It’s easy to inadvertently create a rut when conducting any repetitive task. Just as is the case with all training, when it comes to security, it’s important to create and repeat training that keeps employees alert and aware of the latest tactics used by attackers to gain access to sensitive information, systems, and facilities. But why is this important? Why do your employees need security training? And why should you care about a training rut?
The answer is simple. Once your organization becomes a target, all of your employees become smaller, more vulnerable targets. This means an attacker will not only try to penetrate your firewall by hitting it with brute force, they will also target the weakest link and find a way around the firewall. This means they will test each and every employee to see who will unlock the door from the inside.
To be effective, your security training program must be engaging and comprised of the current practices and mindset of attackers. In order to avoid a training rut, your content must continually evolve to support shifting attack trends and an ever-changing threat environment. Failing to adjust your program and content over time leaves your employees ill-prepared to recognize the latest threats and prevent an attacker from being successful.
It is important to remember that any and all pieces of personal and organizational information can be used to gain access to assets and sensitive data. Keep in mind it only takes one sensitive piece of network information or a whispered password from an employee to expose your entire organization.
Consider the following when designing your program:
- Focus on concepts as opposed to specific examples to create an engaging training environment
- Encourage employees to collaborate and use their imaginations and past experiences to identify and discuss vulnerabilities within your organization and potential attack scenarios
- Continually update training content to include current events, relevant topics, and scenarios that resonate with your employees
- Provide an easy way for employees to report incidents such as questionable encounters and suspicious emails
- Continually test employees by simulating vishing (phone calls) and phishing (emails) attacks
- When testing, incorporate creative scenarios and use a wide variety of social engineering tactics
- Test with the intent of less than perfect results as this provides an opportunity to learn and expand your security and defensive measures