Comments
Be Aware: 8 Tips for Security Awareness Training
TimKorry
TimKorry,
User Rank: Apprentice
9/24/2020 | 6:17:23 AM
Great tips
Great tips. Thanks
anon7110993809
anon7110993809,
User Rank: Apprentice
3/30/2015 | 6:52:17 PM
digital security training
All 8 of these tips are great for running a digital security training. As you say, having one giant meeting to cover everything is not the way to go at all. People will start to get bored, and no one remembers anything when they are bored. Break it up into a few smaller meetings stretching over a few weeks. That way people are more likely to remember what was taught in each meeting. 
jn94583
jn94583,
User Rank: Strategist
10/8/2014 | 4:16:25 PM
Informal Power
I would posit that Security Awareness and Training programs are woefully undervalued. Not simply because "education is the only patch for human error", but because informal power is more effective than sanctions. 

Shaping the culture towards being more security conscious is more effective than threatening them with penalties. While people may take the tests and nod when you emphasize how important security is, they ultimately have a job to do. They will tend to discount the tutelage if it interferes with what they need to do.

I agree, emphasis on explaining the "why" is essential; however, this does not guarantee compliance, which is ultimately an internal decision. It's a decision the person makes. If a corporate culture has been shaped to make security "normal" and expected, then compliance emerges from a good feeling rather than a fear.

It's much like the change in wording one might use in a Standard to reduce the natural resistance created by commands. Words like "must" are replaced by "do".

For example:

"All admins must report malware alerts" becomes "All admins report malware alerts" (the "do" is implied). This approach makes the requirement a statement of fact (it's how we do it here) rather than a prescriptive mandate...(of course it's how we do it here) :-)
Sara Peters
Sara Peters,
User Rank: Author
10/6/2014 | 4:21:17 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@SecOps Specialist   WOW! Good for you. That's the first time I've heard someone say they quit their brand-new job because of bad information security. 

And you're right: it certainly varies from company to company. One of the best security awareness training experts I know is hilarious and comes up with all kinds of ways to get people engaged. One example I remember: He wanted to teach people about keeping clean desks -- making sure that when people walked away from their desks their cubicles weren't wallpapered with login data, their computer screens weren't unlocked, their desks weren't covered in confidential documents and/or portable storage devices full of confidential documents.  

So... he and a few members of his team dressed up like aliens! They wandered around the office, gathering up all the sensitive data they could just by wandering around. The idea being that even an alien with no prior knowledge of a company could be dropped in the office one day and walk away with everything they needed to know to breach the company. Whether or not it worked long-term, it certainly got the message across in an inventive way.
SecOpsSpecialist
SecOpsSpecialist,
User Rank: Moderator
10/6/2014 | 3:48:43 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@Sara

That's a tough one really. It is truly dependent on the business and how vested they are in Security and making sure that their program is more than a checkbox. If a company is only caring about compliance, they will not, in general, have a developed security program. They will have policies, as you said, that every person has to read every year as a way to meet compliance. Very rarely do you see companies that have a large program regarding security.

The hope is that the program, as you said, "should" be about improving security, but like I said earlier, some businesses just do not have the resources to dedicate to something like that. As a prime example, I went to work for this company and quit after a week because of how lax their security was. Their idea of security was allowing anyone access to the network room where the servers and cabling were located; everyone knew the username and password of everyone in the building, including the administrators such as the network admin and the server admin. The list goes on. I couldn't handle it, so I quit within my first week and sought out a different job.
Sara Peters
Sara Peters,
User Rank: Author
10/6/2014 | 3:27:59 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@SecOps Specialist  Well it certainly SHOULD be about improving security, not about checking a box. I expect that most awareness programs simply give out policies, without properly explaining why such policies exist???
SecOpsSpecialist
SecOpsSpecialist,
User Rank: Moderator
10/6/2014 | 12:31:50 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@Sara -

Oftentimes the Security training, much like HR training, is treated like a checkbox because it needs to meet compliance standards. The difference between Security training and Security Awareness training is that Security training is designed to meet compliance standards like FERPA or HIPAA/HITECH. Security Awareness training is about bringing, well, awareness to the forefront of everyone's mind. There's more to Security than just blocking bad websites and keeping the "bad guys" out.

If people don't know that links are harmful, a checkbox solution won't help them with that. If people don't know that Social Engineering is something that happens almost every day and they don't know what signs to look for, they are vulnerable to it. Same thing with Phishing, Vishing, or Whaling. It's all a matter of how important the company views security. Is it something that needs a checkbox, or is it about getting people to change their views and get better at locking their workstations?
Sara Peters
Sara Peters,
User Rank: Author
10/6/2014 | 12:18:47 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@SecOps Specialist  I love this extra bit of advice you mention:  "Computer-Based Training is a great way to meet compliance, but don't stop there."  I think that of all the many things security professionals do, awareness training is the one most likely to be treated with a "checkbox-only" approach. What do you think?
SecOpsSpecialist
SecOpsSpecialist,
User Rank: Moderator
9/30/2014 | 4:06:23 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@Marilyn - I'm not sure that is even effective still. In my experience, if a user knows something is coming, they are more likely to try to circumvent it than if they don't know it's coming. Truthfully, vulnerability testing done by outside vendors should not be announced because then the results are skewed and do not actually provide accurate data which can hurt the company overall. You can tell users til you're blue in the face that Security is important but until they fall victim to something, they will not change.
Stratustician
Stratustician,
User Rank: Moderator
9/30/2014 | 2:14:33 PM
Re: Good, practical advice on security awareness training
Great points! As part of the training for different audiences, it might make sense to look at different types of departments, as they have different risks. For example, marketing folks are known to use portable storage and cloud storage so they can work on files remotely. Sales users' risks come from how and where they access customer data. Tailoring training to talk about these types of users specifically might get a better response than the infamous "thou shalt be secure" corporate snooze sessions we've all sat through.