Dark Reading is part of the Informa Tech Division of Informa PLC

Comments
Be Aware: 8 Tips for Security Awareness Training
TimKorry,
User Rank: Apprentice
9/24/2020 | 6:17:23 AM
Great tips
Great tips. Thanks
anon7110993809,
User Rank: Apprentice
3/30/2015 | 6:52:17 PM
digital security training
All 8 of these tips are great for running a digital security training. As you say, having one giant meeting to cover everything is not the way to go at all. People will start to get bored, and no one remembers anything when they are bored. Break it up into a few smaller meetings stretching over a few weeks. That way people are more likely to remember what was taught in each meeting. 
jn94583,
User Rank: Strategist
10/8/2014 | 4:16:25 PM
Informal Power
I would posit that Security Awareness and Training programs are woefully undervalued. Not simply because "education is the only patch for human error", but because informal power is more effective than sanctions. 

Shaping the culture towards being more security conscious is more effective than threatening them with penalties. While people may take the tests and nod when you emphasize how important security is, they ultimately have a job to do. They will tend to discount the tutelage if it interferes with what they need to do.

I agree, emphasis on explaining the "why" is essential; however, this does not guarantee compliance, which is ultimately an internal decision. It's a decision the person makes. If a corporate culture has been shaped to make security "normal" and expected, then compliance emerges from a good feeling rather than a fear.

It's much like the change in wording one might use in a Standard to reduce the natural resistance created by commands. Words like "must" are replaced by "do".

For example:

"All admins must report malware alerts" becomes "All admins report malware alerts" (the "do" is implied). This approach makes the requirement a statement of fact (it's how we do it here) rather than a prescriptive mandate...(of course it's how we do it here) :-)

Sara Peters,
User Rank: Author
10/6/2014 | 4:21:17 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@SecOps Specialist   WOW! Good for you. That's the first time I've heard someone say they quit their brand-new job because of bad information security. 

And you're right: it certainly varies from company to company. One of the best security awareness training experts I know is hilarious and comes up with all kinds of ways to get people engaged. One example I remember: He wanted to teach people about keeping clean desks -- making sure that when people walked away from their desks their cubicles weren't wallpapered with login data, their computer screens weren't unlocked, their desks weren't covered in confidential documents and/or portable storage devices full of confidential documents.  

So... he and a few members of his team dressed up like aliens! They wandered around the office, gathering up all the sensitive data they could just by wandering around. The idea being that even an alien with no prior knowledge of a company could be dropped in the office one day and walk away with everything they needed to know to breach the company. Whether or not it worked long-term, it certainly got the message across in an inventive way.
SecOpsSpecialist,
User Rank: Moderator
10/6/2014 | 3:48:43 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@Sara

That's a tough one really. It is truly dependent on the business and how vested they are in Security and making sure that their program is more than a checkbox. If a company is only caring about compliance, they will not, in general, have a developed security program. They will have policies, as you said, that every person has to read every year as a way to meet compliance. Very rarely do you see companies that have a large program regarding security.

The hope is that the program, as you said, "should" be about improving security, but like I had said earlier, some businesses just do not have the resources to dedicate to something like that. As a prime example, I went to go work for this company, and I quit after a week because of how lax their security was. Their idea of security was allowing anyone access to the network room where the servers and cabling were located; everyone knew the username and password of everyone in the building, including the administrators such as the network admin and the server admin. The list goes on. I couldn't handle it and I quit within my first week and sought out a different job.
Sara Peters,
User Rank: Author
10/6/2014 | 3:27:59 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@SecOps Specialist  Well it certainly SHOULD be about improving security, not about checking a box. I expect that most awareness programs simply give out policies, without properly explaining why such policies exist???
SecOpsSpecialist,
User Rank: Moderator
10/6/2014 | 12:31:50 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@Sara -

Oftentimes the Security training, much like HR training, is treated like a checkbox because it needs to meet compliance standards. The difference between Security training and Security Awareness training is that Security training is designed to meet compliance standards like FERPA or HIPAA/HITECH. Security Awareness training is about bringing, well, awareness to the forefront of everyone's mind. There's more to Security than just blocking bad websites and keeping the "bad guys" out.

If people don't know that links are harmful, a checkbox solution won't help them with that. If people don't know that Social Engineering is something that happens almost every day and they don't know what signs to look for, they are vulnerable to it. Same thing with Phishing, Vishing, or Whaling. It's all a matter of how important the company views security. Is it something that needs a checkbox, or is it about getting people to change their views and get better at locking their workstations?
Sara Peters,
User Rank: Author
10/6/2014 | 12:18:47 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@SecOps Specialist  I love this extra bit of advice you mention:  "Computer-Based Training is a great way to meet compliance, but don't stop there."  I think that of all the many things security professionals do, awareness training is the one most likely to be treated with a "checkbox-only" approach. What do you think?
SecOpsSpecialist,
User Rank: Moderator
9/30/2014 | 4:06:23 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@Marilyn - I'm not sure that is even effective still. In my experience, if a user knows something is coming, they are more likely to try to circumvent it than if they don't know it's coming. Truthfully, vulnerability testing done by outside vendors should not be announced, because then the results are skewed and do not actually provide accurate data, which can hurt the company overall. You can tell users 'til you're blue in the face that Security is important, but until they fall victim to something, they will not change.
Stratustician,
User Rank: Moderator
9/30/2014 | 2:14:33 PM
Re: Good, practical advice on security awareness training
Great points! As part of the training for different audiences, it might make sense to look at different types of departments, as they have different risks. For example, marketing folks are known to use portable storage and cloud storage so they can work on files remotely. Sales users' risks come from how and where they access customer data. Tailoring training to talk about these types of users specifically might get a better response than the infamous "thou shalt be secure" corporate snooze sessions we've all sat through.