Security Awareness and Training 101
Laura Taylor, 10/11/2004

Security awareness and training are perhaps the most overlooked parts of your security management program. Why is security awareness and training so important, and what constitutes a security awareness and training program?

Your Best Security Stewards Are Your Employees

Security awareness and training should be an integral part of your corporate security program. Though many businesses overlook the opportunity to tell their employees how to assist with protecting the corporate infrastructure, security awareness and training is really the first line of defense your company has to protect its valuable corporate assets. Your employees are the stewards of your critical data and information assets, and with the proper training corporations can enlist the assistance of their employees to mitigate risks.

While most employees are likely conscientious, and do their best to perform their duties as expected, your typical information technology employee is a busy person. There are often far more tasks to get through than there is time in a typical day. If the executive management team doesn't make it a priority to emphasize security awareness and training, it's likely employees won't pay it much attention. However, if your organization institutes even a simple program on a consistent (say, quarterly) basis, the heightened security awareness may save your valuable assets from an expensive and high-impact disaster.

If you are a U.S. federal agency, instituting a security awareness and training program is required by the Federal Information Security Management Act (FISMA) of 2002. While many U.S. federal agencies continue to receive denigrating press about the state of their information security abilities, when it comes to security awareness and training, most U.S. federal agencies are ahead of their U.S. corporate counterparts.
Phases of Your Security Awareness & Training Program

The National Institute of Standards and Technology (NIST) has defined four critical steps that a security awareness and training program should include:
Goals and Focus of Security Awareness and Training

The goal of your security awareness and training program should be to protect the confidentiality, integrity, and availability of your IT assets and data. When businesses design their security awareness and training program, they need to tell their employees how they expect them to behave with regard to security. There are likely endless mechanisms that can be put into place to safeguard information, and your security awareness and training program should take into consideration that there are, and should be, practical limitations as to which safeguards you implement and how much of your employees' time you take up educating them about security processes. Therefore, your security awareness and training program needs to be astutely focused. The goal is to get the biggest return on security for the time you take up instructing your employees on their security roles and responsibilities. In order to obtain this big return on security, you should plan your program to focus on the big-ticket items — the areas that could potentially mitigate the highest-impact, and the most likely, risks.

Delivering the Security Message

Your security awareness and training program can be delivered through hardcopy memos, posters, classes, or online initiatives. Most organizations today are choosing to deliver their security awareness and training program over their Web-based intranet. Some businesses put short courses online and instruct their employees to log in and take them. This is a great way to deploy employee security awareness and training because it creates a record and audit trail that confirms the employee at least read through their responsibilities. Some courses include short quizzes that test basic security knowledge in order to find out whether the employees understand the training.

The Awareness and Training Message

There are key items you'll want to include in your security awareness and training program.
Advise your employees of the 10 most important security policies and tell them where they can find an online copy of the complete set of security policies.

Be sure to bring awareness to social engineering and explain to your employees not to give their passwords out to anyone who calls them on the phone, since the caller could be a hacker posing as a peer, the corporate help desk, or someone else with some apparent legitimacy.

Be sure to tell your employees how to update their anti-virus software, and how often you expect them to do this. Keeping desktops up to date with the latest anti-virus signatures is one of the best ways to protect your corporate infrastructure. Employees should also be educated about the dangers of opening attachments. While not all viruses are distributed as e-mail attachments, a great many are, and attachments are a particularly noteworthy virus distribution mechanism that you'll want to bring to their attention.

Employees need to understand what constitutes a safe password and a poor password. Some less technical employees may not realize how easy it is for hackers to perform dictionary attacks on passwords unless you tell them. Good passwords are always mixed characters and numbers and are not made up of real words. If you routinely scan your directory servers for poor passwords, you may want to advise your employees that passwords are routinely scanned for non-compliance.

In the event that an employee suspects a virus or an Internet-based attack, do they know who to report this to? Who do you want them to call? You need to tell them, and you also need to ensure that the person they call will understand how to properly handle the call.

Expectations for laptop security should also be conveyed in a security awareness and training program. Do you allow employees to use their laptop for personal use? Is it a requirement that they not leave their laptop unattended while on business travel?
Specifics for laptops should be clearly conveyed; otherwise your employees will design their own rules for laptop security.

Are employees required to have a personal firewall installed on their desktop or laptop? If this is the case, businesses need to specifically make this known to their employees. Employees need to know who is supposed to install the firewall, and how they can obtain firewall support. If they are expected to install the firewall themselves, where can they find the instructions for how to do that?

Do you want your employees to install their own security patches on their desktops and laptops? Or does your infrastructure support team do this, or has this been automated? No matter how it happens, you need to explain this to your employees. If they are expected to patch their own systems, are you going to supply known-good patches to them? Have you tested the patches? Where do they obtain the patches? If the security support team is patching their systems automatically, you need to explain this to them so that they don't go out and obtain these patches cavalierly over the Internet and try installing them on their own.

Update and Continue Your Security Awareness and Training Program

If you are a big organization, chances are you have many new employees coming on board all the time. Therefore, you need to institute your security awareness and training program on a regular basis. Security is an ongoing process. It is not a one-shot deal. The way you keep your organization and assets secure is through continual awareness. You want to keep the security momentum going, and before long, ambitious and creative employees will offer suggestions on how you can improve and update your security awareness and training program. If you implement your security awareness and training program on a regular basis and tweak it each time to make it more effective and more current, you will greatly reduce the possibility of adverse risk exposure.
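The password guidance in the awareness message above (mixed characters and numbers, no real words, resistance to dictionary attacks, and routine scans for non-compliance) can be turned into a policy check that a security team runs before a password is accepted or as part of a compliance sweep. The following Python is an added example written for this page, not code from the article or its author; the concrete rules (a minimum length of eight, an upper- and lower-case mix, the leetspeak substitutions), the tiny word list and the sample account data are all constructed assumptions standing in for a real policy and a real cracking dictionary.

```python
"""Password policy checker built on the awareness-message guidance.

Added example for this page. The rule set, word list and sample accounts are
constructed assumptions, not values from the article.
"""
import re
from typing import List, Tuple

# Constructed mini dictionary standing in for a real cracking word list.
# A production check would load a full list; its contents are an assumption.
DICTIONARY_WORDS = {
    "password", "welcome", "summer", "winter", "dragon", "monkey",
    "letmein", "football", "company", "admin",
}

# Character substitutions commonly tried in dictionary attacks (assumed set).
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 8  # assumed policy value

# Constructed sample accounts for the compliance sweep; not real data.
SAMPLE_ACCOUNTS = [
    ("alice", "Summer2004"),    # dictionary word plus a year suffix
    ("bob", "P@ssw0rd"),        # leetspeak disguise of a dictionary word
    ("carol", "kX9#vQ2m!Lr7"),  # compliant
    ("dave", "abc123"),         # too short, no upper-case letters
]


def _strip_ends(text: str) -> str:
    """Remove runs of non-letters from both ends (e.g. 'summer2004' -> 'summer')."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)


def candidate_forms(candidate: str) -> set:
    """All the shapes an attacker's word list would compare against."""
    lower = candidate.lower()
    leet = lower.translate(LEET_MAP)
    return {lower, _strip_ends(lower), leet, _strip_ends(leet)}


def dictionary_hits(candidate: str) -> List[str]:
    """Return the dictionary words the candidate is built from.

    This is the defender-side version of a dictionary attack: if this
    check finds the word, an attacker's word list would find it too.
    """
    forms = candidate_forms(candidate)
    return sorted(word for word in DICTIONARY_WORDS if word in forms)


def check_password(candidate: str) -> List[str]:
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", candidate) or not re.search(r"[A-Z]", candidate):
        problems.append("no mix of upper- and lower-case letters")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digits")
    hits = dictionary_hits(candidate)
    if hits:
        problems.append("based on dictionary word(s): " + ", ".join(hits))
    return problems


def audit_accounts(accounts: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Sweep (account, password) pairs and report only the non-compliant ones."""
    report = []
    for account, password in accounts:
        problems = check_password(password)
        if problems:
            report.append((account, problems))
    return report


if __name__ == "__main__":
    for account, problems in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{account}: " + "; ".join(problems))
```

The point of `candidate_forms` is that a word list is matched against the normalised password, not the literal one: appending a year or swapping letters for look-alike digits does not move a password out of dictionary range, which is exactly what the article asks you to explain to less technical employees.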
Whether your business is privately owned or publicly held, someone owns the assets. Your employees are being paid to take care of and manage those assets, and doing so without protecting them at the same time is irresponsible. Most employees will respect the fact that you want them to help do their part to secure the assets.

A Word to the Wise

Security awareness and training is well worth the time and money it takes to plan and implement the program. IT assets are valuable, and if damaged they could have a serious impact on your revenue and customer loyalty, and may even create liabilities for class-action lawsuits. While a security awareness and training program is no guarantee that your organization will not get attacked by cyber miscreants, it will surely decrease the impact an attack will have, and the management team will be able to rest assured knowing that they at least made an attempt to institute awareness and training of the policies, procedures, and processes.
Intranet Journal's Tutorials