Your employees are arguably your largest attack vector. Therefore, one of the absolute best things you can do to improve your organization’s security posture is to provide employees with effective security awareness training.
There are a few ways to effectively provide security awareness training, and each will have pros and cons depending on the organization’s culture.
- Visual aids are a great way to remind employees that there is a constant adversarial threat, and that they are the biggest line of defense when it comes to mitigation. While not a standalone option for training, they do reinforce the importance of proper information security.
See more free Security Awareness posters here: https://www.cdse.edu/resources/posters-security-awareness.html
- Classroom training provides an engaging, face-to-face training environment. Whether this is conducted through tabletop exercises or just a security briefing, it is the classic way to inform your employees of security risks and methods of mitigation.
- Online training is another option for Security Awareness training, and provides an asynchronous method which will (theoretically) cause less disruption to employees’ workflows.
Every organization’s Security Awareness program is going to be different. Ideally, your Security Awareness program should cover a multitude of topics:
- Social engineering (phishing, pretexting, quid pro quo, tailgating, road apple, etc.)
- Brief rundown on malware
- Desktop security (removable media, failing to lock workstation, etc.)
- Insider threat awareness and response
- Password security (complexity, reuse, etc.)
Having a way to quantify the effectiveness of the training is a crucial aspect that is often overlooked. After training employees, it’s best to ask for feedback. This can be done in a few ways, which again will depend on your organization’s culture.
- Post-training questionnaires allow employees to describe in detail what they did or did not like about the training.
- Allowing for questions and comments after concluding training will develop a “forum” atmosphere in which employees can piggyback off of others’ concerns.
- Leaving the training “open ended” and allowing employees to stop by your office with questions and concerns encourages employees to view Security Awareness as a continuous process.
Whether you provide this training to your employees on your own or through a third party will depend on the size, expertise, and spare resources available at your organization. If you need help designing a security awareness program, please reach out to our commercial services team for more information.