mistakes, the result could be an expensive breach. Knowing that training is important, though, isn’t enough. Too many programs do little or nothing to improve people’s security habits. Successful security training requires a clear purpose and effective techniques.

Know Your Goals

It’s common to talk about “security awareness and training,” but that conflates two different goals. Awareness is just the first step. It means knowing that there are problems to deal with, but not necessarily having the ability to deal with them. Employees need to know that spam, password theft, and malware pose serious risks. Awareness motivates training and keeps its results from going stale. But it isn’t a substitute for acquiring the necessary skills and habits.

NIST 800-16 describes awareness and training as a continuum. Training aims at “relevant and needed security skills and competencies.” In a short session, instilling some awareness may be the best you can hope for. If the aim is a serious reduction in incidents stemming from user error, you need to train people in real security skills.

Making the aim as specific as possible lets you determine what kind of training is needed. It might include one or more of these goals:

  • Protection of user accounts against hijacking.
  • Prevention of malware downloads resulting from a phishing email.
  • Compliance with regulations, contracts, and policies.
  • Protection of confidential personal information and business trade secrets.
  • Avoiding information leaks through insecure communication and data transfers.

When you have a list of goals, you can decide what changes in employee behavior will achieve them. That defines what the training needs to cover.

Know Your Audience

You know how important the technical details are. You’d love it if the employees understood them. But for the most part, they don’t care, and it would take too long to get them to understand. A “salted hash” is what they hope the cafeteria isn’t serving.

The narrative is what gets them interested. Start with stories that are exciting and frightening. Red Riding Hood would have been safer if she hadn’t told the wolf where she was going. The people in accounting will be safer if they don’t give information to spammers. That’s just awareness, perhaps, but it’s the awareness that will pull them in to learn more. They’ll want to know how to spot the big nose, big eyes, and especially the big teeth in time.

The story can start with a common mistake, such as logging in on a look-alike site. It doesn’t need a full explanation of how domain spoofing works, just a plausible example. From there it can go on to show how the bad guys gain a foothold in the network. The aim here should be to show a succession of consequences, not a detailed explanation. Think of the military’s “Loose Lips Sink Ships” training videos.

It doesn’t hurt if the villains are cartoonish and melodramatic. However, the person making the mistake shouldn’t look blatantly stupid. Doing that will just make people think, “Oh, I’d never do that.” The message should be that even smart people will make mistakes if they aren’t careful.

Recruit Your Champions

Making a security training program work requires getting key people on your side. If employees are just yanked away from their desks for training and then go back to doing what they did before, it won’t have much of a long-term effect. Long-term improvements come from a change in the business’s culture.

Usually, the HR department is responsible for training programs, so working closely with them is valuable. Can they offer incentives for good work, and are there consequences for allowing data leaks? An ongoing awareness program will help to make the training stick.

The marketing department has the know-how to create an internal security campaign. Posters help people to keep security in mind. Having a “security awareness week” for the whole company doesn’t hurt. It has to be engaging and perhaps a little scary, but it must never be boring.

In the course of the training, you’ll find that some people really get it. Work with them so they can become security champions in their departments. They’re the key to building a security-oriented culture.

Carrots or Sticks?

The threat of punishment isn’t a very effective training method. It teaches people to cover up their mistakes and not get caught. They should be encouraged to report any slip-ups they think they’ve made so that IT can quickly check for problems.

Shaming is just as bad as punishment. It promotes resentment, not better security habits. This doesn’t mean people shouldn’t be taken off tasks when they show a lack of responsibility, but that’s a matter of the company protecting itself, not a way to teach better work habits. Short of serious matters, it’s more useful to point out issues quietly and encourage people to avoid future mistakes.

Even better is rewarding accomplishments. Gamification is a good way to motivate people. As a simple example, a password meter gives people a sense of gratification when they create a new password and see it go from “Weak” to “Super Strength” as they type.

Sample phishing emails help to test people’s habits. They should vary in what they test, with traps such as enabling macros on an unknown file, logging in to a spoofed site, or requesting confidential information by email. Those who get tricked need to get a reminder. Equally important, the ones who report the “scam” should get visible recognition. Departments can have contests for who has the lowest percentage falling for the trick. (Sorry, IT doesn’t get to play.)

Having the Best Training

However good your current security training methods are, there’s always room to make them better. AgileSecurity covers onboarding, reporting, training, and vulnerability testing. We offer education and workshops, or we can help you set up the most effective security training program if you prefer to run your own. To learn how we can help you secure your business, schedule a call with a cloud advisor.
