Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/17/2019
09:00 AM
Jai Vijayan
Jai Vijayan
Slideshows
Connect Directly
Twitter
LinkedIn
RSS
E-Mail

7 Tips for an Effective Employee Security Awareness Program

Breaches and compliance requirements have heightened the need for continuous and effective employee training, security experts say.
2 of 8

Assess and Identify the Problem Areas

Before you get started, do an initial assessment to identify the problem areas, says Amy Baker, vice president of security awareness training strategy and development at Proofpoint. The assessment can be anything from a broad phishing test to a question-based cybersecurity knowledge assessment. 'This knowledge can be used to inform the larger program that the organization rolls out, as each module selected can be targeted to improve a specific problem area identified in the assessment,' Baker says.

But don't just assess current security capabilities and knowledge. Also evaluate employee attitudes before rolling out a training program, advises Lisa Plaggemier, chief evangelist at Infosec, a provider of IT security education and workforce security awareness services. 'Do they view security as a roadblock, a barrier to time to revenue, or the 'department of no?' she says. 'If so, you've got to change the culture, not just train people to spot phishing emails.'

In addition, remember that you can't have a one-size-fits-all security-training program. Different roles have different needs, so you need to approach your program that way, too, Plaggemier says.

Image Source: Shutterstock

Assess and Identify the Problem Areas

Before you get started, do an initial assessment to identify the problem areas, says Amy Baker, vice president of security awareness training strategy and development at Proofpoint. The assessment can be anything from a broad phishing test to a question-based cybersecurity knowledge assessment. "This knowledge can be used to inform the larger program that the organization rolls out, as each module selected can be targeted to improve a specific problem area identified in the assessment," Baker says.

But don't just assess current security capabilities and knowledge. Also evaluate employee attitudes before rolling out a training program, advises Lisa Plaggemier, chief evangelist at Infosec, a provider of IT security education and workforce security awareness services. "Do they view security as a roadblock, a barrier to time to revenue, or the 'department of no?" she says. "If so, you've got to change the culture, not just train people to spot phishing emails."

In addition, remember that you can't have a one-size-fits-all security-training program. Different roles have different needs, so you need to approach your program that way, too, Plaggemier says.

Image Source: Shutterstock

2 of 8
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/17/2019 | 10:36:38 AM
On training
It is amazing how many security breach issues are directly related to phishing.  Employees should know better by now but they still click on that invoice for something they never bought or an email from the chairman asking 5 min of their time.  Mis-spellings too.  All these are dead give-away signs that they ignore.  My rule: if you don't need it, don't read it, delete it.  Works fine.  Showing staff how complex and persistent threats are is great - stun and awe them.  And make learning fun - get pizza for a training session and jokes too.  You have to make it a smile event so they remember it.  And they HAVE TO REMEMBER it.  Office and home use too.    Humor - I toss in puzzle problems too.  Here are two great ones.

 5 US Presidents had last names that began with the letter H.  Name them.

 3 words ONLY begin with DW in the English language.  They are?

Users can be just curious.  I had one actuary (read that man with zero life) get the infamous Anna Kournikovia picture virus.  I confirmed that and then moron starts to move his mouse TO THE PICTURE.  If you click that i will terminate IT support for you for ever going foward!!!   And he said " then I shouldn't click it?"    EGAD they just want to see what it DOES!!!!    Curiosity killed the cat and data set. 
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19698
PUBLISHED: 2019-12-10
marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c.
CVE-2019-4428
PUBLISHED: 2019-12-09
IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....
CVE-2019-4611
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.
CVE-2019-4612
PUBLISHED: 2019-12-09
IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.
CVE-2019-4621
PUBLISHED: 2019-12-09
IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.