
Perimeter | Slideshows
9/29/2014 05:00 PM
Sara Peters

Be Aware: 8 Tips for Security Awareness Training

Hint: One giant security training session to rule them all is not the way to go.

It's every security professional's nightmare. All your best security measures: rendered useless by one great social engineering attack, one lost smartphone, or one weak password.

If only your users understood that security is everyone's job. If only they took your friendly reminders, heartfelt pleas, angry threats, and authoritative demands seriously. If only they weren't so stupid.

Maybe the problem isn't just your users -- it's your lousy security awareness program.

Awareness may be even more difficult than the most complex security architecture rip-and-replace. It's hard.

During the "Securing the Human" panel discussion at the Cyber Security Summit in New York earlier this month, experts shared some tips on how to make security awareness easier and more effective.


Image: "Anna Held's Eyes," Library of Congress via plaisanter~.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
anon7110993809, User Rank: Apprentice
3/30/2015 | 6:52:17 PM
digital security training
All 8 of these tips are great for running a digital security training. As you say, having one giant meeting to cover everything is not the way to go at all. People will start to get bored, and no one remembers anything when they are bored. Break it up into a few smaller meetings stretching over a few weeks. That way people are more likely to remember what was taught in each meeting.
jn94583, User Rank: Strategist
10/8/2014 | 4:16:25 PM
Informal Power
I would posit that Security Awareness and Training programs are woefully undervalued. Not simply because "education is the only patch for human error", but because informal power is more effective than sanctions.

Shaping the culture towards being more security conscious is more effective than threatening them with penalties. While people may take the tests and nod when you emphasize how important security is, they ultimately have a job to do. They will tend to discount the tutelage if it interferes with what they need to do.

I agree, emphasis on explaining the "why" is essential, however this does not guarantee compliance, which is ultimately an internal decision. It's a decision the person makes. If a corporate culture has been shaped to make security "normal" and expected, then compliance emerges from a good feeling rather than a fear.

It's much like the change in wording one might use in a Standard to reduce the natural resistance created by commands. Words like "must" are replaced by "do".

For example:

"All admins must report malware alerts" becomes "All admins report malware alerts" (the "do" is implied). This approach makes the requirement a statement of fact (it's how we do it here) rather than a prescriptive mandate...(of course it's how we do it here) :-)

Sara Peters, User Rank: Author
10/6/2014 | 4:21:17 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@SecOps Specialist WOW! Good for you. That's the first time I've heard someone say they quit their brand-new job because of bad information security.

And you're right: it certainly varies from company to company. One of the best security awareness training experts I know is hilarious and comes up with all kinds of ways to get people engaged. One example I remember: He wanted to teach people about keeping clean desks -- making sure that when people walked away from their desks their cubicles weren't wallpapered with login data, their computer screens weren't unlocked, their desks weren't covered in confidential documents and/or portable storage devices full of confidential documents.

So... he and a few members of his team dressed up like aliens! They wandered around the office, gathering up all the sensitive data they could just by wandering around. The idea being that even an alien with no prior knowledge of a company could be dropped in the office one day and walk away with everything they needed to know to breach the company. Whether or not it worked long-term, it certainly got the message across in an inventive way.
SecOpsSpecialist, User Rank: Moderator
10/6/2014 | 3:48:43 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@Sara

That's a tough one really. It is truly dependent on the business and how vested they are in Security and making sure that their program is more than a checkbox. If a company is only caring about compliance, they will not, in general, have a developed security program. They will have policies, as you said, that every person has to read every year as a way to meet compliance. Very rarely do you see companies that have a large program regarding security.

The hope is that the program, as you said, "should" be about improving security, but like I had said earlier, some businesses just do not have the resources to dedicate to something like that. As a prime example, I went to go work for this company and quit after a week because of how lax their security was. Their idea of security was allowing anyone access to the network room where the servers and cabling were located; everyone knew the username and password of everyone in the building, including the administrators such as the network admin and the server admin. The list goes on. I couldn't handle it and I quit within my first week and sought out a different job.
Sara Peters, User Rank: Author
10/6/2014 | 3:27:59 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@SecOps Specialist Well it certainly SHOULD be about improving security, not about checking a box. I expect that most awareness programs simply give out policies, without properly explaining why such policies exist???
SecOpsSpecialist, User Rank: Moderator
10/6/2014 | 12:31:50 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@Sara -

Oftentimes the Security training, much like HR training, is treated like a checkbox because it needs to meet compliance standards. The difference between Security training and Security Awareness training is that Security training is designed to meet compliance standards like FERPA or HIPAA/HITECH. Security Awareness training is about bringing, well, awareness, to the forefront of everyone's mind. There's more to Security than just blocking bad websites and keeping the "bad guys" out.

If people don't know that links are harmful, a checkbox solution won't help them with that. If people don't know that Social Engineering is something that happens almost every day and they don't know what signs to look for, they are vulnerable to it. Same thing with Phishing, Vishing, or Whaling. It's all a matter of how important the company views security. Is it something that needs a checkbox, or is it about getting people to change their views and get better at locking their workstations?
Sara Peters, User Rank: Author
10/6/2014 | 12:18:47 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@SecOps Specialist I love this extra bit of advice you mention: "Computer-Based Training is a great way to meet compliance, but don't stop there." I think that of all the many things security professionals do, awareness training is the one most likely to be treated with a "checkbox-only" approach. What do you think?
SecOpsSpecialist, User Rank: Moderator
9/30/2014 | 4:06:23 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@Marilyn - I'm not sure that is even effective still. In my experience, if a user knows something is coming, they are more likely to try to circumvent it than if they don't know it's coming. Truthfully, vulnerability testing done by outside vendors should not be announced because then the results are skewed and do not actually provide accurate data which can hurt the company overall. You can tell users til you're blue in the face that Security is important but until they fall victim to something, they will not change.
Stratustician, User Rank: Moderator
9/30/2014 | 2:14:33 PM
Re: Good, practical advice on security awareness training
Great points! As part of the training for different audiences, it might make sense to look at different types of departments as they have different risks. For example, marketing folks are known to use portable storage and cloud storage so they can work on files remotely. Sales users' risks come from how and where they access customer data. Tailoring training to talk about these types of users specifically might get a better response than the infamous "thou shalt be secure" corporate snooze sessions we've all sat through.
Marilyn Cohodas, User Rank: Strategist
9/30/2014 | 1:49:35 PM
Re: Be Aware: 8 Tips for Security Awareness Training
@SecOpsSpecialist. My guess is that the warning is more general. Tell users that they will be tested by an attack, but not be specific as to timing and the nature of the attack. I suspect, even with such warning, users will fall victim, and a serious lesson will be learned.