Monday 14 November 2016

Top-Down, Bottom-Up - What Are the Gaps in Your Security Training?

Where Are The Gaps In Your Security Training Strategy?

Cyber criminals are attacking from all vectors; isn't it time we trained on all vectors too? 

There is a lot of debate in the industry about how Security Awareness Training for staff is a vital component of any security strategy, but is it creating real behavioural change, and is it enough?

We have talked before about how training needs to be more creative, considering each individual's needs and motivations in order to create engagement and change. What is also vital is ensuring the training strategy works across three strata: top-down, bottom-up, and the staff in between.

Top-down: Senior Executive Training
It has long been said that business or management culture 'should come from the top'. The same is true of a proactive security culture, particularly as the top executives hold the keys to the castle. Just as with any other employee, there are two key factors at play here: the organisation's risk and the individual's personal risk, and how both can be reduced.

By educating senior executives using targeted threat intelligence research, covering not just the organisation and its brands but also willing volunteers within the executive group, one reveals the true risks of social engineering from both a personal and a business perspective: the threat of criminality on the dark web, data theft, reputational and financial impacts, and ultimately the all-important share price.

Bottom-Up: Security Training for Developers
How many open doors to hackers are unknowingly keyed into your code? Security training for developers is key to creating resilience at source. By raising developers' skills in coding with security and hackers in mind, you not only make your systems more robust but, over time, reduce the costs of testing and remediation as well as the risk of attack.

Again, creativity and a tailored approach deliver maximum results. Training can be implemented over multiple stages: from online assessments that identify which individuals require training and what type of training they need, through to CBT (computer-based training), classroom training and lab-based modules.

The result is immediate, actionable knowledge that gives businesses greater confidence and clarity over the standards used to build their code. What's more, online assessments can be used on an ongoing basis for recruitment.

The Meat in the Sandwich: Security Awareness Training for Staff
Everyone is talking about it, but how do you make it truly effective? By engaging the 'What's In It for Me?' principle. Rather than a list of rules about what not to do, build a picture of what is going on and how it affects not only the business but the employee and their family at home. However, there's more. There are key groups within a business who should receive bespoke training for their role; for example, Executive Assistants, who are regularly targeted to gain access to sensitive business information.
