Comments
Majority Of Users Have Not Received Security Awareness Training, Study Says
Bprince
User Rank: Ninja
4/17/2014 | 12:54:05 AM
Re: Security Awareness Training or lack of it
I find it hard to believe Johnrobie that security loses in a risk versus cost argument, but I suppose that given the survey's findings, it is entirely possible. Enterprises can design their own security awareness programs though so I would think that costs could be controlled. In the end, I think security awareness programs should just be another layer of layered security.

http://www.securingthehuman.org/resources/planning
Kwattman
User Rank: Black Belt
4/14/2014 | 10:23:55 AM
Security awareness best practices
To add to prior conversation, these days, you need to have an employee security education and behavior management program in place which first establishes a baseline phish-prone percentage, then a thorough training program that covers the main attack vectors, and then a constant repetition that effectively influences the behavior of the employee at their place of work, which is right in their inbox they work out of every day.

The security awareness program administrator needs to think like a PR/Marketing manager. They need to promote the program, "sell" it to the whole organization, and make it as easy as possible to deploy the program with the minimum amount of disruption and loss of time.

The easiest way to do this is to send all employees regular simulated phishing attacks using various topics like banking, current events, IT, healthcare, social networking and more. If an employee clicks on a link, they get instant feedback that they clicked on a phishing link. These clicks get tracked and reported to the program administrator. The program administrator can then work with HR to get the employee better trained and, if repeated over and over with no change, determine what kind of improvement process needs to take place in alignment with individual company policies. This makes it cooperative and not just an IT problem.
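One way to put numbers on the baseline-then-repeat approach described above, as an added example that is not code from this thread or from any of the vendors named in it: a small tracker that takes a per-campaign click log, computes the phish-prone percentage for each simulated campaign (the first campaign's figure is the baseline), tracks the reporting rate as the positive behaviour, and lists employees who clicked across repeated campaigns so the administrator has something concrete to bring to HR. The log format and the sample records are constructed for the example.

```python
"""Phish-prone percentage tracking for a simulated-phishing awareness program.

Added example; the record format below is an assumption, not any product's
export format. One record per employee per campaign:
(campaign_id, topic, employee, clicked, reported)
"""
from collections import defaultdict

# Constructed sample log: three campaigns sent to the same four employees.
SAMPLE_LOG = [
    ("c1", "banking", "alice", True, False),
    ("c1", "banking", "bob", False, True),
    ("c1", "banking", "carol", True, False),
    ("c1", "banking", "dave", False, False),
    ("c2", "IT", "alice", True, False),
    ("c2", "IT", "bob", False, True),
    ("c2", "IT", "carol", False, True),
    ("c2", "IT", "dave", True, False),
    ("c3", "healthcare", "alice", True, False),
    ("c3", "healthcare", "bob", False, True),
    ("c3", "healthcare", "carol", False, False),
    ("c3", "healthcare", "dave", False, True),
]


def _campaign_rows(log, campaign_id):
    rows = [r for r in log if r[0] == campaign_id]
    if not rows:
        raise ValueError(f"no records for campaign {campaign_id!r}")
    return rows


def phish_prone_percentage(log, campaign_id):
    """Percentage of targeted employees who clicked in one campaign.

    Run on the first campaign this is the baseline phish-prone percentage.
    """
    rows = _campaign_rows(log, campaign_id)
    clicked = sum(1 for r in rows if r[3])
    return round(100.0 * clicked / len(rows), 1)


def report_percentage(log, campaign_id):
    """Percentage of targeted employees who reported the simulated message.

    Tracked alongside clicks because reporting is the behaviour the program
    is trying to make habitual, not merely the absence of a click.
    """
    rows = _campaign_rows(log, campaign_id)
    reported = sum(1 for r in rows if r[4])
    return round(100.0 * reported / len(rows), 1)


def campaign_trend(log):
    """Ordered (campaign_id, phish-prone %) pairs, first campaign first.

    Lets the administrator see whether repetition is moving the number.
    """
    ids = []
    for r in log:
        if r[0] not in ids:
            ids.append(r[0])
    return [(cid, phish_prone_percentage(log, cid)) for cid in ids]


def repeat_clickers(log, threshold=2):
    """Employees who clicked in at least `threshold` campaigns.

    These are the cases the thread describes handing to HR for further
    training; a single click is treated as a training moment, not a pattern.
    """
    counts = defaultdict(int)
    for _, _, employee, clicked, _ in log:
        if clicked:
            counts[employee] += 1
    return sorted(e for e, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    baseline_id = campaign_trend(SAMPLE_LOG)[0][0]
    print(f"baseline phish-prone %: {phish_prone_percentage(SAMPLE_LOG, baseline_id)}")
    for cid, pct in campaign_trend(SAMPLE_LOG):
        print(f"{cid}: clicked {pct}%  reported {report_percentage(SAMPLE_LOG, cid)}%")
    print("repeat clickers:", repeat_clickers(SAMPLE_LOG))
```

The threshold for `repeat_clickers` is the knob a program administrator would align with company policy; the functions return plain values so they can be fed into whatever reporting the organization already uses rather than generating a separate "security report".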
Marilyn Cohodas
User Rank: Strategist
4/14/2014 | 9:01:29 AM
Re: Security Awareness Training or lack of it
I really like your idea about making people more aware of their organizations' InfoSec services/solutions in order to help them make better decisions. As an end-user (not an InfoSec pro) I would greatly appreciate whatever assistance the security team can give me that shrinks my "know-do" gap. 
JasonSachowski
User Rank: Author
4/14/2014 | 8:45:53 AM
Re: Security Awareness Training or lack of it
You could tie this back to individual performance ratings, but are you able to 100% guarantee that every alert/event generated was intentional and that it was not a result of other factors (ex. malware propagation)?

Could we say that the completion of scheduled awareness training, on whatever frequency, should be mandatory to remain employed? In that context, most organizations have established this requirement for employee acceptance of the business conduct policies, so the addition of security awareness training under this same requirement makes sense. While there are security topics that must be covered throughout an organization, there might be different levels to this training depending on role or job functions. Keep it simple and short by making security topics relevant, direct, and in practical (non-technical) language.

Aside from the scheduled awareness training, we have to look for ways to improve the marketing of our InfoSec services/solutions so that our employees are better equipped to make educated decisions and reduce the "know-do" gap. This strategy can be used to fill the time between scheduled training and further educate employees on new and/or existing security best practices, industry happenings, or at-home advice. With employees becoming much more mobile, it would be better to avoid generating "security reports" and focus more on using other means of communication such as informational posters on bulletin boards, rotational advertisements on internal displays, or even online forums to collaborate.
Marilyn Cohodas
User Rank: Strategist
4/11/2014 | 1:06:44 PM
Re: Security Awareness Training or lack of it
@JasonSachowski, you hit the nail on the head with your point about making user awareness personal and relevant to people's jobs. But how do you do that? Tie it to job performance? 
JasonSachowski
User Rank: Author
4/11/2014 | 12:47:48 PM
Re: Security Awareness Training or lack of it
Not only should we conduct security awareness using industry best practices, but to expand on @Kwattman's comments below, we have to make it more personal and relevant to their jobs/lives to make it truly effective. There is most likely a percentage of every organization's workforce that does not truly understand what services/solutions are offered through their InfoSec teams that they can use to stay secure, or even how they as an employee contribute to the overall security posture of their organization.
Kwattman
User Rank: Black Belt
4/11/2014 | 11:44:09 AM
Re: Security Awareness Training or lack of it
KnowBe4's Kevin Mitnick Security Awareness Training, Wombat, PhishMe are some of the top programs. Gartner is doing an MQ on the field this fall as the need has grown so much and will publish around October. 
Randy Naramore
User Rank: Ninja
4/11/2014 | 11:36:16 AM
Re: Security Awareness Training or lack of it
True statement, once a year is not sufficient. Do you have examples of other programs?
Kwattman
User Rank: Black Belt
4/11/2014 | 11:32:18 AM
Re: Security Awareness Training or lack of it
Part of the problem is that the 1x a year ineffective training gives security awareness a bad name. Users need behavior training that is closely tied with their workflow so they can get used to proper behavior. You have to tie it to something that makes sense to the user for it to be remembered easily. And do it repeatedly. That way it becomes instinctive, and when the user is rushed or behind in his/her work, they will still take the time to think about what they are doing. But they have to notice - and the only way to get that to happen is to bring awareness up and make it personal. There are some great programs that do this.
Marilyn Cohodas
User Rank: Strategist
4/10/2014 | 12:23:11 PM
Re: Security Awareness Training or lack of it
I'm curious to know whether those who received training believed that it was worthwhile. And if not, what they think would be more effective.