Every day, new information security threats come to light, and companies have a hard time fighting them. But have you ever thought about what could be the reasons behind these threats? Well, there are various factors, such as using pirated software and not updating your antivirus. In addition, you have employees who download files from unknown sites and, in doing so, end up running malicious code. Clicking on pop-ups is one such example.
This is a serious issue which companies need to address, and the answer lies in providing cyber security training to their employees. Here are some steps that will help you conduct
Get management approval: To empower employees to face cyber security issues, the management should be first taken into confidence. Without them, the initiative will not be very successful.
Employ a qualified trainer: It’s a good idea for companies to employ a qualified trainer who will give comprehensive training on the subject to the company’s employees (as part of their cyber security training initiative). However, this shouldn’t be a one-time initiative. Ideally, cyber security training should be repeated every six months to one year. The trainer will be able to give information on the latest trends in virus attacks and discuss case studies.
Create awareness: As part of cyber security training, the information security division should send out newsletters once a month or once every two months to all company employees. These newsletters increase employee awareness about the latest developments in cyber security, discuss the latest virus trends, and describe the forms that attacks take.
Explain responsibility: Generally, during the induction program itself, companies specify the dos and don’ts of the company in the form of a policy. It should be made clear to all employees that they are responsible for their actions, so that in the case of a malware attack an employee cannot say that he wasn’t aware of the possibility of an attack. As part of their cyber security training, employees should be completely discouraged from downloading software from unknown sites. This doesn’t mean they should stop surfing the Internet. What the company can do is add another layer of perimeter security, wherein the system administrator regularly audits the system log or the firewall log to find out if somebody is trying to bring malicious code into the company.
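The log audit mentioned above can be partly automated. The following Python script is an added example, not code from the original article or its author: it scans firewall log lines for the two behaviours the article warns about, executable downloads from sites that are not on the company's approved list, and repeated denied outbound connections from a single workstation. The syslog-style line format, the host names, the IP addresses and the log lines themselves are constructed for this example; adapt the regular expression to your own gateway's format.

```python
"""Audit firewall log lines for unapproved downloads and repeated denies.

Added example, not from the original article. The log line format below is an
assumption (hypothetical); real firewalls use their own layouts.
"""
import re
from collections import Counter

# Assumed line format (constructed for this example):
#   <timestamp> fw action=<allow|deny> src=<ip> dst=<host> [url=<path>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw action=(?P<action>allow|deny) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+)(?: url=(?P<url>\S+))?$"
)

# Hosts the company has approved for software downloads (constructed values).
APPROVED_HOSTS = {"updates.example.com", "intranet.example.com"}

# File extensions that indicate an executable or installer is being fetched.
RISKY_EXT = (".exe", ".msi", ".scr", ".bat", ".js", ".zip")

# How many denied connections from one source to one destination count as
# suspicious; tune this to your environment.
DENY_THRESHOLD = 3

# Constructed sample log: one approved patch download, one executable pulled
# from an unapproved site, three denied attempts to reach the same address,
# an ordinary document fetch, and one line that does not parse.
SAMPLE_LOG = """\
2010-09-01T09:00:01 fw action=allow src=10.0.0.12 dst=updates.example.com url=/patch.msi
2010-09-01T09:02:15 fw action=allow src=10.0.0.12 dst=free-tools.example.net url=/setup.exe
2010-09-01T09:05:40 fw action=deny src=10.0.0.33 dst=203.0.113.7 url=/
2010-09-01T09:05:41 fw action=deny src=10.0.0.33 dst=203.0.113.7 url=/
2010-09-01T09:05:42 fw action=deny src=10.0.0.33 dst=203.0.113.7 url=/
2010-09-01T09:10:00 fw action=allow src=10.0.0.45 dst=intranet.example.com url=/policy.pdf
this line is garbage and should be counted as unparsed
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text, approved_hosts=APPROVED_HOSTS, deny_threshold=DENY_THRESHOLD):
    """Scan log text and return (findings, unparsed_line_count).

    A finding is a dict with a "type" of either "unapproved_download" (an
    allowed fetch of an executable from a host outside the approved list) or
    "repeated_deny" (deny_threshold or more blocked connections between the
    same source and destination).
    """
    findings = []
    denies = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # keep counting so a format change is noticed, not hidden
            continue
        url = (rec["url"] or "").lower()
        if (rec["action"] == "allow" and url.endswith(RISKY_EXT)
                and rec["dst"] not in approved_hosts):
            findings.append({"type": "unapproved_download", "ts": rec["ts"],
                             "src": rec["src"], "dst": rec["dst"], "url": rec["url"]})
        if rec["action"] == "deny":
            denies[(rec["src"], rec["dst"])] += 1
    for (src, dst), count in denies.items():
        if count >= deny_threshold:
            findings.append({"type": "repeated_deny", "src": src, "dst": dst,
                             "count": count})
    return findings, unparsed


if __name__ == "__main__":
    results, skipped = audit(SAMPLE_LOG)
    for f in results:
        print(f)
    print(f"{len(results)} finding(s), {skipped} unparsed line(s)")
```

The script deliberately reports how many lines it could not parse: a sudden jump in that number usually means the firewall's log format changed, and an audit that silently skips such lines would give a false sense of coverage.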
Test the participants: After the cyber security training is over, employees should appear for a test. Based on their scores you can judge their levels of awareness.
Form an emergency response (ER) team: As part of cyber security training, form an emergency response team. Train the team members intensively so that they are capable of handling all kinds of emergencies.
About the author: Manu Zacharia is the director of information security at Millennium IT Consultants. He is an information security evangelist with more than 16 years of professional experience. Zacharia has also served with the Indian Air Force.
(As told to Anuradha Ramamirtham.)
This was first published in September 2010