Notorious hackers are mounting increasingly sophisticated attacks. With social engineering and phishing emails proliferating every day, a strong and robust security awareness program is of paramount importance for securing a company's assets.
Employees are the key enablers of the business, but one should be mindful that they also possess access to the company's classified information. Hence it is essential to train employees in security awareness.
Security awareness training should be given to all employees to make them aware of their responsibility for securing the company's vital information.
No one can argue against the importance of security training; ironically, however, in most companies the security training program is atrocious. Traditionally, security training is seen as merely a ritual performed for compliance with regulations or for retaining a certification. Often the security training program is overlooked and deprioritized.
Here are a few of the reasons why security training programs fail, along with remediation actions.
- Tone at the Top counts
C-level executives should be educated and informed about the importance of security training. Employees are the key enablers of the business, but at the same time they are the weakest link. Employees have access to the company's applications, customer personal information, credit card information and so on. For example, an IT administrator has access to key company secrets stored in the database, and security guards have access to the server room or to the fire safe where important information is kept. Hence management's tone at the top should be conducive to security training, as it is important not only to comply with regulations but also to safeguard and protect the company's assets.
- One size never fits all
Security training programs are often archaic and improperly designed. Training materials are often common across the board; there is frequently no difference between the training taken by a software developer and that taken by a back-office employee.
One size will never fit all; hence security practitioners should tailor security training to the business needs. The program should be meticulously designed for a diverse audience. For example, an employee working in the credit card division should be educated on securing credit card information, whereas an employee from software development should be made cognizant of the importance of securing the code, and the security guard force should be made aware of the importance of securing the perimeter and controlling access to key access points. Security requirements should be carved out according to the role and the business requirements.
- Allocation of Budget
Budget has a great impact on designing and implementing the security training program.
Often security training has to bear the axe due to a lack of budget allotment.
To have the desired security training framework implemented, an adequate budget is a must. Integrating web-based training or holding an information security week will entail cost. Often the security training program is seen as a burden, which is why it loses its importance.
Allocating appropriate funds for the security training program is vital.
Instead of being seen as a cost, training should be seen as a strong control that can safeguard pivotal information by educating employees and creating security awareness.
A well-documented business case with a cost-benefit analysis would surely catch the eye of management and would go a long way toward getting the budget allocated.
- Motivating the employees
Often employees find no motivation in security or security training. Employees are dictated to participate in CBT training or a workshop. In addition, employees have no motivation even to report a security issue to the right authority; they are scared to report incidents and, as a consequence, overlook the incidents they encounter. As no reward is granted for participating in the training program or for reporting security issues, you will often notice employees being dormant, with no impetus to participate in security training or to report any issue. Often security training is not linked to the KRA or KPI, hence employees find no real reason to take it up.
Employee motivation is essential to getting the desired results. Employees should be motivated to take the training and should feel responsible for securing the company's assets. There are different ways to motivate employees, for example:
For every top scorer in the CBT training, a certificate of appreciation can be compiled with the photograph of the employee, as a soft copy or a hard copy, or placed on the hall of fame. Employees reporting security incidents could be felicitated with goodies or a reward during the company's annual meet. These are some cost-effective ways of delivering employee motivation.
- Lack of feedback mechanism
Most companies' security training has no integrated feedback mechanism in its framework, and hence the material or the training content often seems archaic. Regular feedback from different sets of employees from different divisions should be considered. The business requirements along with the security requirements change with time, and hence incorporating the feedback would assist the security team in improving the training. The security team should also analyze incidents at least on an annual basis; for example, if password compromise incidents have increased over the year, then the training should put more emphasis on securing passwords, and the content should be revised accordingly. Different teams like physical security, HR and operations should come together periodically and feed their feedback to the information security team for improving the security training program.
- Boring PPT / CBT
When it comes to designing and implementing security training, one tends to jump on the bandwagon by drafting a PPT or uploading a CBT on the intranet. While these are easy and cost effective, they are unattractive and barely impressive. Employees often find the CBT unimpressive, with long and boring content, and are often forced to take it up for the sake of it. Security practitioners should use innovative ways of delivering the security training program; below are a few examples.
If you are using CBT training and requiring employees to take it once every year, you may want to add some more flavor by following the examples below.
Personalizing the CBT is an interesting and fun way of delivering it. Personalize the CBT with real scenarios, real images of the company, real photographs of employees, and a script that will keep the employee engrossed. Drafting real security issues is of utmost importance. You can also produce audio and video visuals and upload them, which will give more impetus, encourage employees, and make the content stick in their memory while they take the CBT.
Conducting an information security week is a fun way of encouraging and creating awareness among users. Mugs or T-shirts printed with information security do's and don'ts would add value and create awareness. Holding an information security poster competition is a team-building exercise that adds value to the security training program.
Frequent communication is important, whether via newsletter or email bulletin, posting images of employees who reported incidents, or personalizing the communication.