How would you approach improving the security education training and awareness in an organization you know well (e.g. Temple as a student) but you will not name in your answer post and comments?
Yangyuan Lin says
In organizations I am familiar with, such as Temple University, I would propose sending phishing emails to students and making fraudulent calls to them. Sending phishing emails to students tests their ability to identify fraud. For students who click on the link or respond, the school can send feedback to let them know the danger of phishing emails, and at the same time it should let them know how to identify and prevent such situations and how to handle it effectively when they receive fraud. (When a person falls in a certain place, he will know that this place is dangerous and pay special attention to it.)
Students who report fraudulent calls or phishing emails can be rewarded appropriately to motivate every student. (One student's discovery of clues does not mean that every student will discover them.)
Elizabeth Gutierrez says
Hi Yangyuan,
We had similar ideas in terms of sending random “phishing” attempts to test individuals' ability to recognize scams and using the data to determine who is practicing cybersecurity. By scheduling these attempts at random intervals, you eliminate individuals' ability to predict your phishing email cadence. I also think it is important to track behavioral change over time because it can protect the organization from insider threats. The most dangerous threats to the organization are those inside the organization who have access to sensitive data and the motive of stealing and gaining financial profit.
Elizabeth Gutierrez says
To start off, in order to improve the security education, training, and awareness in an existing organization, you have to train your staff regularly, motivate management and employees, and re-examine the program's scope, goals, and maintenance. Communication would be another important factor in my approach; conversations about security would be encouraged. An initial assessment may highlight some unexpected needs and where a company should focus its resources. Next, the IT department could develop a security policy and procedures to be followed by all users and implemented by the HR team. Overall, a well-protected company will emphasize the importance of cooperation between employees and the security department. My approach would be to reinforce training on a regular basis to ensure all departments of the company are practicing the best security; training should be clear, relevant, and interactive. I may suggest scheduling phishing and social engineering simulations at random intervals to eliminate employees' ability to anticipate them, to help track behavioral change over time, and to record how many employees are practicing cybersecurity; based on the report, the organization in mind can encourage more training programs. An organization's compliance with regulations such as HIPAA and PCI DSS is necessary and can be beneficial because it helps establish best practices and processes that are required by several federal and state regulations while heightening an organization's security effectiveness.
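The two posts above both describe running phishing simulations at random intervals, feeding results back to people who click, and tracking behavioral change over time. The script below is an added illustration, not code from any commenter or from a real awareness platform: it picks campaign dates with random gaps so there is no predictable cadence, computes per-campaign click and report rates, and flags repeat clickers for follow-up training. The EVENTS rows are constructed sample data.

```python
import random
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample results from three simulated campaigns (not real data).
# Each row: (user, campaign_date, clicked_link, reported_to_security_team)
EVENTS = [
    ("alice", date(2024, 1, 10), True, False),
    ("bob",   date(2024, 1, 10), False, True),
    ("carol", date(2024, 1, 10), True, False),
    ("alice", date(2024, 3, 2), True, False),
    ("bob",   date(2024, 3, 2), False, True),
    ("carol", date(2024, 3, 2), False, True),
    ("alice", date(2024, 5, 21), False, True),
    ("bob",   date(2024, 5, 21), False, True),
    ("carol", date(2024, 5, 21), False, False),
]

def schedule_campaigns(start, count, min_gap_days, max_gap_days, seed=None):
    """Pick campaign dates separated by random gaps so staff cannot predict the cadence."""
    rng = random.Random(seed)
    dates, current = [], start
    for _ in range(count):
        current += timedelta(days=rng.randint(min_gap_days, max_gap_days))
        dates.append(current)
    return dates

def campaign_metrics(events):
    """Return (date, click_rate, report_rate) per campaign in date order."""
    per_date = defaultdict(lambda: [0, 0, 0])  # sent, clicked, reported
    for _, day, clicked, reported in events:
        per_date[day][0] += 1
        per_date[day][1] += clicked
        per_date[day][2] += reported
    return [(d, c / s, r / s) for d, (s, c, r) in sorted(per_date.items())]

def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for targeted follow-up training."""
    clicks = defaultdict(int)
    for user, _, clicked, _ in events:
        clicks[user] += clicked
    return sorted(u for u, n in clicks.items() if n >= min_clicks)

if __name__ == "__main__":
    for d, click_rate, report_rate in campaign_metrics(EVENTS):
        print(d, f"click={click_rate:.0%}", f"report={report_rate:.0%}")
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("next campaigns:", schedule_campaigns(date(2024, 6, 1), 3, 30, 90, seed=1))
```

With the sample data the click rate falls from 67% to 0% across the three campaigns while the report rate rises, which is the behavioral trend the posts above want to measure.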
Shubham Patil says
Elizabeth,
Very modern and effective views on security effectiveness. Effective cybersecurity depends on the very boring practice of asset management — the regular, thorough evaluation of common data sources, their security controls, and how users interact with them on a day-to-day basis.
Shubham Patil says
I would make security awareness training a positive experience. When most employees think of any kind of training, they picture a dull, boring lecture in their mind, so I'll make sure to add fun elements like quizzes and lunch-and-learns to the training.
Information security content should be robust, yet approachable and easy to understand for staff from junior level to senior level. It is interesting when storytelling and real-world events are used to establish credibility and interest.
I would divide the training sessions to keep them brief and focus on a single topic per session. These sessions will include training employees on a multitude of essential security topics such as office security, mobile security, use of the cloud, password creation and management, phishing and email security, incident response, and protecting sensitive information, as mistakes in any of these areas can lead to hacking, data breaches, and other security incidents.
Yangyuan Lin says
Hi Shubham,
No one likes boring lectures! I like your proposal. Adding some interesting elements, such as the lunch and true-story sharing you mentioned, is a very good idea. Real stories are always more interesting than boring theoretical knowledge, because stories can stimulate people's interest in thinking and listening. You mentioned keeping the training short, and I agree with you. Long training can make people drowsy and lose the meaning of the training.
Oluwaseun Soyomokun says
Since people are the weakest link in the information security chain, particular attention should be paid to the human dimension through security education, training, and awareness. One way to help this process is to build employee awareness of information security. Information security awareness is perceived as the degree to which every employee understands the importance and consequences of internal guidelines for information security, and motivating participants to take part in the education, training, and awareness of information security should minimize the risk from employee behavior, since awareness and training are the two most effective mitigating measures for human activities. An interactive plan, if adopted as a motivation tactic and kept simple, would further increase employee participation.