The Information Security Magic Bullet
January 13, 2015
A few years ago, I had to develop an employee security training program as part of a SAS 70 effort. I saw the process as not much more than a check-off in that process, but I did a solid job developing the training material, and presented it myself. After interacting with employees working through the classes, I became a believer in the importance of employee security training.
For those of us with any security background, this sort of training appears counter-intuitive. It seems to us to be common sense. To the average person, however, it is stuff they don't usually think about. Case in point - I was getting dressed after my 6 miles on the track at the YMCA tonight. As I was finishing, a man with his son, who appeared to be around 9, walked in from the basketball court. As the dad was opening the locker to get their coats, I heard the boy ask why he was using a combination lock rather than one with a key. The answer is pretty obvious to me - it is too hard to keep track of a key during a workout (I confess to having tried this, and lost it on more than one occasion). To a 9-year-old who had spent little time at a gym, however, this was a serious question.
I recently blogged on phishing, and cited a recent study showing that a large percentage of employees would click on a simulated phishing message. The same study showed that after employee training, the number following the illicit link was substantially reduced. There are numerous other specific deliverables, however. Another good example is what we refer to as social engineering - the idea of using non-technological means to obtain inside information as part of an attack. One of the things we train employees about is not to respond to phone calls requesting system information. An example is someone calling an employee, claiming to be from the IT department, and requesting their password to fix a "problem". Again, this may seem obvious, but it is not to many people. I have had employees give their password to auditors claiming to be from the IT department, so it is a real problem.
Thus, the magic bullet of Information Security is employee training. Employees are the weak link in any information security plan. There are reports that the recent Sony hack may have begun with a stolen password. The good news is that training is relatively easy and cheap.
Hopefully, I have convinced any who don't do this of the importance of it, and I therefore assume you are beginning to work on it as we speak. To help you in your planning, here are some suggestions:
Do not assume that your employees know anything, or that any actions are "common sense". Like the 9-year-old who did not know the reason for the combination lock, your employees may not understand the basics.
Refresh it at least yearly. It is easy for anyone to forget what they learned. Make sure to update the contents with changes that happen in the industry from year to year.
Keep it brief. I have never found the need to exceed one hour of live training.
Keep it lighthearted. A bit of humor goes a long way in making the mundane more interesting. Good humor is even better!
Bring food. In the words of a famous song, "just a spoonful of sugar helps the medicine go down." A nice pastry tray is inexpensive relative to the cost of maintaining information security (and don't forget us "health nuts").
Involve the employees. Just like when we were in school, class participation drives engagement.
Bring door prizes. I always found that a random drawing for a few nice prizes helps build enthusiasm.
Make sure they have ownership. It should be clear that security breaches can jeopardize the company, which can impact their employment.
Do a brief post-test. This is a good way to measure the effectiveness of the training.
Did I mention food?
There are a variety of options for conducting training. I have always found live training to be the best approach. If you are not comfortable with developing and presenting a program, there are many consultants who will customize and present a program for you (we offer a customized training program at a very affordable price). For companies with many remote employees, another option is online training. There are generic online options available, although they are not as good as a customized approach. Finally, it can be done via written documentation, although I have found that a relatively small number of people will actually read and absorb such material.
I hope the above has convinced you to make employee training part of your information security arsenal. If not, call me - we need to talk!