Security Awareness? "Once and Done" Does Not Teach Awareness

Posted on January 23, 2014 by Christopher Burgess

A new employee shows up on day one and walks through his ID card briefing, compensation and benefits brief, and security brief, meets his new team and manager, and tries to retain all the information rushing out at him via the orientation fire hose. All boxes checked, the employee is good to go, and the security team notes that 100 percent of all new employees continue to receive security awareness training. Really? The human element side of the equation logically tells us the new employee retains the information provided at orientation which will be of highest immediate value. Does the security program's information break through the threshold of "useful"?

Does Security Awareness Training Work?

While the aforementioned security brief may be a necessary evil or an important box to check on the compliance checklist, it is also an excellent opportunity for the security team to make their first impression a good one, and drive home the point that all employees are members of the security team.

The security team needs to follow up their orientation brief in short order with the localized brief to include the direct manager. The manager's inclusion ensures personalized training. The manager is able to evolve the discussion with direct correlation to the work of the individual. For example, "The reason why we ask you not to use your personal device to access company data is..." This localization effort also permits the security awareness program to have global strategic initiatives, for example, cutting down/out tailgating into corporate buildings, but with local cultural sensitivities at play. Perhaps confronting a tailgating individual is culturally difficult: even though the "why" is clear, the "how" is ambiguous or culturally awkward.

How Do You Measure Success?

Do you measure how many laptops are lost, devices are infected, data are breached, or customers are lost? These are all valid measures of security failures. But how do you know that your employees are taking proper precautions? Cyber-security teams may use off-the-shelf test programs which salt employee email with a piece of "phish." There are also homegrown tests such as tossing a dozen USB sticks into the company parking lot and then keeping track of how many are found and if any that were found were then inserted into devices.

Valid tests will produce a measurable number—but does that number necessarily produce an actionable result? Did the test have a "right answer," such as "don't open email attachments" or "don't put a device into your machine?" If that was the metric, you had a valid test. But do tests such as these actually teach security awareness? The jury continues to be out. However, these tests aren't the only arrow in the security-awareness-training quiver.

Some believe awareness training doesn't serve to address the targeting of the individual employee by those attempting to acquire company or personal information. Invincea CEO Anup Ghosh told SecurityWeek that organizations need to "give up on the idea of training this problem away," whereas others believe that the in-the-moment training opportunity presents a wonderful opportunity for the individual user to be tested, his learning reinforced, and the test results discussed.

What Is Key?

The key to effective awareness training lies with the attendant discussions that involve the employee base. And Ghosh is right—training will not make the targeting of employees by ne'er-do-well individuals disappear. But having employees who are able to identify the efforts of malevolent individuals is an important security win. Suspicious behaviors employees should learn to recognize include an individual eliciting information at the hotel coffee shop, someone tailgating into a building, the "wayward USB stick," or the email with the bogus header—recognition of these tactics are measures of the success of the training program. This information is measurable, and gives the security team data points that their data loss prevention (DLP) efforts cannot see. If employees are reporting anomalies, the program can be considered successful.

Security awareness may not be the panacea; it is, however, the gift every company has the opportunity to give itself. Engaging your colleagues continuously and not just "once and done" moves you closer to the real goal—keeping the company's personnel and information secure.

Contributors

Christopher Burgess

, Prevendra Inc.

risk management

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.