Security Awareness Training Best Practices
Security awareness training is overlooked in many organizations. According to a survey by Enterprise Management Associates, only 56 percent of employees receive awareness training.
Security awareness should be addressed year-round to make sure it remains top of mind for employees. Most security mistakes are made out of ignorance to the dangers of certain actions. In fact, 90 percent of all malware requires human interaction before it can infect its target.Who is in charge of security? Everyone.
Security awareness is typically a formal process of educating employees about corporate policies and procedures for working with information technology. However, security leaders can also employ less formal channels to remind employees of best practices. For example, Dennis Devlin, former CISO of Brandeis University in Massachusetts, includes security messages in his email signature. Not everyone has time at work to review materials, so new ways to get security awareness in front of employees are pivotal. Something as silly as putting signs up on the walls in the bathroom might actually be a good reminder, because employees are more than likely to see them.
After reminding employees of security awareness best practices, it is up to them to execute good habits. I will personally admit that I was guilty of letting the coffee guy in the side door at a previous job because he delivered every week, and I was convinced that the office would have fallen apart without coffee. However, after attending a security awareness training meeting, I realized this bad habit could lead to other bad habits and possibly allow a security breach. The proper procedure is to have a ‘Visitor Sign-In/Sign-Out’ process. Practices like this will keep employees on their toes and think twice about what to do in other situations.
According the PCI Security Standards Council, “Management leadership and support for the security awareness program is crucial to its successful adoption by staff.” Managers are encouraged to:
- Actively encourage personnel to participate and uphold the security awareness principles
- Model the appropriate security awareness approach to reinforce the learning obtained from the program
- Include security awareness metrics into management and staff performance reviews
There are many more habits that can lead to either success or failure of security awareness programs, but some as simple as these are a good starting point. The big takeaway is that habits drive security culture and there are no technologies that will ever make up for poor security culture. Much of security should be common sense, but you can’t have common sense without providing common knowledge.