I am a shameless promoter of information security awareness and training (A&T).
If I could get people to take three or four minutes of training on information security every week, I would do it.
I want everyone to be able to detect phishing emails and fake text messages quickly and easily.
I hear some of you groan in frustration and say, “Why bother? It doesn’t work!”
I strongly disagree.
I don’t agree that end users are the “problem,” that they can’t learn how to protect themselves and their data.
I see end users as normal human beings who want to do the right thing, to do their jobs and not make mistakes. In the same vein, the bad guys out there are working very hard at their job to trick our users, our friends, and our family.
The bad guys spend hours and hours learning what people will click on in an e-mail, identifying the exact words that trigger the urge to help out and click the link in that malicious e-mail. Or call that fake 800 number to fix a problem. Or quickly answer a request from the president or CFO or CIO.
Without a doubt, the potential consequences of that click, call, or answer are exactly why information and security awareness belongs on your list of infosec priorities.
Read more: Essential security practices to protect your business
Absolutely everyone in your company or organization needs regular A&T. From the CEO and CFO, the CIO to the admin at the front desk, everyone, all the way down the line. A&T that starts at the top is the most effective. If the CEO believes that A&T is valuable and worth doing, then the program will be significantly more effective.
First, it’s both awareness and training. If you make your users aware of the risks, the threats that are out there, and why they need to be on guard or on alert, then the training will be more effective. At the same time, you don’t want to go down the FUD route (fear, uncertainty, and doubt). Be honest with your users and let them know that they are targets.
There are criminal organizations that do nothing but gain access to companies and organizations. These organizations are called access brokers. They are the groups that send out a blizzard of e-mails aimed at stealing credentials. These access brokers then sell that access to the ransomware groups who do the damage and encrypt or steal the data and demand the ransom. The threats to you and your company or organization are real, and they are persistent, and they evolve.
Second, be aware that people retain information and learn new skills differently, so your training will need to be adaptive. Some people like written instructions with short quizzes at the end to test what they learned. Some people like roleplay training or training wrapped in a short video (either animated or live action). Some like classroom-based training where they sit down—with others—and hear someone talk about a security topic (think brown bag sessions). They want to be with others in order to learn the material. The good thing is you have options for providing training for your users.
All year long, not just once a year. People need regular awareness and training just like computers need monthly patching.
Training—like patching—should happen monthly, or even weekly, to get the best bang for your buck. We live in a complex world with active threats that continue to evolve. Your training has to be frequent and needs to evolve as the threats evolve.
Those of us in information security preach the gospel of monthly vulnerability scanning and monthly patching. But often, we don’t preach quite so much about monthly awareness and training.
A&T helps, and I know that firsthand, as a preacher of the Gospel of Training, chapter 1, verse 1: “Train your users regularly.”
As for where to do the training, do it wherever people will take it. . You might do monthly lunch–and-learns, either face to face or online or computer-based training that is designed for mobile devices or PCs. We are far enough into this decade that you can find companies that offer computer-based training or other kinds of training that will fit your budget and needs.
Besides potentially decreasing the number of incidents that your company or organization experiences in a given year, a good information security awareness and training program can:
What’s more, what you spend on a good A&T program can be offset when you factor in the benefit of recovering from fewer incidents and lower cyber insurance premiums. It is money well spent. What do you do for ISAT? Please feel free to e-mail me with comments or questions.
Read more from John Bruggeman:
Why test patches before deploying to production?
Cloud security controls that help mitigate risk
Cyber Insurance, part 1: What is Cyber Insurance and do I need it?
Cyber Insurance, part 2: Getting ready for the insurance company questionnaire
Cyber Insurance, part 3: Filling out the questionnaire
Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?