Create an Effective Security Awareness Training Program

Loose lips sink ships and companies too

Does your organization take security seriously? Do your users know how to fend off social engineering attacks? Do your organization's portable devices have data encryption enabled? If you answered "no" or "I don't know" to any of these questions, then your organization is not providing good security awareness training.

Wikipedia defines security awareness as the knowledge and attitude that members of an organization possess regarding the protection of both the physical and information assets of the organization.

In a nutshell: loose lips sink ships. That's really the gist of what security awareness is all about.

If you are responsible for the information assets of your organization, then you should definitely develop and implement a security awareness training program. The goal should be to make your employees conscious of the fact that there are bad people out in the world who want to steal information and damage organizational resources.

A good security awareness training program will instill a sense of pride in ownership of your organization's data and resources. Employees will see threats to their organization as threats to their livelihood. A bad security awareness training program will make people paranoid and resentful.

Let's look at some tips for creating an effective security awareness training program.

Educate Users on the Types of Real-World Threats They May Encounter

Security awareness training should include educating users on security concepts such as recognizing social engineering attacks, malware attacks, phishing tactics, and other types of threats that they are likely to encounter.

Teach the Lost Art of Password Construction

While many of us know how to create a strong password, there are still many people out there who don't realize how easy it is to crack a weak password. It's important to explain the process of password cracking and how offline cracking tools, such as those that use rainbow tables, work. Users may not understand all the technical specifics, but they will at least see how easy it is to crack a poorly constructed password, and this might inspire them to be a little more creative when it's time for them to make a new password.

Focus on Information Protection

Many companies tell their employees to avoid discussing company business while they are out at lunch because you never know who might be listening, but they don't always tell them to watch what they say on social media sites. A simple Facebook status update about how mad you are that the product you're working on won't be released on time could be useful to a competitor who might see your status post, should your privacy settings be too permissive. Teach your employees that loose tweets and status updates also sink ships.

Rival companies may troll social media looking for employees of their competition to gain the upper hand on product intelligence and find out who's working on what.

Social media is still a relatively new frontier in the business world and many security managers are having a hard time dealing with it. The days of just blocking it at the company firewall are over. Social media is now an integral part of many companies' business models. Educate users on what they should and shouldn't post on Facebook, Twitter, LinkedIn, and other social media sites.

Back up Your Rules With Potential Consequences

Security policies without teeth aren't worth anything to your organization. Get management buy-in and create clear consequences for user actions or inaction. Users need to know that they have a duty to protect information that is in their possession and do their best to keep it safe from harm.

Make them aware that there are both civil and criminal consequences for divulging sensitive and/or proprietary information, tampering with company resources, etc.

Don't Reinvent the Wheel

You don't have to start from scratch. The National Institute of Standards and Technology (NIST) has literally written the book on how to develop a security awareness training program, and best of all, it's free. Download NIST's Special Publication 800-50 - Building an Information Technology Security Awareness and Training Program to learn how to make your own.