Security awareness training is part of life in the connected world of the 21st century. Integrating security awareness training with your company’s policies and culture is the only way to make sure it works well for your needs.
What is security awareness training?
Security awareness training is nothing more than teaching staffers what to look for and what to do to avoid being hacked or “phished”, such as clicking a link that will steal data or get their password.
The ROI of security awareness training is huge, since the average cost of a large-scale breach is $3.86 million, according to IBM’s latest Cost of a Data Breach Study.
What is “agile” security awareness training?
Your security awareness training should be able to adapt not only to your company’s needs but also to the changes in security threats. Every day, hackers are looking for new ways to get into your system. Your policies need to adapt to that and be ready for everything.
In 2001, a group of software developers got together in Utah and decided that they needed to create a set of principles that would govern how software was being developed. They saw that software was big and clunky. It was being designed in a way that made it difficult to update and improve. And it was being created in a way that made cool-looking software that was actually a nightmare for users. They issued the Manifesto for Agile Software Development. (http://agilemanifesto.org/)
“We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:
- Individuals and interactions over processes and tools
- Working software over comprehensive documentation
- Customer collaboration over contract negotiation
- Responding to change over following a plan
That is, while there is value in the items on the right, we value the items on the left more.”
Making your security awareness training agile
Taking the principles of the Manifesto, we can see a clear path to creating an agile security awareness training program.
Individuals and interactions over processes and tools
Security awareness training is all about individuals and interactions. It’s a person’s interaction with an email or website that causes 90% of security breaches. Think of this training as an individual experience: you can frame the information so that it protects your staff not just at work, but at home, too.
Working software over comprehensive documentation
This is a warning against spending a lot of time on reports and data instead of spending it on actually doing. With security awareness training, this refers to how you handle an incident. Spend almost no time blaming the person who created the breach and spend more time using it as a teaching moment.
Customer collaboration over contract negotiation
This training is not about sitting in a room and talking at people. It’s a training that requires interaction and buy-in from the participants. While the contract negotiation concept might seem out of place, it is a contract. The contract is that you and your staff will protect the customers’ and the company’s assets.
Responding to change over following a plan
Cybersecurity is changing. This is not a static situation. Bad guys are always looking for new ways to get to your and your clients’ information. It needs to be clear to your staff that this is an ongoing situation. Your team should be prepared to learn constantly and adapt.
Making Cybersecurity Awareness Part of your Policies
Company policies must be an honest reflection of how people use electronic devices and how cybersecurity is changing.
If you’re looking for a tone to follow, look at Dell’s Global Social Media Policy.
Here’s an example:
“Make sure you're engaging in social media conversations the right way. If you aren't an authority on a subject, send someone to the expert rather than responding yourself. Don't speak on behalf of Dell if you aren't giving an official Dell response and be sure your audience knows the difference.”
Dell recognizes that its staff will use social media, so they provide guidelines that are as simple as “Be Nice, Have Fun, and Connect.”
Start your security awareness training with a simple idea: people will use your network in ways that “they shouldn’t.” This means they will check their personal email whether or not you try to outlaw it. They will look at social media whether or not you tell them they can.
The most effective way to start your plan is with a statement similar to this:
“Hackers and thieves will try to steal our information. You will want to use your smartphone, look at your email, and check Facebook. While we want you to keep it to a minimum (after all, you’re not being paid to chat on Twitter), it’s even more important that you do it safely.”
Then you can talk about what to click and not to click. Require that every phone connected to your wifi network has antivirus protection (preferably paid for by the company so you can guarantee that it’s up to date).
You will also want to have a conversation with your staff about the fact that their personal email and internet searches can infect the network, even from their phone or laptop. Although rare, there will come a time when viruses and malware get through Apple Watches and other connected devices.
Another important thing to discuss with staff is how to respond to ransomware. Establish a procedure for handling ransomware and make sure that everyone in the company knows what to do, even those who aren’t often near computers.
Every company has to have policies and procedures in place, but those policies need to be flexible and honest about how people use the internet and their personal devices.
Agile security awareness is at the heart of survival in the 21st century.
The threats will change, the technology will change, and the weakest link in your security wall is people. Make your policies flexible enough so that they can adapt as well. Provide simple and effective security awareness training to make them your strongest line of defence.