As hackers proliferate, and social engineering and phishing attacks become more sophisticated and frequent, a robust security awareness training program assumes paramount importance for organizations. Employees are key enablers of any business, but since they also have access to classified information in the organization, it is essential to put them through security awareness training, informing them of their responsibilities towards securing vital organizational information.
Unfortunately, security awareness training is often overlooked or trivialized in many organizations, being seen merely as a ritual to attain compliance or retain certification.
Here are the few reasons why security awareness training programs fail. Let’s also look at how you can avoid such failures.
- Tone at the top counts
C-level executives should be apprised of the importance of security awareness and training for employees, who are in fact the weakest link when it comes to safeguarding the company’s assets. For example, potential security risks could result from: A security guard having access to the server room or the fire safe in which confidential information exists; or an IT administrator with access to sensitive information stored in a database. If top management is not favorably inclined towards security awareness training, no such program can succeed.
- size never fits all
Security training programs often are outdated or improperly designed, with common training material that may be unsuitable for different types or grades of employees. One size will never fit all; hence security practitioners should tailor the security training according to the business needs of diverse audiences within the organization. For example, employees working in the credit card division should be educated on securing credit card information, while software developers should be explained the importance of securing the program code.
- Allocation of budgets
Security awareness training programs often suffer due to insufficient budget allocation. To have a desired security training framework implemented, adequate budgets are a must. Do not fall into the trap of viewing the security awareness training program as a burden entailing unnecessary expenditure. Instead, it should be seen as a strong control that could safeguard pivotal information by educating employees who might otherwise prove to be unwitting security risks. A well-documented business case, with detailed cost-benefit analyses, would go a long way in obtaining budget sanctions from top management.
- Motivating the employees
Often, employees have no motivation to attend security awareness workshops or training programs, or to report security-related incidents or issues. If such behavior goes unacknowledged or unrewarded, and in addition is not part of employees’ KRAs, it is unlikely that anyone will approach the subject with unbridled enthusiasm.
Hence, ensuring employee motivation is an essential prerequisite to getting the desired results. Employees should be motivated to attend security awareness training and should be made to feel responsible for securing the organization’s assets. This can be incentivized in various ways. For example, toppers at every training program could be publicly recognized and rewarded; and, employees reporting security incidents could be acknowledged and felicitated at annual company meets. Frequent and personalized communication is important, be it via email, newsletters or bulletin boards.
Often, security awareness training programs do not have integrated feedback mechanisms within the framework. As a result, the training material and content could quickly become obsolete or irrelevant. To prevent this, regular feedback from different sets of employees in different divisions should be considered.
Business requirements along with linked security requirements change over time. Hence feedback will help the security team improve training exercises. The security team should also analyze incidents on an annual basis, or more frequently if feasible. For example, if password compromise incidents have increased over the year, then the training should provide more emphasis on this aspect, and the content should be revised accordingly. Different teams, such as physical security, HR and operations should come together periodically and deliberate on how the security awareness training program could be modified or improved.
- Dull presentations and training material
When it comes to designing and implementing security awareness training, one might be tempted to upload standard presentations or computer-based training modules on the intranet, to save on time and costs. Avoid such shortcuts, as employees are unlikely to feel enthused by such content, and would probably browse through the program cursorily, without retaining too much.
Instead, make the CBTs interesting and fun to go through by customizing and personalizing the content, for instance with actual images and videos from the various departments, photos of employees, and a script that will keep the audience engrossed while highlighting the real security issues. Multimedia presentations would ensure that the content remains ingrained in the minds of the employees.
Conducting an information security week is a fun way of creating security awareness among employees and encouraging safe behavior. Coffee mugs or T-shirts printed with information security guidelines would make everyone happy, while simultaneously enhancing security awareness. An information security poster competition is another way of getting people interested in security issues and boosting the security awareness training program.
This was first published in July 2012