Thursday 3 November 2016

Where Are The Gaps In Your Security Training Strategy?

Alison Prangnell, ZeroDayLab

Cyber criminals are attacking from all vectors; isn't it time we trained on all vectors too?

There is a lot of debate in the industry about how Security Awareness training for staff is a vital component to any security strategy but is it creating real behavioural change and is it enough?

We have talked before about how training needs to be more creative; considering the individual's needs and motivations in order to create engagement and change but what is also vital, is ensuring the training strategy works across three strata, from the top-down to the bottom-up.

Top-Down: Senior Executive Training

It has long been said that business or management culture 'should come from the top'.  This is the same for a proactive security culture, particularly as the top execuitives hold the keys to the castle.  Just as with any other employee there are two key factors at play here; both the organisation's and the individual's risk and how that can be reduced.

By educating senior executives using targeted threat intelligence research on not just the organisation and its brands but also willing volunteers within the executive group; one reveals the true risks of social engineering from both a personal and business perspective, the threat of criminality on the dark web, data theft, reputation, financial impacts and ultimately the all-important share price.

Bottom-Up: Security Training for Developers

How many open doors to hackers are unknowingly keyed into your code? Security training for developers is key to creating resilience at source.  By raising the developers' skillset in coding with security and hackers in mind, this not only makes your systems more robust but over time, reduces costs for testing and remediation as well as reducing the risk of attack.

Again, creativity and taking a tailored approach delivers maximum results.  Training can be implemented over multiple stages from online assessments to identify the individuals requiring training and the type of training required, to CBT, classroom training and lab-based modules.  The result is immediate, actionable knowledge that gives businesses greater confidence and clarity over the standards utilised to build their code.  What's more, online assessments can be used on an on-going basis for recruitment.

The Meat in the Sandwich: Security Awareness Training for Staff

Everyone is talking about it but how do you make it truly effective? By engaging the 'What's In It For Me?' priniciple; rather than having a list of rules of what not to do, you  build a picture of what is going on and how it affects not only the business but the individual and their families at home.   However, there's more.  There are key groups within a business who should receive bespoke training for their role: for example, Executive Assistants who are regularly targeted to gain access to business information.

Speak to our consultants to find out more about how training can be best implemented to help secure your organisation on +44 207 979 2067 

No comments:

Post a Comment