Are your employees trained on how to keep data safe? Information security and privacy rely on employees taking the right actions to safeguard this valuable asset. An awareness training program may be just what your company needs to tighten its security and privacy strategy.
In fact, clearly communicating your security policies and training your employees are among the most effective security controls that you can implement.
What is the least bang-for-your-buck security control that you see implemented?
“Training. Investing in your people will always beat your tools. It is a common misconception that you can buy your way secure. As you can see from common statistics, that idea isn’t working so well. There is nothing on this planet that can beat a dedicated and educated member of the team.”
– Chris Nickerson, a co-founder of Lares with 20 years of experience in the infosec space, as quoted in the book Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity
However, not all awareness training programs are created equal! There are many different approaches and philosophies out there. Those can be more or less appropriate depending on your specific circumstances. Read on to discover what to consider when creating a security and privacy awareness training program to adequately cover all of your company’s needs.
A strong security and privacy awareness training program will go a long way to supporting policies or wider strategies for keeping your company’s sensitive information safe. Training is also a topic that customers frequently ask about during vendor security assessments.
The best training programs consider your industry, business specifics and employee demographics, then craft a customized program around each of these features. Before you roll out a training program to your employees, consider:
Security and privacy mean different things in different industries. While every industry handles data and sensitive information, there might be different best practices around how these assets are handled. Therefore, develop an awareness training program that considers industry-specific influences such as:
Although business concepts are fundamentally the same, business operations tend to display many idiosyncratic features. You’ve spent time developing your business processes and curating the tools you need to make those processes work. Likewise, your business will have specific needs and priorities that security training must address. For example, consider:
Best practices are only effective if they’re actually practiced – employees need to be able to carry them out. Take into account your employees’ skills, limitations, and work environment. Often, best practices get sidelined for several reasons:
Considering your industry, business, and employees will give you a framework for your security and privacy awareness training program. If you use an information security management platform like Securicy, you may have access to security awareness training courses already. However, to maximize its success, there are a few other things you should do.
Why should employees care about adopting best practices? Make sure to answer this question instead of simply instructing employees to undertake new processes or behaviors. Doing so creates a space for conversation, thereby encouraging engagement.
If you’re adopting new security and privacy policies due to legal compliance requirements, it might be tempting to take up the jargon associated with the law. However, doing so might alienate and confuse people. Instead, explain things like compliance or security best practices in plain English, and define any concepts that cannot be efficiently communicated without using technical terms.
Keep your training program action-oriented, focusing on what you need your employees to do. Don’t bog them down with background information, unnecessary details, or tedious philosophy lectures. Likewise, capitalize on employee attention spans by keeping the training short – certainly no longer than 25 minutes.
Information security and privacy concern all levels of the company. Include everyone, especially senior management. This sends a strong message that the company is committed to developing a culture of security and that managers do indeed take security as seriously as employees are expected to.
Positive reinforcement goes a long way to changing behavior – research generally agrees that we prefer rewards over punishment. Therefore, consider incentivizing the adoption of new security and privacy policies by rewarding employees when you notice them following those policies. These can be small incentives, such as public recognition, or larger rewards for things like bringing a security risk to your IT department’s attention.
A security and privacy awareness training program can go a long way to making a company safer and more productive. It’s a requirement for every major framework, including CIS Controls, SOC 2, and NIST. That’s why we built security awareness training into the Securicy platform – training is a foundational part of establishing a comprehensive security program and keeping your company safe.
However, each company is unique and therefore will have unique needs to consider when developing a training program. It’s important to implement appropriate practices and training strategies to get the most out of your efforts. I hope these tips can help you get started planning and carrying out a successful company training program to keep your information safe.
Do you have the policies and awareness training you need to protect your company?