One of the biggest weaknesses in information security today is the human element: the end user. Year after year, organizations put new security controls, policies, and best practices in place, yet each year security breaches still occur. No one is immune, from small to large organizations, and no data breach is too small to make the news or be reported on sites like www.privacyrights.org. It only takes a simple mistake by an uneducated end user to leave an open door into your information security.
We all have information security threats of this kind. For example: John keeps his password on a note under his keyboard, Jane downloaded a “harmless” penguin game from a Russian website, Josh tossed a stack of medical records into the trash can at his desk, and Jen gave her password to a caller claiming to be an “IT Support Technician.”
Most information security controls can be bypassed or subverted by careless or unaware end users. I have lost count of the number of times I have heard an end user say, “I had no idea there was a policy on that.” If you do not educate your end users on your organization’s policies and information security posture, you are setting your organization up for a data breach.
An effective information security awareness training program is a vital part of your defense in depth and of a strong information security posture. Its purpose is to educate and train one of the weakest links in that posture: your end users.
Is an Information Security Awareness Training Program Required for My Organization?
Yes and no. Your particular business and the data you handle determine whether you are required to provide some form of awareness training for your employees or end users. Even if your organization is not required to have an information security awareness training program, it is best practice to implement one anyway. Numerous laws, regulations, industry requirements, and frameworks now require some form of information security awareness training. A few are listed here, beginning with laws:
- Health Insurance Portability & Accountability Act (HIPAA) §164.308(a)(5)(i) states: Implement a security awareness and training program for all members of its workforce (including management).
- Federal Information Security Management Act (FISMA) §3544(b)(4) states: Security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks.
Regulations, industry requirements, and frameworks:
- Payment Card Industry Data Security Standard (PCI DSS) Requirement 12.6 states: Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
- The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standard CIP-004-3, Requirement R1, states: The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices.
- ISO 27002 control 8.2.2 states: All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
- COBIT process DS7 (Educate and Train Users) calls for control over the IT process of educating and training users so that it satisfies the business requirement for IT of effectively and efficiently using applications and technology solutions and ensuring user compliance with policies and procedures.
What Makes an Effective Information Security Awareness Training Program?
Before you can develop and implement an information security awareness training program, you must first have information security and other workplace policies in place. Until the policies are developed and approved, you cannot expect your end users to follow them, let alone enforce them. Second, ensure that all current policies meet the compliance requirements mandated for your organization. If you are still in the process of developing your policies or completing a policy review, take a minute to review the six-part Information Security Policies and Procedures SecureState blog series, or contact SecureState to learn more about regulatory gap assessments and Security Policies and Procedures services.
Once you have your policies in place and up to date, you can create an effective information security awareness training program. The key to making such a program truly effective is to go beyond simple compliance and focus on changing behaviors. Changing the behaviors of your end users so that they become security-minded will strengthen your organization’s information security posture.
How do you ensure the training program will change behaviors?
- Informative – Ensure the training provides a solid base of information rather than restating the policies verbatim, and that it bridges any gaps between policy language and user understanding. Oftentimes, information security awareness training programs only restate the current policies and never bridge those gaps. Gather a small group of employees to provide feedback on your current policies, or ask them to restate in their own words what a policy means to them. This will identify areas where additional information or examples need to be included in the training.
- Relevant – Make sure the training is meaningful and appropriate for the employee. Keep the material pertinent to reduce the chance of employees mentally checking out of the training. For example, if only 5% of employees need to understand the access administration policy, it most likely does not belong in the base-level training.
- Engaging – Use multimedia, interactive simulations, knowledge checks, and participation as much as possible. Keep the material concise wherever feasible. If there is a large amount of information, deliver it in a format that breaks it up into modules that reinforce each other.
- Linkage – Ensure the training helps the employee link a failure to follow policy to the negative impact that failure has on the organization.
- Keep it current – Update the training on an annual basis and have your employees complete refresher training at least annually. Use the findings from your penetration testing and incident response efforts to tune the training. If your weaknesses are in social engineering, spend more of your refresher training on that topic.
Developing an effective information security awareness training program takes time and has its own lifecycle. Simply put: keep the material current and targeted to your organization’s needs, focus on changing employees’ behaviors, and keep information security at the forefront of your employees’ minds.