How would you approach improving the security education training and awareness in an organization you know well (e.g. Temple as a student) but you will not name in your answer post and comments?
Andrew Young says
To improve security in my chosen familiar organization, I would want to first make sure that training is carried out in person. In my experience, online training can be ineffective, and trainees can be easily distracted from the subject matter and encouraged to take it less seriously. In my experience, carrying out in-person training provides a much more direct and clear message for the trainees to understand not only the risks associated with these hazards, but also the ways to prevent them. These trainings should occur yearly. I would also advise running phishing tests by sending out IT-controlled emails to see if and how often users are falling for phishing emails. This can be done monthly to evaluate preparedness. I also would advise that any and all current threats be communicated via batch email. Letting users know that there is a possible phishing email or security risk circulating is critical to stopping possible breaches before they occur. These are just some of my advised revisions to policy in the organization I am familiar with that I believe can provide a wider safety net for users and the organization as a whole.
Ikenna Alajemba says
Yes. In-person training could be taken more seriously, but the rate at which businesses moved on during the pandemic makes it more difficult to convince both employees and most employers of the effectiveness of in-person training, especially on phishing campaigns.
Erskine Payton says
You must start at the top: the Executive Council. Once you have full buy-in, you want to get senior management involved. Once you have that, it depends on the company. This is a more family-oriented, philanthropic organization. My approach would equate security with protecting your family from harm. As I mentioned before, there needs to be policy in place that makes security paramount, and no one is exempt. I would request that senior-level executives work with the Security team and maybe conduct a PSA-like message or have pictures of them participating in the training. These types of messages motivate the staff as well as show that if someone so busy can attend training, so can you.
Ikenna Alajemba says
Security Awareness and Training ought to be carried out in accordance with the prerequisites of the organization’s information security awareness program. The dissemination of awareness education can take place in a variety of settings, including traditional classrooms, web-based platforms, self-directed study, and others. I will approach the training using real-time demonstrations when needed. The following practices will be included in the program:
1. Interactive training courses will be provided.
2. Simulated phishing attacks with employees involved.
3. Test results will be compiled and used to demonstrate ways to improve.
4. New policies implemented and enforced.
5. Employees will be retrained regularly.
6. Employees, management and business owners will be consistent and stay informed.
Jeffrey Sullivan says
I like how you integrated the security awareness program as a prerequisite; that’s clever. That way you get the same moral coming into the new training. The variety that you pointed out I feel is effective, as you are hitting on all points, e.g. web-based and traditional classrooms, etc. Simulated phishing attacks seem to be popular but are also effective, as we spoke about in class this week. A great ending is the ongoing training of all employees to keep them consistent and informed. I’d like to know what incentives you would be offering, as that would get more people on board and boost morale in my opinion.
Alyanna Inocentes says
Hey Ikenna,
Interactive training courses can significantly improve cybersecurity education. I believe these courses can aid in better retention of information as employees engage actively with the material.
Regarding simulated phishing attacks, I find it somewhat surprising that your organization hasn’t implemented them. Typically, I’ve seen smaller businesses skip this due to costs. However, considering that phishing is the most common method of cyberattacks, I believe every organization should incorporate phishing education. The potential financial losses that your organization could face are a scary thought to have. They should definitely listen to your advice and implement simulated phishing scenarios as soon as possible!
Jeffrey Sullivan says
If you know an organization well, then that gives you a leg up on improving the security education, training and awareness, as understanding user behavior and motivation is key to a successful SETA program. First you must take a two-part approach to this: be an evangelist and a leader. Like I stated in earlier weeks, it’s all about effective communication and business continuity. I would implement proven techniques and strategies in modifying user behavior whenever possible. There are three levels to behavioral management:
1. Individualized level, where support is provided one-on-one.
2. Classroom or group support, which can be referred to as business units.
3. Organization-wide support. This addresses general security awareness topics that are common across the entire organization.
I would then make each user feel relevant and connected to the subject matter. This way you get buy-in along the whole way which then in return makes it a successful education training and awareness program.
Kelly Conger says
Good stuff Jeffrey, I especially like your emphasis on the importance of understanding user behavior and motivation when developing a SETA program. This is essential for designing a program that is effective in changing user behavior. I also agree with your point about the importance of communication and business continuity. It is important to communicate the importance of security to all employees and to make sure that the SETA program does not disrupt business operations. Finally, I agree that it is important to make each user feel relevant and connected to the subject matter. This will help to ensure that employees are engaged in the SETA program and that they are more likely to retain the information that they learn.
Erskine Payton says
Agreed on knowing the client gives you valuable intel about what is important to them. Using this you can craft your training around how the company operates, which is very effective. This makes the training less intimidating, making the users more comfortable with learning something new. Knowing your audience is important, so putting out the right type of messaging can go a long way in educating staff. Great points!
Akintunde Akinmusire says
To enhance security training, quarterly phishing tests would be conducted to assess employee vigilance. Those who fail would be required to retake the course within a certain period. Interactive, real-life scenario-based courses and entertaining games would also be introduced to promote practical knowledge and awareness of security threats. Additionally, monthly email updates would inform employees of new threats and reinforce best practices, promoting a more security-conscious culture.
