Improving Your Security Awareness Training and Testing Programs

Kyle Daun
Nov 20, 2019 1:00:00 PM

For the past 3 years that I’ve worked at Compass IT Compliance, I’ve had the opportunity to travel the country and meet with various clients ranging from small businesses with fewer than 10 people to organizations with offices around the world. The main constant that I have noticed with all these organizations is that they want to provide the best services and products to their customers while keeping their information protected. Several frameworks outline and mention the need for a security awareness training program; however, there is no specific guidance on how that can be achieved. I have seen organizations with robust programs that incorporate all facets of the organization, while others are looking for advice on what a good security awareness program should be.

As an auditor, I must determine if employees have indeed received the training, understand and adhere to the content, and if this is sufficient for their role within the organization. Some organizations feel that a 30-minute PowerPoint presentation distributed once a year is sufficient, while others have implemented simulated phishing and vishing attacks, social engineering attacks, and weekly to monthly security roll-ups, just to name a few. A security awareness program is just that: a program. This should not be considered an annual requirement that needs to be completed to check a block for an assessment or audit; rather, it should be an ongoing event that is part of the organization’s culture.

An example that I reference often is the WWII-era phrase: “Loose lips sink ships”. This phrase was used on WWII US posters and PSAs explaining the importance of avoiding careless or unguarded talk. Informational posters, some serious and some funny, hung up in common areas where employees will see them can enhance users’ security awareness. When a user encounters a situation that may breach security, they may be more likely to remember the funny posters in the break room warning them of suspicious activities, as opposed to a PowerPoint presentation that was given 9 months ago. Any visual aids used should be changed out periodically so that they stay relevant and don’t become something in the background that is ignored after a few weeks.

Another tool that can be used to improve a security awareness program is user testing. This can be accomplished by sending simulated phishing emails that test users’ knowledge and provide management with data on which employees pose more of a risk compared to others. Many phishing simulation programs are set up so that if a user clicks on a simulated phishing email and provides confidential information, additional training is then triggered for those users that explains why their actions could put the organization at risk. Management should also consider plans of action for users who are failing the simulations repeatedly, as one of two things is occurring:

  1. The user doesn’t care and will click on and go to whatever links they want; this is the most serious violation and should be dealt with swiftly.
  2. The user can’t or doesn’t recognize the warning signs of a phishing email and doesn’t know or understand how to follow organizational procedures for reporting or identifying suspected emails.
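To show how simulation results can feed the follow-up described above, here is an added example (not code from this post or from Compass IT Compliance) that scores constructed campaign results per user, separates a single failure (automatic training) from repeat failures (management review), and notes who has never used the reporting procedure. The field names, the sample rows and the failure threshold are assumptions.

```python
"""Score simulated-phishing campaign results per user and flag repeat failures.

Constructed example; field names and thresholds are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample results, one row per (user, campaign):
# clicked = followed the simulated link, submitted = entered data on the landing
# page, reported = used the organization's report-phishing procedure.
SAMPLE_RESULTS = [
    {"user": "alice", "campaign": 1, "clicked": False, "submitted": False, "reported": True},
    {"user": "alice", "campaign": 2, "clicked": False, "submitted": False, "reported": True},
    {"user": "bob",   "campaign": 1, "clicked": True,  "submitted": True,  "reported": False},
    {"user": "bob",   "campaign": 2, "clicked": True,  "submitted": False, "reported": False},
    {"user": "bob",   "campaign": 3, "clicked": True,  "submitted": True,  "reported": False},
    {"user": "carol", "campaign": 1, "clicked": True,  "submitted": False, "reported": True},
    {"user": "carol", "campaign": 2, "clicked": False, "submitted": False, "reported": False},
    {"user": "carol", "campaign": 3, "clicked": False, "submitted": False, "reported": True},
]

REPEAT_FAILURE_THRESHOLD = 2  # assumed: failures at which management follow-up starts


def summarize(results):
    """Per-user counts; a failure is any campaign where the user clicked or submitted."""
    summary = defaultdict(lambda: {"campaigns": 0, "failures": 0, "reported": 0})
    for row in results:
        s = summary[row["user"]]
        s["campaigns"] += 1
        if row["clicked"] or row["submitted"]:
            s["failures"] += 1
        if row["reported"]:
            s["reported"] += 1
    return dict(summary)


def classify(results, threshold=REPEAT_FAILURE_THRESHOLD):
    """Map each user to an action ('none', 'training' for a single failure,
    'management_review' for repeat failures) plus whether they never reported."""
    actions = {}
    for user, s in summarize(results).items():
        if s["failures"] == 0:
            action = "none"
        elif s["failures"] < threshold:
            action = "training"
        else:
            action = "management_review"
        actions[user] = {"action": action, "never_reported": s["reported"] == 0}
    return actions


if __name__ == "__main__":
    for user, outcome in sorted(classify(SAMPLE_RESULTS).items()):
        print(f"{user}: {outcome['action']}, never_reported={outcome['never_reported']}")
```

A user who is flagged for management review and has never reported a simulation is the second case above and needs reporting-procedure training before any stronger action.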

While these are only two examples of how to improve a security awareness program, your imagination is the limit. All organizations have budgetary restrictions for projects, and the goal is to stay under or within those constraints. The focus of any security awareness program should be for employees to be knowledgeable and well trained to combat the strategies malicious actors will use to gain access to and compromise data or systems in the organization. Your users are an integral part of the security of your organization and should be equipped to thwart any attacks that they may be presented with.

Compass IT Compliance has been assisting organizations of all sizes in establishing or improving training programs and simulated attacks for nearly a decade now. Our security awareness training courses can be administered online or onsite. We can simulate phishing email attacks as well as phone call vishing attacks, and we also specialize in onsite social engineering assessments to put your physical security to the test. Contact us today to learn more!
