Network Computing Dark Reading

Advertise

Threat Intelligence

4/17/2019
09:00 AM

Jai Vijayan
Slideshows

Connect Directly

1 Comment
Comment Now

7 Tips for an Effective Employee Security Awareness Program

Breaches and compliance requirements have heightened the need for continuous and effective employee training, security experts say.

2 of 8

Assess and Identify the Problem Areas

Before you get started, do an initial assessment to identify the problem areas, says Amy Baker, vice president of security awareness training strategy and development at Proofpoint. The assessment can be anything from a broad phishing test to a question-based cybersecurity knowledge assessment. "This knowledge can be used to inform the larger program that the organization rolls out, as each module selected can be targeted to improve a specific problem area identified in the assessment," Baker says.

But don't just assess current security capabilities and knowledge. Also evaluate employee attitudes before rolling out a training program, advises Lisa Plaggemier, chief evangelist at Infosec, a provider of IT security education and workforce security awareness services. "Do they view security as a roadblock, a barrier to time to revenue, or the 'department of no?" she says. "If so, you've got to change the culture, not just train people to spot phishing emails."

In addition, remember that you can't have a one-size-fits-all security-training program. Different roles have different needs, so you need to approach your program that way, too, Plaggemier says.

Image Source: Shutterstock

2 of 8

Comment |

Email This |

Print |

RSS

Comments

Newest First | Oldest First | Threaded View

[close this box]

50%

REISEN1955,
User Rank: Ninja
4/17/2019 | 10:36:38 AM

On training

It is amazing how many security breach issues are directly related to phishing. Employees should know better by now but they still click on that invoice for something they never bought or an email from the chairman asking 5 min of their time. Mis-spellings too. All these are dead give-away signs that they ignore. My rule: if you don't need it, don't read it, delete it. Works fine. Showing staff how complex and persistent threats are is great - stun and awe them. And make learning fun - get pizza for a training session and jokes too. You have to make it a smile event so they remember it. And they HAVE TO REMEMBER it. Office and home use too. Humor - I toss in puzzle problems too. Here are two great ones.

5 US Presidents had last names that began with the letter H. Name them.

3 words ONLY begin with DW in the English language. They are?

Users can be just curious. I had one actuary (read that man with zero life) get the infamous Anna Kournikovia picture virus. I confirmed that and then moron starts to move his mouse TO THE PICTURE. If you click that i will terminate IT support for you for ever going foward!!! And he said " then I shouldn't click it?" EGAD they just want to see what it DOES!!!! Curiosity killed the cat and data set.

Reply | Post Message | Messages List | Start a Board

Hot Topics

Editors' Choice

How Attackers Used Look-Alike Domains to Steal $1 Million From a Chinese VC

Jai Vijayan, Contributing Writer, 12/6/2019

Navigating Security in the Cloud

Diya Jolly, Chief Product Officer, Okta, 12/4/2019

SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit

Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC, 12/5/2019

Live Events

Webinars

[Video] Shaping the Future of IT CIO Lightning Series - Interop19

[Video] An (Ir)rational Approach to Interoperability - Interop19

Cisco & Amazon Web Services to Keynote at Enterprise Connect 2020

More Informa Tech Live Events

White Papers

In Today's Age of Digital Transformation, How Does Your Firewall Measure Up?

2019 Malware Trends of the Phishing Landscape

[Fundamental Guide] Building a Better SOC

SANS Report: Cloud Security Survey

Definitive Guide to Securing DevOps

More White Papers

Video

All Videos

Cartoon Contest

Write a Caption, Win a Starbucks Card! Click Here

Latest Comment: Our Endpoint Protection system is a little outdated...

Cartoon Archive

Current Issue

Navigating the Deluge of Security Data

In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

Rethinking Enterprise Data Defense

Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.

Download Now!

Assessing Cybersecurity Risk in Today's Enterprise

0 comments

2019 Online Malware and Threats

0 comments

The State of IT Operations and Cybersecurity Operations

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2019-19698
PUBLISHED: 2019-12-10

marc-q libwav through 2017-04-20 has a NULL pointer dereference in wav_content_read() at libwav.c.

CVE-2019-4428
PUBLISHED: 2019-12-09

IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session....

CVE-2019-4611
PUBLISHED: 2019-12-09

IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 168519.

CVE-2019-4612
PUBLISHED: 2019-12-09

IBM Planning Analytics 2.0 is vulnerable to malicious file upload in the My Account Portal. Attackers can make use of this weakness and upload malicious executable files into the system and it can be sent to victim for performing further attacks. IBM X-Force ID: 168523.

CVE-2019-4621
PUBLISHED: 2019-12-09

IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0 through 2018.4.1.5 have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC. IBM X-Force ID: 168883.

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]