Unnati Singla says
Hi Akintunde, great points there! I would also emphasize the importance of maybe quarterly in-person training that will be more effective. Sometimes, people might miss the emails or phishing training. I like the idea of making it something fun like a game, I would also incentivize employees to participate by providing some gift cards for the participants/winners.
Kelly Conger says
I would start with a basic security assessment training class. You need to know how much your employees know about cybersecurity in general before providing more detailed training classes. This course could cover topics such as password hygiene, phishing awareness, and social engineering. After this you can start to provide more specialized training such as incident response, data protection, and risk management. Create a security awareness campaign that includes posters, flyers, and social media posts. This campaign could help to keep security top-of-mind for employees. Host regular security awareness events, such as guest speakers and workshops. These events could provide employees with an opportunity to learn more about security and ask questions of experts. Create a security rewards program to recognize employees for good security practices. This program could offer prizes, such as gift cards or swag, to employees who complete security training, report security incidents, or implement security best practices.
Alex Ruiz says
Kelly, your approach to improving security education training and awareness in your organization is comprehensive and proactive. In addition to these steps, it might be beneficial to regularly update and adapt the training content to address emerging cybersecurity threats and trends. This way, employees stay well-informed and prepared for the latest security challenges. How do you think organizations should strike a balance between maintaining a strong security culture and not overwhelming employees with too much information? Also, Swag.
Michael Obiukwu says
Improving the security education training and awareness in an organization is paramount as the journey towards data security compliance and consciousness is a continuous process. Any organization, no matter how secure its safeguards, is only as safe as its least educated member.
The first step would be to foster an ongoing security education culture. This includes not only initial training but regular updates, reminders, and opportunities for continual learning. By emphasizing the importance of cybersecurity and reinforcing this message, team members will be more likely to integrate secure behaviors into their own procedures.
Furthermore, another significant part of the solution would involve providing tailored security education training, whereby lessons are designed in accordance with the specific job roles and responsibilities each staff member undertakes. Employees are more likely to understand and retain information relevant to their role, reducing the risk of potential security breaches.
In addition, employing real-world simulations and scenarios in the training can be an effective strategy. When staff can understand and visualize potential security threats, they can better navigate and manage similar situations in their daily work.
Lastly, creating a robust reporting culture whereby employees are encouraged to report potential security threats without fear of repercussion ensures that even minor issues are addressed before they balloon into significant problems.
Ultimately, the balance between having robust security systems and improved security education training is key to ensuring an organization’s resilience against the growing threat of cyber attacks. By focusing on the human element of security and investing in training, organizations can reduce their vulnerability and strengthen their overall security posture.
Chidi Okafor says
To enhance security education, training, and awareness in an organization I’m part of, I would begin by conducting a survey among employees to assess their knowledge of IT regulations and standards within the company. Based on the survey results, I would develop a comprehensive training program that is mandatory for both existing employees and new hires. This training would include concept videos, in-office workshops and interactive solutions.
Additionally, I would establish a regular communication plan, sending out emails with updates on security news and recent breakthroughs in security protection. These emails would also serve as reminders, notifying employees about upcoming password changes and the risks associated with phishing emails. This multi-pronged approach aims to improve overall security awareness and knowledge within the organization.
Akintunde Akinmusire says
Hi Chidi,
I agree with you concerning the survey, because one can easily assume that the people you are familiar with in an organization will be security conscious. With a survey, people’s opinions about security in an organization will be well curated while remaining anonymous. The anonymity will also help because accurate results would be gathered without the respondents worrying about their identities being revealed.
Marc Greenberg says
• Make systems and processes as simple and user-friendly as possible.
• Help employees understand why their security habits are important.
• Motivate workers to protect the business and empower them to make the decisions necessary.
• Use multiple departments to help put in place security behaviors; hold employees accountable by rewarding the good and confronting the bad.
Andrew Young says
These are all great points! I would also add that using top-down methods, such as simulated phishing, etc., is very useful in practically testing and evaluating what areas need to be reiterated through training and policy information. Understanding how and where to test vulnerabilities, especially unpredictable user vulnerabilities, will increase overall organizational security and allow for a more comprehensive approach to not only training, but asset security as a whole.
Akiyah says
One significant challenge in many organizations is the existence of departmental silos. These silos result from different departments using various software tools to access data, which can lead to knowledge and security gaps, and additional vulnerabilities due to the many access points into the system. To address this issue, I would prioritize breaking down these silos to encourage collaboration and alignment.
To enhance security education within an organization I’m familiar with, my approach would involve engaging key stakeholders from both the business and IT departments. It’s essential to establish a unified vision for security across the organization. This shared vision ensures that all departments and stakeholders are aligned with respect to security goals and best practices.
Once collaboration and alignment are established, the next step is to conduct a comprehensive assessment to identify security risks. This assessment involves a thorough analysis to pinpoint potential vulnerabilities and threats that are specific to the organization’s unique context.
