Elements of Quality Security and Privacy Awareness Training

Patrick Hughes
Sep 3, 2020 3:00:00 PM

As information technology professionals, we often hear the term security awareness training. Most organizations know they need to conduct continuous security awareness training, whether the goal is to check a box for a framework or regulation they must adhere to, or they genuinely want to become more aware of their security risks. However, organizations often distribute a PowerPoint presentation that no one really reads, or, worse, throw it up on the big screen during lunch when no one is paying attention. Security and privacy awareness training can and should be engaging for the people going through it. What format should the training be delivered in? What elements are necessary to include? Should there be a test or quiz afterwards? How often should it be performed? We will get to all of those questions shortly.

First, I would like to stress the importance of quality security awareness training by pointing out that the majority of security breaches are a direct result of a mistake made by an employee who was unaware of the error at the time. This may include clicking on a phishing link, giving out information over the phone that they should not have, or having their passwords compromised. An organization's greatest defense against security threats is its employees. Your company can have the best, most expensive security controls in the world, but if your employees are not trained properly, they will continue to pose the greatest security risk to your company.

What should your security and privacy awareness training look like?

The actual format of the training itself does not matter as much; the focus is on making sure it is engaging. You can administer training in person, virtually, via PowerPoint, or through a variety of other tools built for these types of trainings. My primary recommendation is to make sure there is a way to easily track which employees have completed the training. When it comes to the actual contents of the training, there are a couple of key items that should always be included. You will also want to add relevant information and examples that reflect today's threat landscape. The world of technology is always changing, and with that come new threats every day. It is important to stay on top of potential new threats and include them in your training. As for elements that should always be included, I recommend starting with the big three: confidentiality, integrity, and availability of data. Confidentiality is protecting information from unauthorized access and disclosure. Integrity is protecting information from unauthorized modification. Availability is preventing disruption in how information is accessed. Understanding those three elements helps employees understand what they are protecting and how they are protecting it.

Next, I recommend talking about the most common security threats. These may include phishing attacks, ransomware, imposter scams (social engineering), and so on. It is great to include real-world examples of recent security incidents, such as a recent ransomware attack at another organization and what led to it. Every security awareness training should include some information about password security and best practices for passwords (do not share them, do not write them down on a sticky note, etc.). Finally, I would include anything relevant to your business model. Depending on what your organization does, this can vary drastically.

Tying it all together

So, you have delivered your new and improved security and privacy awareness training to all employees; now what? A short quiz on a couple of relevant questions to make sure employees fully understand the key concepts can be a great idea. Be sure that you are keeping track of the people who have completed the training. I always recommend performing security and privacy awareness training at least annually and upon new hire for ALL employees. Employees do not need to be experts on security, but having a workforce that is aware and better equipped to recognize a threat could save your organization thousands to millions of dollars in the long run. Knowledge is power, and in the ever-evolving world we live in, it is important to keep your organization up to date on relevant threats. Contact us today for more information or assistance with establishing or enhancing a security and privacy awareness training program!
