Boiling it Down
IT Department: “We are implementing a Security Awareness and Training Program.”
General User: “A what?”
Exactly.
Here’s how I recently explained it at a conference where I delivered a presentation on structuring a security awareness (and training) program.
A security awareness and training program is your security controls and policies affecting users, along with current threats, boiled down so that users can comply with the policies and appropriately respond to the threats.
A user doesn’t realize he is supposed to report an attempt by a non-employee to access his computer? Not his problem. It’s yours, unless you’ve made this information clear to him.
A user complains about frequent password updates? Not her problem. It’s yours, unless you tie this mitigation back to how frequently people get phished.
The security awareness piece is a combination of current threats and security policies of which an employee needs to be informed. Think of it as the WHAT and the WHY.
The training piece is showing them HOW to adhere to policies and HOW to respond to threats. These are two distinct pieces, both of which are very important.
For example, take the phishing threat. Users with e-mail will at some point receive a phishing scam.
They need to understand WHAT phishing is and WHY it’s a threat. (Awareness)
Then, they need to know HOW to recognize a phish and HOW to report it in your environment. (Training)
Where to start?
Great sources include existing use policies, frequently used security applications (such as a network login or antivirus), and common issues reported to the help desk. Here are some categories to consider:
- Authentication/Passwords
- E-mail/Phishing
- Social Engineering
- Computer Use Policy
- Web Surfing
- Sensitive Data
- Mobile Devices
- Physical Security
- Social Media Policy
Need an Expert?
If you need some help developing your own program, contact us today.