To mitigate these identified risks, we would create tailored security training content designed to address the organization’s distinct needs and challenges. The ultimate goal is to systematically bridge the gaps in security training. Leveraging the expertise within the organization, we can develop and deliver training materials that specifically target vulnerabilities and enhance overall security awareness.
By following this approach, we can ensure that our security education and awareness efforts are well-coordinated, comprehensive, and customized to meet the organization’s specific requirements. This collaborative approach not only breaks down silos but also improves communication and cultivates a culture of security across the organization.
Taking a holistic approach that considers the organization’s current information needs and existing systems equips individuals to provide effective top-down training to all employees.
Alyanna Inocentes says
An improvement in my organization that could assist in enhancing the security education training and awareness is conducting the following:
a. Selecting an advanced phishing simulation provider that allows us to run scenarios involving impersonation of other organizations. By presenting the organization with scenarios that simulate interactions with external emails from various vendors and companies, we can enhance user awareness and vigilance.
b. Streamlining the Implementation of Cybersecurity Enhancements. While cybersecurity enhancements often require approval from higher-level leadership, the prolonged implementation timeline, typically spanning 3-6 months, forces us to persist with suboptimal processes.
c. Enhancing phishing awareness training for users who frequently fall victim to phishing attempts. While there is existing education for users who don’t pass phishing simulations, I recommend keeping these scenarios up-to-date to provide users with the most relevant and current information. New phishing techniques are constantly emerging, and it seems we’re primarily addressing the more common methods of phishing. I believe we should focus on raising users’ awareness about all possible phishing tactics, ensuring they are prepared for any potential threats.
Marc Greenberg says
I agree with your answer on the training aspects. You need to make sure that the training is simple and easy for all to follow. Also make sure that employees are accountable for their actions, and find ways to make sure they have incentives to follow it.
Alex Ruiz says
Well, to improve security education, training, and awareness in my organization, I’d start with a thorough assessment of the existing program and analyze it to get its strengths and weaknesses. I’d also need to get support throughout the organization, starting with the top, to figure out the specific needs and establish a clear objective that focuses on reducing incidents and improving user awareness while also fitting compliance requirements. Making custom training plans would be the next step; they will need to be interactive and engaging and fit the organization’s specific risks and position. Creating a clear line of communication, with reinforcement of how important security awareness is, would improve user compliance, as would having a good incident response and feedback portal. I’d conduct several regular simulations as well as tests to further analyze the effectiveness of the SETA program and continually update it for further improvement.
Ashley A. Jones says
Alex, your customized approach is most ideal! Your point on good incident response and feedback loop is so important, since there are many times that people in upper management positions can get stuck on only giving feedback or responses when something is incorrect. However, this does not give employees the motivation to keep learning. It does the complete opposite and discourages the employee from going anywhere near that thing that they only get negative feedback on. Positive reinforcement and positive feedback loops are a staple when imploring employees (or anyone who needs to participate in anything) to actively participate and stay motivated (simply by osmosis, in many cases).
Unnati Singla says
In an organization that I know well, I would recommend increasing the frequency of training and infographics that are circulated throughout the office. I have personally noticed a trend where multiple people use their personal devices for work, as well as allow other people to use company-issued laptops for certain things.
I believe that this kind of training should happen in person where everybody’s involved in some kind of activity or a game, which is also educative. This increases personal interaction as well as absorption of the material. I think it’s also important to understand that some individuals might need one-on-one support such as some of the older employees who are not that familiar with computer technologies or threats to the system.
I would also recommend reiterating policies of device usage, such as policies on downloads or third-party application installs, or connecting to certain networks. It is important that the employees understand how these problems can create risk as opposed to just learning how to prevent them.
Ashley A. Jones says
In an organization I know well but will not name, I would essentially do everything that I mentioned in my answer for number 1 focusing heavily on communication and the communication plan. I would sit down with the CEO and Business Consultant, who are the only upper management personnel in this case, to get a verbal understanding of the organization’s mission and physically map out the company’s IT infrastructure in conjunction with real time issues they are experiencing. Based on this, I would address where their concerns are and suggest where they should lie then we can go over the fundamentals of the program and cost associated with the business to roll out a feasible program. I know that this organization is small, fully remote, all employees national, with no company devices. All of the company data is stored on the cloud and regularly accessed via employee’s personal computers. The business is structured to cater to independent contractors which means there are constantly employees rotating in and out of the system at various time intervals. Projects can go anywhere from 1 to 12 months. There are also two middle management positions: an Operations Assistant and Executive Assistant who are closer to upper management than the independent contractors in terms of day-to-day work. This type of organizational structure seems difficult to manage without the CEO, Business Consultant (to keep the CEO accountable), Operations Assistant, and Executive Assistant FULLY on board with handing off the baton in regard to communication and implementation. Even with executive support, working with this type of employee setup keeps employees more inclined to turn a blind eye. Though none exists currently, a SETA program, policy, and communication plan with full management support is mandatory.