Thursday 2 June 2016

Top 10 Considerations for Truly Effective Security Awareness Training - Episode II

In this blog post we continue the Top 10 Considerations for Truly Effective Security Awareness Training.  We have already looked at Testing & Benchmarking, Elements of Testing, Timing, Training Methods and Who Really Holds the Keys to the Kingdom.  Today, we look a little closer at motivation factors and the human link. 

6. What's In It For Me? The Human Motivation Factor
"That's all very well," you think, "but what impact will a couple of hours training really have in changing behaviour in the company?" All too often, corporate training days are swiftly forgotten, so how do you make it stick - without using one?

Human error is a significant problem, and to overcome it you need people's behaviour to change.  To enable on-going behavioural change, aligning your business needs with your employees' needs and motivations is key.  Some motivators might be:
  • Protecting yourself and your family from identity theft and fraud
  • Financial incentives
  • Ambition and development (KPIs, development programme)
  • Personal engagement and responsibility (Security ambassadors)
  • Corporate engagement - doing it for the future of the company and its security.
Some companies have been linking staff security awareness to their appraisal system, some even to their bonus structure via a testing and scoring system.  If an individual (or sometimes a team) falls below the benchmark level, they lose their bonus and are sent on security awareness training.  This is an approach that has been welcomed by some management teams as it is quantifiable.  Clearly, there are pluses and minuses.  It is likely to engage the individual so they don't lose money; however, the stick approach doesn't work for everyone and may affect loyalty and motivation.  There are, however, no concrete statistics to suggest disincentivisation at this point.

7. Integration - The Human Link to Solutions, Policies & Procedures

ZeroDayLab's Four Quadrants of Security Awareness 

Let's face it, humans are everywhere.  People or their activities affect every single part of the business.  In terms of business solutions, that means weeding out the unofficial shadow applications and ensuring that teams keep all applications in line with security protocols and the most effective implementation for your organisation.  Likewise, whilst the majority of staff are not involved in the management of policies and procedures, do all staff who need to be (such as those in customer-facing roles) have a full understanding of their responsibilities under PCI DSS or EU GDPR, for example?

8. What Now? What to Do When a Threat is Discovered
Once you've trained your staff, have you told them what to do when they identify a threat? Empower them as a part of your security awareness programme. Make staff clear on when and how they report an email, or odd activities on their computer.  Just as importantly, in the event of a breach, ensure that communications are implemented effectively so that all staff, especially customer-facing operatives, know what to say and how to help the customer when they ring up concerned about their data security. Quite often, this link in the chain breaks and so does customer and stakeholder trust as a result.

9. Test, Educate, Review, Repeat
Testing isn't just about the phishing campaign.  Make sure you are breach ready with Red Teaming and runbook preparation and training, not forgetting a crisis communications strategy. Staff security awareness is an on-going project requiring regular communication and follow-up training.  In short: test, educate, review, repeat. 

10. Dust off the Bat Phone
Not every company has a big enough IT/Security team or HR & Training to implement Security Training on an on-going basis. It's not just the additional resources that a security consulting team will bring to your security awareness strategy, it is analysis and independence.  A security firm will not only be able to analyse the results from your phishing resilience testing, they can anonymously test social engineering and deliver physical security tests.  What's more, as an independent expert, they can add greater weight to your education programme through threat knowledge and the latest approaches for the board or the employee group as a whole. 

What are your top tips for security awareness?
