Why are you conducting security awareness training? Are you doing it only to meet compliance obligations? Or do you expect the training to educate employees and help protect your organization from cyberattacks?
To develop awareness training that works, you need to be clear about the goal of your training program. Without clear goals, you may end up with a program that is either too short or too boring, or with content that leaves out what is necessary and keeps what is irrelevant.
This is especially true for information security training. Even the most interactive programs fail if they don't foster good security practices.
Consider the following two security incidents from 2019.
- Attackers compromised the ASUS Live Update tool and used it to push a backdoored update, signed with ASUS's own code-signing certificates, to thousands of ASUS computers. Because the update came through the vendor's normal channel and carried a valid signature, users who installed it had no way to tell it from a genuine one.
What about your organization? Who is allowed to run software updates on company computers, and are updates vetted before they are rolled out? If users are not supposed to install updates themselves, are they all aware of that policy?
- Attackers harvested the contact information of more than 110 million people through mobile apps. The app developers had unknowingly built a malicious software development kit (SDK) into their apps.
What checks do your organization's app developers carry out before adopting a third-party SDK? Are all developers aware of your policies and procedures for third-party code? Do they know where to find the documents that set out your secure coding practices?
Why is the goal of your security awareness training so important?
People are always a source of security risk, and good employee training is one of the main ways to reduce it. The first step in designing good training is to define the goals you want the program to achieve.
Ask yourself: what is the purpose of this exercise? How will the training help achieve the objectives of information security?
What is the goal of information security awareness?
Security awareness training is designed around the three classic objectives of information security:
- Confidentiality,
- Integrity, and
- Availability.
Almost any attack on your organization aims at one of these three: it exposes confidential information, alters it, or makes it inaccessible.
Every information security training program is designed to uphold these objectives. Confidentiality means protecting information from access by unauthorized persons; integrity means ensuring that information is not altered without authorization; and availability means keeping information accessible to those who need it.
Design your training with two goals in mind. First, help employees grasp why these objectives matter; second, train them to help uphold the objectives: to recognize security risks and report them, to understand how a criminal can compromise their computer, and to know how to respond when an attack happens.
Mitigate Internal Threats
Information security isn't only about stopping criminals from hacking into computers. Employees themselves can become a security risk. Unintentional disclosure of information by employees is very common: disposing of paper records without shredding them, sending faxes to the wrong number, and accessing office networks over public Wi-Fi are some of the unsafe practices that lead to such disclosures.
Natural disasters such as hurricanes and flooding can compromise the integrity and availability of information, and even a power failure that crashes a computer is a security incident. Your training needs to cover these scenarios too.
But these risks are not the same for all employees. The risks facing someone at the front desk differ from those facing an app developer.
It’s here that the process of setting up training goals should begin.
How to set up training goals
As a first step, ask your compliance officer for your company's information-system risk analysis, and consult your organization's security management plan. These two documents show you the major information technology (IT) risks you need to address in training, and how the organization intends to address them. Pick out the risks that involve employee actions, work out how secure behaviour would remove or reduce each one, and identify the gap between that secure behaviour and what employees actually do.
Most threat actors rely on that gap to get into corporate networks. Social engineering attacks such as phishing and spear phishing exploit it to trick employees into revealing their login details. Criminals will go as far as breaking into an employee's car to steal a laptop if they know the person is not in the habit of encrypting or password-protecting sensitive files.
Attackers can disguise malware as a routine request from the company CEO, and the devastation that ransomware causes often begins with an employee clicking an unsolicited link.
You need a grasp of all such scenarios and the risks they involve before you can set the goal of your security awareness training.
Complying with regulations
Lastly, look at the rules and regulations your company must follow. Healthcare businesses have to follow the HIPAA Privacy, Security and Breach Notification Rules, and any organization that stores, processes or transmits payment card data has to comply with PCI DSS. These frameworks govern how your company uses customer information and set the safeguards you must put in place to protect it. Your training is part of that compliance effort; both the HIPAA Security Rule and PCI DSS explicitly require security awareness training.
Selecting training courses
Once you have decided on the goal of your training, you can move on to the design. You may need to spread the program across several sessions and cover a range of security topics. Here are some of the topics you may have to include:
- Using the Internet safely
- Password protection
- Social engineering attacks
- How to protect against malware
- Using mobile devices at work
- Safe use of email
- Phishing training
- Social media at work
- Working outside the office
- Access control and physical security
The topics you select should depend on the goal of your training. Training for healthcare workers may need to concentrate on connected medical and IoT devices, while for finance and billing staff you may want to emphasize password protection and phishing.
Setting up training goals for teams
You may also need to set individual goals for different teams. Software engineers may need a different program than front-office staff, and your goal for access control training for the IT team will not be the same as the one for the janitorial staff. Similarly, while every employee needs to recognize phishing, since that is how ransomware usually arrives, only the IT security team needs to know how a ransomware infection is contained and recovered from.
You need to be clear about the goal of your security awareness training. Without a proper goal, even the most interactive programs can fail.
Consult your compliance officer
Before you start designing, go through your organization's risk assessment and security management plan. Understand the risks that threaten the confidentiality, integrity, and availability of information, and review the company's IT policies and procedures.
Consult your compliance officer and find out which rules and regulations you need to cover. Collect these inputs before you write your goals, and only once the goals are written should you proceed to the design.
How did you decide upon the goal of your security awareness training? What security topics do you cover? Do share your views about information security training in the comments below.