Security Awareness Training Program
Awareness of Security concepts at all levels of the organization is imperative in today’s world. Because of that, a Security Awareness & Training Program is one of the most impactful components of an operating Security Program.
Whether the individual is an end user, a system administrator, or the C-Level Security Representative, every person is targeted for what they can provide to an active attacker. So, Security Awareness & Training Programs are most effective with a certain degree of tailoring to the organization they support.
Role-specific Security Training
It is safe to say that all users need to understand the concepts behind current phishing and water-holing techniques. Each role carries with it certain security responsibilities, and each individual needs to understand the security responsibilities associated with their own roles.
End User Awareness Training
End user training should cover basic topics in such a way that all computer users can understand. This group covers the largest ground, so inherently has the largest attack surface.
End User Awareness training should cover topics like:
- Malware basics
- Phishing techniques & what to look for
- Protecting sensitive information (from a user perspective)
- Protecting (and being protected from) removable media
- Protecting mobile devices
- Password & Authentication requirements
- Safe web browsing & Social Media habits
- Personal Device Maintenance (including patching responsibilities, etc…)
IT Professionals & Sys Admins
IT professionals tend to have elevated levels of privilege that are much higher than standard users. If lost, Administrative credentials could cost an organization everything.
In addition to protecting privileged accounts, IT professionals configure software, hardware, and other system components as well as maintain patch levels on those system components. They also handle the day to day system backups, support calls, etc….
Awareness Training for IT Professionals should cover topics like:
- Least Privilege & separation of duties
- Configuration Management including the application of security baselines
- Vulnerability & Patch management
- Their role in the agency Incident Response Plan & Capability
- Organizational Contingency Plan expectations and objectives
Security Professionals
Security Professionals have to train constantly. The IT industry changes every day, and the security landscape is no different – worse in some aspects. So, security professionals have to maintain awareness of new threats, new technologies (and their proper/best practice deployments), updates on security frameworks, recent vulnerabilities, and more in near real time.
Training for Security Professionals should cover topics like:
- Risk Management
- Security Assessments
- Vulnerabilities & their exploits
- Tactics, Techniques, & Practices of threat actors
- Security log Analysis
- Incident Response
Learning Management Systems & Content
The presentation of the awareness materials and the content itself is paramount to the success of the program. Many tools and content providers exist that can help make this happen.
Learning Management Systems
LMS’s can be free/open-source or paid for, and they help the agency manage the Security Awareness program by presenting the content to the users in a role-based fashion. Many LMS’s track and report user progress to assist in agency-wide distribution of awareness content.
Content
There are endless content providers for Security Awareness training materials. Some are free, some are not. However, the important thing is for the content to be effective. Even if training incurs a cost, the result can be a properly trained staff that can recognize an attack before it’s effective.
Accountability
Measures of success are different for various entities. A successful end user awareness training program might manifest itself in the CISO hearing “I didn’t know this…” from an end user.
However, depending on the criticality of your organization’s information or systems, stronger methods might be required. Training reports that are generated during training campaigns can help make leadership aware of individuals that are falling behind in their training. In many instances, the user’s access to organizational systems is tied to their completed Security Awareness Training. In other words, if you don’t train, your access gets shut off.
Negative reinforcement only goes so far though – a truly successful Security Awareness Training Program is one that is supported top-level leadership. If the CEO shows support by completing his or her training in the first week of the training campaign, others will follow suit.
Conclusion
Security Awareness carries different weights and needs depending on an individual’s role within the organization. Whether the individual likes it or not, they are involved in this day to day battle of protecting the organization again malicious actors. Making individuals aware of the techniques that could be used against them provides a first line of defense to the most targeted resource in the industry: people.