Cybersecurity, information security, and all those acronyms… How do you keep on top of it all? Don’t forget your users. An important part of information security is user training. These days, everyone is a potential target. It’s not just the big corporations anymore. You have to be careful with your personal information and your personal devices. If your employees know their stuff, they can help protect you and the company.
People are not the weakest link — they are the primary attack vector. We can protect them by changing their behavior. One effective way to change behavior is to leverage an awareness and training program.
Training and awareness are often confused. Training is primarily active, while awareness is generally passive. And there can be overlap!
- Training: To teach skills that allow a person to perform a specific function
- Awareness: To focus an individual’s attention on an issue or a set of issues
Training comes in many forms. Often, the most effective is a combination of classroom and online sessions. Visual aids such as posters are often used to increase awareness of the training. Information can be emailed, and simulated phishing campaigns can be used to make sure everyone is aware of the new training and can pass it on. I like to blend my approach with a focus on awareness, which allows any associated training to flow naturally into the organization.
If you want to motivate your employees, use positive messaging. It is much more effective to explain why a policy is important than to scare people with negative statements. Studying the impact of different types of messaging can help you deliver messages that are more effective and more likely to be acted upon.
Security awareness training isn’t a one-and-done deal. It should be a regular and ongoing process to keep employees on top of their game. Measuring with multiple data sources is ideal, whether it’s phishing tests, formal assessments, or network anomaly statistics. We must measure our programs and adjust them to ensure that we’re giving employees the best security training on the planet.
Core topics for security awareness training might include:
- Social engineering
- Email/Phishing scams
- Passwords (passphrases)
- Multi-Factor/Two-Factor Authentication (MFA/2FA)
- Ransomware and Malware
- Physical security
- Desktop security
- Removable media
- Wireless networks
- Data privacy
- Home, IoT, and personal security
No matter how many digital awareness and training programs you have, don’t forget about the basics. Old-school methods can be just as effective. If you walk around your business looking for exposed passwords, unlocked computers, and other physical security risks, you may find it eye-opening. When we focus so heavily on high-tech digital security, we often forget about basic physical security.