It makes sense that those who are out there on the front lines every day – the users who are running applications, visiting web sites, managing email, etc. – are often the determining factors in whether or not a security breach occurs on your network. Yet many organizations throw together an “acceptable use policy,” hand it out to new employees, and call that a security awareness training program. Real training goes far beyond dissemination and explanation of company policies. In this article, we’ll look at why security awareness training is so important, advantages and disadvantages of developing your own program or contracting with specialists, and what a good security awareness training program should include.
The importance of security awareness
Many workplaces today are subject to governmental or industry regulation, and failure to comply can result in censure, fines or worse. In some organizations there are legal mandates that require workers to be trained in and/or “informed” about information security awareness. For example:
- The Federal Information System Security Management Act (FISMA) requires federal government agencies to ensure that all users of their information systems are aware of their security responsibilities, and the agencies must document their security awareness training. The National Institute of Standards and Technology’s Information Security Training Requirements document specifies that all users attend security awareness training, either online or in person, at least once per year, and that those designated as having significant responsibility for information security should receive formal role-based security training.
- HIPAA (Health Insurance Portability and Accountability Act), section 164.308, requires that every organization in the healthcare industry implement a security awareness and training program for all members of its workforce (including management).
- Publicly traded companies that fall under the Sarbanes-Oxley Act (SOX) are governed by section 404 pertaining to Control Objectives for Information Technology, which mandates that companies appoint trainers, organize training sessions on a timely basis, and record registration, attendance and performance evaluations.
- In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA), in section 1, clauses 4.1.4(c) and 4.7.4, says that “Organizations shall implement policies and practices to give effect to the principles, including … (c) Training staff and communicating to staff information about the organizations’ policies and practices.”
Even if your company operates in a currently unregulated industry, though, a company-wide security awareness program should be part of your overall information security strategy. A September 2012 study from research company Forrester reported that the majority of data security breaches in North America and Europe are caused by employees, with a large majority of those being due to inadvertent actions rather than malicious insiders. The same study indicated that only a little over half of those employees classified as information workers said they were aware of their organizations’ security policies.
Those findings confirmed the conclusions of a survey done earlier in the year by Ponemon Institute and Trend Micro, which found that not only were employees the top cause of data breaches, but that in only 19 percent of cases did the employees self-report the incident – perhaps because they didn’t even realize it had occurred. Ponemon’s most recent annual study on the cost of data breaches puts the average cost of a data breach to an organization at $5.5 million; while this is down from a high of $7.7 million the previous year, it’s still a substantial amount of money. Of course, it’s not always possible to accurately estimate the monetary cost of such intangibles as loss of goodwill, damage to reputation and potential business that might be lost if the data breach becomes public knowledge.
If employees are causing data breaches because they don’t know the company’s policies or don’t understand how to implement safe practices, then it makes sense to take steps to educate them.
Implementing a security awareness program
Once you’ve decided to implement a security awareness training program, there are many decisions to be made. There is no “one size fits all” solution; the right choices are dependent on many factors, including:
- The number of computer users in your organization
- The computer skill level and existing security knowledge levels of your users
- The type and sensitivity of the data that your workers handle
- Your existing use policies (Are workers allowed to use work computers for personal web surfing, emailing, etc. during breaks/lunch? Are workers allowed to connect their own devices to the company network? Are workers allowed to install applications, run web technologies such as Java, ActiveX, Flash, etc.?)
- Legal or industry mandates that apply to your organization
- Skill level and workloads of in-house security personnel
You might think that a small company that doesn’t handle any super-sensitive information and isn’t in a regulated industry doesn’t need much in the way of security awareness training, but in fact, security isn’t just about protecting company secrets or clients’ personal info. Employees’ careless or inadvertent security faux pas can leave your network open to attacks that bring it down for hours or even days. That can interfere with the ability of employees to get their work done and make it difficult for your customers (or potential new customers) to contact you.
Because small businesses often operate on thinner margins and don’t have the cash reserves or borrowing power to hold them over during a network outage as a large corporation might, doing everything possible to ensure that your employees know how to help keep your network and systems safe can be even more important for the “little guys.”
There’s a difference between implementing a security awareness program “just so you can say you did” and implementing an effective security awareness program that’s tailored to meet the unique needs of your organization.
Just as a single training curriculum can’t effectively address the needs of every company, neither can the exact same material best provide the training needed by different workers within an organization, unless the org is very small and all the workers’ jobs and backgrounds are very similar. That’s why NIST bases its training standards on a role-based model. While there will be basic security awareness information that is applicable to all employees and contractors who interact with the computer systems in your organization, you should go beyond that and provide training that is relevant and specific to each worker’s or group’s existing knowledge and skills, to the tasks they perform and to the data they handle.
Your goal should be to take workers beyond the level of mere awareness of security issues, and actually educate them in how to assess the security implications of various situations and how to apply security best practices as they perform their job duties on a daily basis.
DIY or not?
One of the first decisions that will need to be made before you actually deploy a security awareness program is who will develop and deliver the training. Specifically, will it be developed and delivered by internal company personnel (and if so, will it be done by the IT department, the HR department, or someone else?) or will your organization contract with a company that specializes in such training? There are advantages and disadvantages both ways.
By doing it yourself, you may (or may not) save money. When looking at it from a cost standpoint, it’s important to consider not just the time that will be spent actually delivering the course(s) but also the time spent to develop the curriculum, to put together training aids and to prepare for the course. Instructors often expend as many or more hours outside the classroom as in. What is the hourly value of the time at the pay grade of the employees who will be doing this extra work?
Going with a training company may allow you to benefit from economies of scale; the curriculum will likely already be developed and in place and the development costs are spread among many clients. This also means you will probably be able to put the training program in place much more quickly. However, it may also mean that the training is more of a “canned” package that’s not specifically tailored to your company and the individuals who work there.
In some cases, workers may be more receptive to training from someone who is “one of us,” because there’s a sense that they understand the unique challenges of working for your org. In other cases, they may have more respect and be more likely to give credence to training from an outsider who is seen as more of an “expert” in the topic. You’ll have to evaluate the attitudes of the people in your organization.
If you’re considering the DIY approach, it’s important to think about not just which department but which individuals in that department will be doing the training. Some people are very knowledgeable about a topic but are not good at conveying that knowledge to others, so ensure you have staff members who are experienced and competent teachers. This can be a stumbling block for a small company with limited personnel resources to draw on. Even if you do have qualified instructors on the job, do they have the time to devote to this effort along with whatever other job duties they may have? An instructor who is overloaded and/or just doesn’t want to be there is almost worse than an inexperienced and untrained one.
Which choice you make will determine what your next steps should be.
In Part 1 of this series on implementing a security awareness and training program for your users, we emphasized why such a program is necessary and important in the first place, factors to consider when deciding on an implementation model, and specifically how to decide whether to do it as an in-house project or contract with an outside training company.
In the next installment, we’ll be diving into specifics regarding how to develop your own program, and then we’ll talk about some tips to help you get the most out of contracting with a training company. See you next time! – Deb.