Designing an Effective Information Security Training

The most vulnerable asset in any company isn't the network or the application – it is the people. People, being the imperfect beings we are, forget passwords, forget to lock computers, and fall victim to social engineering attacks. Studies repeatedly show that adults willingly open malicious emails, give away personal information over the phone, and hand attackers enough information to breach their company's network. This is why IT auditors (should) care so much about policies, procedures, and training.

Note: Check out our free Information Security Training here.

Video: John McAfee explains how social engineering likely led to the Sony breach.

Training is Serious Business

From my experience, most companies take a lighthearted approach to information security training – usually in the form of online training (or even a SurveyMonkey quiz). In general, these methods "check the box" but do little to give employees the tools to defend themselves against hackers and phishing scams.

The most effective training sessions are typically in person, show real-world examples, give clear and concise guidance (like our previous post on strong vs. weak passwords), provide a demonstration (often by social engineering the group in real time), and clearly communicate the consequences of violations.

Further, if an organization wishes to be truly proactive, it should create a culture of security. This is where the internal auditor can get creative: helping management identify areas that could be improved and finding ways to incentivize employees to take ownership of their responsibility for a secure workplace.

These are the types of value-add suggestions a consultant or auditor can give to clients.

IT Audit Considerations

Training Controls:

1. Employees complete information security training on a semi-annual basis. Upon completion, employees sign the Information Security Agreement indicating that they have received the training and agree to abide by the company's policies.

What to look for in Good IT Security Training:

1. The training should cover technical topics like social engineering, phishing, and spam by explaining to employees how to spot scams and what actions to take when they do.
2. It should cover office etiquette, including the clean desk policy, disposal of paperwork, and the rules on revealing sensitive data.
3. It should include recent trends and real-world incidents like the Target, Sony, and Home Depot data breaches to give context to the real-world implications of information security.
4. It should include details on how to report a security breach to management (a hotline, online form, or IT representative's email).
5. It should cover details regarding technical communications, including email, file transfer methods, etc.
6. It should cover best practices around online privacy, including the use of social media and blogging.
7. The training should cover the company's major information security policies and where to find them (e.g., data classification policy, email use policy, physical security policy, access policy, etc.).
8. If possible, the training should include live demonstrations that make a lasting impact on the participants (e.g., real-time social engineering, phishing emails, etc.).
9. The training should cover physical security safeguards, including how to report suspicious activity and how to protect hardware (like laptops and cell phones).
10. The training should include the consequences (to the employee and the company) of failing to follow information security policies.

Any suggestions on making policies and training more effective?
