Employee Security Training: Beyond Check Boxes
Do you see pieces of paper in your organization with usernames or passwords?
Do you see employee desks with customer-sensitive files and data lying on them with no one around?
Do you see employee trashcans containing sensitive customer information?
Do you see employees opening an email from someone they don't know?
Do you see employees downloading files without proper authorization?
And the list continues...
In last year's CompTIA information security study, 59% of the organizations surveyed indicated that their latest security breaches were the result of human error alone. That is up from 47% in 2005. Despite such statistics, many companies fail to do enough to educate their employees. We need to get out of the cookie-cutter training mindset, think beyond check boxes and posters, and take security training more seriously!
Security professionals and senior management, including CISOs and CIOs, are faced with ever-increasing levels of complexity in managing the security of their organizations and in preventing attacks that are increasingly sophisticated. As individuals we are subjected to enormous amounts of information across broad ranges of subjects, including security policies; new technologies, patches and threats; and new sources of information. As the environment continues to become more dynamic, the process of making good security decisions based on a sound information security training program is becoming more and more challenging.
The answer lies in creating a security-aware culture in our organizations, where employees go through in-depth security training which adds value to their everyday security practice and makes them more aware of information security in a much broader sense.
Every employee at an organization must go through a well-defined and detailed security course on a regular basis so that learning is continuous. We can no longer afford to let security become an "out of sight, out of mind" issue. We need to stress that training must be constant and varied.
Here are a few security training initiatives that will help engage employees at any organization and add to the overall effectiveness of a good security training program:
- Organizations should start sending employee newsletters with tips that alert them to the latest security news, scams and viruses or any other relevant content on a regular basis.
- Companies should also make it a point to send friendly email and voice mail alerts on a regular basis to employees to reinforce security best practices.
- Companies should host classroom training sessions every month or quarter to cover significant security topics and share information on real-life incidents and security breaches occurring within the industry, to make the training more engaging for employees.
- Companies can display security-related tips and reminders, like "Company data is confidential information" or "Is your desktop password protected?", as part of employees' screensavers.
- Organizations can implement a "Breaking News" program where the first employee to bring in a news story on IT security gets a prize.
- Companies can implement a fun Web-based training method to educate employees on security topics and use online quizzes to test their knowledge.
- Companies can also host live game shows based on "Jeopardy" or "Who Wants to Be a Millionaire" and have employees participate by answering questions on security-related issues and topics.