Security Awareness Training: Empower EmployeesPublished February 20, 2018 by Karen Walsh • 5 min read
Despite the importance of security awareness training, employees often find themselves disengaged from security practices. Training sessions or webinars provide information, but your employees may feel as though security represents an intangible issue that only adds to their work burden. Unfortunately, these same employees find themselves placing not only your organization but their homes and families at risk for data breaches.
Why are security awareness training and education essential?
The information security program approved by your Security Committee should incorporate security training provisions. People constitute the foundation of any organization. The adage that knowledge is power holds true in information security. When people learn awareness, they not only protect themselves better but also your company.
Ransomware attacks such as WannaCry ran rampant in 2017’s news creating near hysteria across industries. Providing employees with security awareness resources, therefore, acts as the lynchpin of your overarching enterprise security management program.
What regulations and standards require a security awareness training policy?
Several regulations incorporate security awareness training requirements. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that all workforce members complete training on the organization’s policies and procedures regarding personal health information (PHI). The Gramm-Leach-Bliley Act (GLBA) requires training to ensure that employees can recognize and respond to fraud and identity theft attempts such as pretext calling. The Federal Information Security Management Act (FISMA) requires training such that employees, contractors, and anyone using information systems to support the agency should understand security risks and employee responsibility.
Additionally, several industry standards incorporate security awareness training. The Payment Card Industry Security Data Standard (PCI DSS) requires formal training programs so that personnel understand the importance of cardholder data. This requirement includes initial and annual training. ISO/IEC 27002 also provides guidance that incorporates a requirement regarding employee data security awareness training. Finally, NIST Special Publication 800-53, a security standard used by federal agencies, incorporates training that teaches the fundamentals to maintain security and respond to incidents.
What are the primary security awareness training topics?
The basic premises of Information-Availability-Confidentiality (CIA) underlie security awareness training.
First, employees need to understand that information includes data and records stored in databases and computer systems. Information security means protecting that information so that no one can make changes. An easy example of data integrity would be Ferris Bueller changing his grades from F’s to A’s. While this sort of data manipulation amuses movie audiences, it can cause financial heartbreak for corporations.
Once your training has explained the definition of information and the value of protecting it, you need to ensure that employees understand the importance of availability. Availability in the security arena means providing information, system, and cloud access only to those individuals who need to use the data and keeping data systems running.
Finally, your training should incorporate a discussion of confidentiality. This tenet overlaps with access by restricting availability to a “need to know” basis not only by providing appropriate authorization levels but also by remembering not to share information with others in the organization.
What is customer data?
Customer data falls into two categories. Public information, such as a person’s first and last name, needs to be protected differently from private information such as a person’s social security number or health insurance number. An address, however, may be either public or private depending on how the customer presents the information to others.
Business sensitive information, while not personally identifying, also counts as protected customer data. When organizations choose to keep something private, the companies with whom they share that data need to secure it in a parallel fashion.
Security awareness training teaches employees not only the function but the value of software access controls. If one member of a sales team shares information about prospective customer seeking fedRAMP certification to a friend whose potential client is a competitor, that information breach can put the first company at competitive risk. If that potential customer finds out about the information sharing, they may choose not to buy your service. This business loss may lead to a lost bonus, as well as lost corporate revenue. Making security awareness personal drives home its importance.
What is social engineering?
Security awareness training needs to focus on the human element.
Social engineering exploits human weakness. People want to help others and comply with requests. Social engineering scams, such as eavesdropping or malware, prey upon this natural desire.
In one story, a penetration tester used publicly available information about employees and the company to gain access to secured locations by pretending to be an interior designer and a pregnant woman. Kind people want to help. Malicious attackers wish to use that kindness against them.
Additionally, people worry about their information but are not always savvy. This is how phishing scams work. A hacker sends information that looks worrisome. For example, during tax season, people constantly worry that they will do something wrong and the IRS will audit them. Phishing attacks prey on the underlying fears and either call or email people saying that the government is about to sue.
Security awareness training means helping employees learn to take a moment to stop, think, and review. Something can sound amazing or awful, but both extremes tend to be unlikely. To keep your workplace safe, employees need to stop and think before acting, whether based on good intentions or fears.
How to empower employees with security awareness training?
Security awareness training often relies on instilling the fear of consequences in people. For example, almost every iteration impresses upon listeners the high dollars spent to react to a breach or the loss of business incurred by a hacker exploiting a weakness.
Education can empower your employees rather than scare them.
Employees Control Their Passwords
Slowly, the information security community is embracing the value of passphrases rather than passwords. Instead of a jumble of letters, numbers, and symbols, security experts now suggest phrases that the individual can remember. Since the human mind still cannot be cracked by coders easily, these personally relevant passphrases make it more difficult for algorithms to break into the accounts.
Additionally, employees need to be encouraged and reminded to use multifactor authentication. Whether you require a code sent to a mobile device or a biometric, your organization should be incorporating the importance of multifactor authentication as an easy-to-use security measure.
Employees Control Their Email Security
Not every email can be encrypted. Employees sometimes need the gentle reminder that information sent unencrypted can be intercepted. Sending attachments that have sensitive information risks that data’s safety. Security awareness training needs to empower employees so that they realize they can protect their interests as well as their clients’ interests. For example, if an employee would openly send their social security number in an unencrypted email, they may not recognize the danger.
Everyone uses email for personal and professional reasons. Reminding employees of personal safety concerns helps them remember the professional responsibilities as well.
Employees Control Their Browsing Practices
The internet may be a magical place of information, but it can also be a dangerous place for trolling. Employees know that when something looks sketchy, it is not work-appropriate. However, phishing scams make websites that look official and trick people.
Make sure employees understand that they can check the email address hidden underneath a sender’s name. That email from Amazon may be something with an @marketingsnrs.com behind it. Also, remind employees that they have the power to see the links embedded in hyperlinks without clicking through to a corporate website. That Bank of America link in that email may lead to something that says www.bankofamerica.login.com or www.bnakofamerica.com. These small changes are the sign of hackers attempting to install malware on your systems.
Whether you choose to purchase a security awareness training course or create an in-house security awareness training module, teaching employees to protect themselves and empowering them is one of the best ways to ensure that they remain aware of security.