Once upon a time, I believed that security awareness trainings were simply boring computer-based training videos that compliance requirements forced upon companies. You’d simply “next, next, next” your way through and learn nothing of value. However, in my current role I am directly responsible for developing the security program for my company and, with a small team, I’ve realized how important it is to build a security culture to move my initiatives forward. To that end, security awareness trainings (if done properly) can be an effective method for educating employees and developing a security culture.
Given that I actually want people to learn about security and help me achieve my security goals, I set out to create an engaging and entertaining training. Having done these for over a year now, I’ve found that people generally just aren’t knowledgeable about security and if you show them how it applies to their everyday lives and how to do things in a more secure manner, they become far more interested and engaged.
So here’s what I think makes for an effective security awareness training.
- Deliver it live and in-person. Granted, this isn’t always possible, especially if you work for a large, geographically spread-out company. But if you can do this, I highly recommend it. We as security professionals don’t like sitting through computer-based trainings or vendor-purchased cookie-cutter security programs, so what makes us think our coworkers would enjoy them any better? Doing it live puts a face to your company’s security program and allows for back-and-forth discussion and a chance for people to ask questions. These are good things, I promise.
- Make it an integral part of new hire orientation. Making this part of a new hire’s first day tells each new employee that your company takes security seriously and ultimately helps to build a culture of security. Work with your HR department and explain why this is critical. You’ll likely be able to lean on any compliance controls you may be required to follow (SOX, PCI, etc.) that mandate some kind of security training for new employees.
- Introduce the Security Team. Explain the purpose of the team and why the team exists. I tell everyone that our team’s goal is to protect the company’s assets to enable the business to succeed. That’s easily understandable and free of any technical jargon or fancy language. It also ties it back to the business and its overall goal of wanting to succeed to increase profits. If the team is small enough, mention names and roles. If it’s large, outline the roles at a high level.
- Explain why security matters. Give examples and then give more examples. Talk about breaches and malware that’s been in the news. In my training, I do this and cover interesting statistics and trends that have been reported by reputable security sources. These include how long an attacker goes undetected on average and how often a weak password leads to compromise. These statistics combined with my own commentary illustrate how security is critical to any business and that the struggle is in fact real.
- Discuss why someone would target your company. If your company generates any kind of revenue or holds valuable assets and information, you can be certain that someone will target it. Think about what your company does and what would be of most interest to an attacker. I tell people that our company’s assets include our people, products, money, data, and brand reputation. Each of these would be impacted by a security breach.
The best way to drive this point home is by sharing a past security incident that occurred at your company to show that the company has already been successfully compromised. Naturally, you should obtain the approval of your executive and legal teams prior to sharing this type of information. One type of incident that most companies are comfortable sharing is a successful phishing scam, since phishing is a common type of attack that most people have already experienced both in business and in their personal lives.
- Present the safeguards in place and provide actionable steps to secure company assets. You’ve worked hard to implement some amazing security technologies and controls. While not everyone will understand (or care about) each of these, highlight the more user-facing ones. In my training, I discuss the importance of patching and the periodic prompts to install updates, the convenience of our single sign-on solution, how to create strong passwords using passphrases, how to securely access mobile email through our MDM solution, the importance of using our secure file storage and sharing solution, and how to quickly lock their screen to limit unauthorized access. These are all relevant and actionable steps that end users can take to secure valuable company assets.
- Most importantly, engage people and include them as part of the Security Team. Present the material in an engaging manner. While security is a serious topic, that doesn’t mean it has to be dry. Use humor, tell stories, answer questions. And always with a smile, even if HR scheduled you to talk at 8 AM at the last minute. 😛 Easier said than done, sure, but this goes a long, long way toward keeping people interested in what is otherwise a typically bland topic for most.
Finish by telling them that they’re not only part of their respective department/team but now that they’ve taken your training, they’re also part of the Security Team. Explain that you can’t secure everything on your own and that you need everyone’s help to prevent and respond to security incidents. Reiterate that security is not just one team’s responsibility, but in fact, everyone’s responsibility.
I’ve applied these methods for over a year in my own trainings and I’ve seen people engage my team in ways I never experienced in previous roles. People ask for our opinions on security regarding technologies and processes, and they actively report suspicious activity, be it strange emails or abnormal computer behavior. We’ve been told by others that they support security and are grateful for the efforts of my team.
This is truly amazing, and I have no doubt that these 30-45 minute trainings that I deliver a few times each month have played a significant part in this. You may think you’re a 1337 haxx0r that can defend your company’s network on your own, but you’re fooling yourself if you do. You may be the security expert and all-around technical wizard, but if people don’t value security or understand what security’s purpose is, your own people will continue to be your biggest security hole. Why not spend the time and effort to flip that around and make them one of security’s biggest assets?