How would you approach improving the security education training and awareness in an organization you know well (e.g. Temple as a student) but you will not name in your answer post and comments?
Jill Brummer says
I would conduct a short survey asking what isn’t working and what changes users would like to see. I would also look for training that is more relatable to the average user. If the program uses very technical words, the basic user might get lost and not be able to apply the concepts to everyday scenarios. The trainings should be short (5-10 minutes max) in order to not disrupt daily duties and activities. There should also be accountability for users completing the training. One, the training should have some sort of interaction where the user taking the training has to prove they understand the concepts or intent of the training. These could be quizzes or questions throughout the training that the user has to score a certain percent correct on in order to move forward and complete the training. There should be someone who is responsible and assigned to monitor training completion from the time of new hire throughout the user’s time employed. The dedicated monitoring person needs to follow through on users who haven’t completed training. There should be repercussions for not completing the training. Lastly, the training should be updated/tailored as time passes to make sure new concepts and hot topics are communicated.
Abayomi Aiyedebinu says
I agree with you that there should be repercussions for non-compliance with completion of training, because a lot of employees usually disregard IT training needs, especially claiming that it is extra time that would affect their productivity.
Christa Giordano says
Hi Jill,
You make some very good points regarding training. I like the idea of getting feedback from the employees, as they will have insight into what is effective and not effective in terms of format and content, and also what skills they feel are a little weak. I also like that you brought up the fact that many users do not understand technical speak, and that we should ensure we use language and terminology that resonates with all. As auditors, we always try to keep this top of mind and not let too much “audit speak” dominate our communications.
Nicholas Foster says
The first thing I would do is look at what is currently impacting our organization and categorize the importance/priority of training based on those impacts. Knowing what the company struggles with the most will help focus our efforts. Next I would engage the users who are already assigned those trainings and ask for anonymous feedback. People are more likely to express their true and unfiltered feelings when they are guaranteed anonymity. I would keep the survey short and multiple choice, asking only for relevant feedback that would help to improve the quality of the training, and then leave a section at the end for any feedback you’d like to include that wasn’t covered by the multiple choice. Also implement monthly “tests” based on what a user was assigned. For example, if the user is utilizing email day in and day out, they would be assigned a phishing email training. To help build on that training, a company-sanctioned phishing email would be sent at random intervals. If the user falls for the sanctioned phish, remedial training would be given. If users know there are sanctioned phishing emails that warrant remedial training upon failing, and that those emails are sent out randomly, users who value their time will likely pay more attention to all of their emails and report suspicious emails to avoid having to do the remedial training, thus increasing compliance. Also, having a team that is dedicated to those reports is important. Users utilizing the report phishing feature should have a way to do so that is very easy (a press of a button), like an add-on, as well as feedback on the item they reported as phishing. If it was phishing, obviously you would get with that user to see how they interacted with the email before reporting it. However, if it was not a phishing attempt, reaching out to the user and asking why they felt it was phishing and then explaining how it does not qualify as phishing will help to eliminate false positives.
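The post above describes a closed loop: assign training, send sanctioned phishing emails at random intervals, route failures to remedial training, and give reporters feedback on whether what they flagged was really phishing. The following is an added example, not code from anyone in this thread, of the bookkeeping a small security team could run over the results of such a program. All users, departments, campaign names and message ids are constructed sample data; the outcome labels (`clicked`, `reported`, `ignored`) are an assumed schema, not a real product's export format.

```python
"""Phishing-simulation outcome tracker (added example with constructed data).

Given per-user outcomes from sanctioned phishing campaigns and the messages
users flagged with a report button, this computes who needs remedial training,
how each department is trending, and which reports were false positives that
deserve an explanation back to the reporter.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class SimEvent:
    """One user's outcome in one sanctioned phishing campaign (constructed)."""
    user: str
    dept: str
    campaign: str
    action: str  # "clicked", "reported" or "ignored" (assumed schema)


@dataclass(frozen=True)
class UserReport:
    """A message a user flagged with the report button (constructed)."""
    user: str
    message_id: str
    was_phish: bool  # filled in by the triage team after review


VALID_ACTIONS = {"clicked", "reported", "ignored"}

# Constructed sample data: two campaigns, four users, two departments.
SIM_EVENTS = [
    SimEvent("alice", "finance", "q3-invoice", "reported"),
    SimEvent("bob", "finance", "q3-invoice", "clicked"),
    SimEvent("carol", "hr", "q3-invoice", "ignored"),
    SimEvent("dave", "hr", "q3-invoice", "clicked"),
    SimEvent("alice", "finance", "q3-payroll", "reported"),
    SimEvent("bob", "finance", "q3-payroll", "clicked"),
    SimEvent("carol", "hr", "q3-payroll", "reported"),
    SimEvent("dave", "hr", "q3-payroll", "reported"),
]

# Constructed report-button submissions after the triage team reviewed them.
REPORTS = [
    UserReport("alice", "msg-101", True),
    UserReport("carol", "msg-102", False),
    UserReport("dave", "msg-103", True),
    UserReport("carol", "msg-104", False),
]


def summarize_users(events: Iterable[SimEvent]) -> Dict[str, Dict[str, int]]:
    """Count each user's clicks, reports and ignores across all campaigns."""
    totals: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        if e.action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {e.action!r} for user {e.user}")
        totals[e.user][e.action] += 1
    return {user: dict(c) for user, c in totals.items()}


def remedial_candidates(events: Iterable[SimEvent], min_clicks: int = 1) -> List[Tuple[str, int]]:
    """Users who clicked a sanctioned phish at least min_clicks times, worst first."""
    per_user = summarize_users(events)
    flagged = [(u, c.get("clicked", 0)) for u, c in per_user.items()
               if c.get("clicked", 0) >= min_clicks]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


def department_rates(events: Iterable[SimEvent]) -> Dict[str, Tuple[float, float]]:
    """(click rate, report rate) per department as fractions of its events."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        counts[e.dept][e.action] += 1
    rates = {}
    for dept, c in counts.items():
        n = sum(c.values())
        rates[dept] = (round(c["clicked"] / n, 2), round(c["reported"] / n, 2))
    return rates


def triage_reports(reports: Iterable[UserReport]) -> Dict[str, object]:
    """Split report-button submissions into confirmed phish and false positives.

    'explain_to' lists reporters of benign mail, with how many times each
    reported one, so the team can follow up as the post suggests.
    """
    confirmed, false_pos = [], []
    for r in reports:
        (confirmed if r.was_phish else false_pos).append(r)
    return {
        "confirmed": [r.message_id for r in confirmed],
        "false_positive": [r.message_id for r in false_pos],
        "explain_to": dict(Counter(r.user for r in false_pos)),
    }


if __name__ == "__main__":
    print("remedial:", remedial_candidates(SIM_EVENTS))
    print("by department:", department_rates(SIM_EVENTS))
    print("report triage:", triage_reports(REPORTS))
```

The per-department rates are the numbers worth sharing back with staff, since a rising report rate and a falling click rate is the evidence that the training is taking hold; the remedial list is deliberately per user rather than per department so that repeat clickers are handled individually rather than the whole team being retrained.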
Abayomi Aiyedebinu says
Nicholas, I agree with your point on remedial training if an employee constantly falls for phishing test emails, because the majority of cyber-attacks, past and present, were the result of employees falling for phishing emails. A good example is the Target POS data breach through their HVAC vendor. There is a need to properly train employees on the need to trust but always verify before clicking links in email attachments.
Abayomi Aiyedebinu says
I would conduct periodic tests and surveys to see how employees are adapting and adhering to security awareness training. The test would be random phishing emails to see if the training deliverables were followed. In addition to that, training and active learning will be part of the sensitization program; it could be done twice a year so that it can be effective and efficient. The IT department should develop IT security policies and procedures to be followed by employees, and the same should be communicated by the HR department, especially to employees and new hires, about the company’s information security policies, how incidents are reported and handled, and the organization’s policies with regard to PHI and PII. Since oftentimes the internal threat is existential, the consequences of an internal data breach and misuse of the company’s IT infrastructure have to be communicated to employees and new hires so that it can serve as a severe reprimand to those who intentionally abuse or exploit inherent vulnerabilities.
Jill Brummer says
I agree with conducting periodic tests and surveys, as long as they are short and not time consuming; otherwise there may be push back from non-IT employees. I think training and active learning should be done more than twice a year, because things change quickly and constantly in the IT/cyber world. Additionally, if only done twice a year, employees may not remember and may not think the training is important. I like that you also mentioned the HR department being involved, since they process new hires and can communicate the policies.
Nicholas Foster says
Hi Abayomi,
I too put surveys for feedback on training. But to Jill’s point, it is pertinent that we make said surveys as easy as possible. By just leaving it open ended, you’re likely to not get much, if anything, of value. Instead, as I mentioned in my post, leverage multiple choice answers with tailored questions you want answers to. Things such as “Did you find this training helpful?” with multiple choice answers of agree/strongly agree/disagree/strongly disagree. This allows the user to pick from a list of predefined answers with ease. The faster and easier the survey, the more the odds of it being concise increase.
Shepherd Shenjere says
The first step is to ensure that the current program is helpful, and that the employees understand it and can pick out things like phishing emails if a simulation is run. Upon getting any feedback necessary, the next step is to determine the gaps present. Then the next step is to prioritize the actions I would implement while being guided by the feedback received.
Christa Giordano says
One organization that I know well has an acceptable use policy and has standards outlining expected behaviors and controls. They have also recently moved from a cadence of training on an annual basis to quarterly, which is helpful. I think the organization should provide more awareness, take advantage of the company newsletter for reminders, and implement feedback mechanisms for employees to rate the training received. The organization has metrics in place, but the results of the metrics are not widely shared. I think distributing the metrics will help the employees take ownership of their role in good cyber hygiene practices.
Kenneth Saltisky says
Hi Christa,
I would agree that distributing metrics related to feedback and organizing them in some capacity would help in understanding not only how effective the current training solutions are but also help to take ownership of their role. In general, having the information available to all employees would help further other employees’ understandings of other roles within an organization.
Maxwell ODonnell says
I would first conduct an audit of the sorts of information that the company holds, and how that information is being stored. Is customer information being handled by an outside vendor or is it being handled internally? Next, I would need to figure out who now has access to the information and to what level they understand how to effectively keep that information secure. To promote awareness, it is important to highlight to the company that no matter the size or scale, the company may be targeted due to the information they hold, and to alert upper-level management that attacks can and have been executed on similar companies. Given the size of the company and the lack of an internal IT department, it may be an option to consult with an outside cyber security firm to determine the best course of action to secure the company. After consulting, all employees and management should participate in the training determined most appropriate for the company.
Kenneth Saltisky says
Hi Maxwell,
I would agree that consulting with an outside cyber security firm would be essential with a lack of an internal IT department, especially since the company more than likely holds some data that someone would be after. This consulting should be approved by senior management and any implementations should be approved by senior management as well.
Matthew Stasiak says
Determining where the most valuable assets of a company lie is definitely one of the most important parts so we can determine who has access and how they’re going about keeping the security of such information. From there we can determine how often meetings and conferences should be set about the ongoing security of the company. Personally, I think it’s best to see the company as always under threat from some inside or outside actor, which is what will make sure that people are always on top of their regimens for keeping the security of the information within the company. Also being able to see what one department of the company succeeded in and had the best results will be a big benefit to the other parts to ensure consistent security and reliability.
Kenneth Saltisky says
Hi Matthew,
I do agree that having the general idea of constantly being under inside and outside threats is essential in understanding the necessity of cyber awareness trainings. However, I would imagine that, if possible, understanding current threats and trying to analyze future threats is more important so as to not waste resources on trainings that are unnecessary.
David Vanaman says
This is a topic I am very familiar with as I have been in charge of improving the SETA program at my job. This question ties back to the previous two questions nicely. The first step is to identify the topics that need to be addressed and the groups that need to be trained. For me, there were three very different groups to address: software developers & engineers, physical manufacturing staff, and support personnel (sr mgmt, HR, accounting, etc). These different skill levels and job roles needed very different types and levels of training.
The second step was to identify quality sources of training. For the manufacturing staff, basic cyber hygiene was enough, and the company was able to purchase a series of videos as part of another security product. The software devs were a much different, deeper, and more technical challenge. They required in-depth dives into specific topics. For them we purchased instructor-led training, resource books, and webinars.
Beyond finding the resources to provide, another challenge with making a SETA program successful is getting budget, time, and buy-in to implement the training program. Without budget, you are hobbled in what resources you can obtain. The best resources are rarely free. Without time and buy-in to utilize the training, it will sit unused. It is important to ensure that managers provide adequate training time to staff and that staff understand the need and benefit of taking the time to invest in the training and learn.
Christa Giordano says
Hi David,
I like the way you broke down the approach to training at your organization; it makes it pretty simple. I agree wholeheartedly with the importance of obtaining “buy-in” from senior management; without their “buy-in” the program will go nowhere. We are currently experiencing this at my job. We are trying to make records and data management training a requirement and part of the training curriculum throughout our organization. Two of our division leaders are currently not supportive of this effort, so we are trying to come up with ways to make them understand the importance, the “so what,” and the potential risks and impact involved if records and data management practices are not followed.
Kenneth Saltisky says
In the organization that I am thinking of, there are several points of improvement I would consider. The first is utilizing a consistent schedule of security awareness training among all employees within the organization. The second would be to utilize different formats of training to not only keep employees engaged in their learning but to also be more effective with different employees. Another point of improvement would be a streamlined incident response guide for general employees as it would be essential for all employees to understand how to react when they fall for something malicious, such as a phishing email. To add to this topic, performing periodic internal phishing email exercises would also help to reinforce security awareness topics for all employees.
Matthew Stasiak says
Hey Ken,
I love the idea of white hat testing your own company to see if the training is being properly adhered to. Like what we talked about in class this past week, taking metrics and interviewing employees is the best way of seeing those kinds of results and whether or not the training is effective or needs to be solidified and improved upon.
Parmita Patel says
I would start by assessing whether what I am provided with is effective. The most important thing about giving training and awareness is whether your employees are understanding the information. I would want to talk about whether the employees are finding the training effective and whether they enjoy it. I would like to put to the test whether the employees are actually paying attention. I would suggest making the training more interactive, as in clicking around places, giving more realistic situations, and giving a quiz to test whether they understood what the training was about. If the employees were to fail, then they would have to sit through the training again. Using this method would help the employees pay attention the first time around instead of re-doing the training over and over again. I would also send test phishing emails to see whether someone falls for them or reports them. This will show whether an employee needs more training or not.
Samuel Omotosho says
To improve security education training in an organization, it is important to consider the employees’ welfare and the organization’s needs. The business should routinely train its personnel so that they are aware of changes. It should also review its policies and processes so that modifications may be made as needed. Furthermore, the business should make an effort to integrate security with the company’s understanding of its culture to ensure that all workers are enjoying the training. On the part of the organization, they should provide all the required resources to facilitate the improvement of the training awareness.