by Perry Lynch
3:20 min read | Audio
Security Awareness Training is one of the most cost-effective ways to improve your organization’s overall security posture. Most breaches are at least partly due to human error, and while nothing can be done to completely eliminate errors, a good training program will reduce greatly the potential for security-related mistakes. CIS Control #17 covers the basics of a reliable program and what a good one should do.
The starting point is a skills gap analysis. What skills does each person need to stay clear of dangers, and where do they fall short? Everyone needs to understand the basic points such as setting strong passwords and being wary of spam. People with access to sensitive systems need to be and stay aware of subtler points--such as personally targeted phishing and inappropriate information sharing.
Security programs need to identify and focus on the areas of greatest risk. This applies as much to training as to network configuration or software updates. In this case, focused training is crucial to strengthen areas where technical solutions alone are not enough.
Anyone with access to a network can make a mistake and create problems. So along with training, additional technical measures need to be implemented. The organization should follow the recommendations of Control #14 and only grant users limited access to those rights required to perform their jobs. Those with higher levels of access need to be especially alert.
Any training program needs to produce measurable results; otherwise there's no way to measure a program’s effectiveness. There should be a focus on specific goals and closing the skills gap. Training should target the most serious risks associated with each individual's role. One example--people with root access should learn how to protect those credentials and to minimize their use of root accounts.
Security awareness is the understanding of methods which would-be intruders use to deceive people. These techniques keep changing, so users need periodic updates. All employees should study security awareness materials, and management needs to confirm this is accomplished. Senior management has to be included in the training. They continue to be the favored targets of personalized deceptions because they are more likely to have access to sensitive information as well as financial accounts.
Regulatory changes, such as GDPR, may require a new set of priorities. Changes in the information an organization handles may shift the greatest areas of risk. Any awareness training program needs to be able to adapt to properly communicate the risks involved.
Mentoring by more experienced users is often an effective approach. They know better than anyone else where the risks are, and hopefully they have good rapport with the people they're training.
Social engineering exercises should be conducted periodically to assess the current level of users’ awareness, reinforce recent training activities, and to make sure people don't fall back into carelessness.
The most important consideration of security awareness training isn't that people give the right answers on a quiz--the goal is to help them instill habits that prevent errors and do the right things in practice consistently.
An ongoing program
The most effective awareness programs include routinely-communicated messages from the security team. A regular cycle of policy reminders, educational messages, risk warnings, and messages about current security news will easily keep your staff more involved and alert to potential threats.
You can ensure that users are paying attention by including occasional security advice that can assist them personally, and by occasionally naming the front-line heroes--those who have first recognized a security threat and promptly reported it to the help desk and/or security team.
With ongoing security education, people will learn to avoid the mistakes that can lead to disaster. People will always make some mistakes, but ingrained security habits will prevent the most common and most serious ones.