What Is It?
Security Awareness Training is a tool used to help your employees understand the myriad nefarious attacks that they (or their company) could be subjected to while doing business on a day-to-day basis. Basically, you’re trying to make your employees aware of security. It’s important to note that security, in this context, can relate to:
- Administrative – Are policies and procedures written for all important business processes, and are they reviewed annually? Are all regulatory and governmental requirements met where necessary?
- Physical and Environmental – Are the building, its inhabitants and the assets within secure? Are cameras in place and working? Are there locks on the doors? Can only approved persons access sensitive data? Is there sufficient fire suppression in place?
- Logical – Are password controls suitably used? Is the principle of least privilege appropriately applied? Are terminated users removed from material systems in a timely manner?
Not only will the use of Security Awareness Training minimize your company’s exposure to hacking, phishing, vishing and other threats, it will also help you conform to multiple audit and regulatory compliance requirements.
The training itself can be applied in multiple ways: in person, periodical emails, posters or other visual aids in the workplace, or via online training.
- In Person – Classroom or lecture-style training is effective, but it can be very time- and/or cost-intensive. Each new hire, along with any current employee who has moved into an IT-focused department, will need an introductory set of Security Awareness Training sessions. Combined with the fact that most regulatory requirements call for annual refreshers and updates to this training, this style can place a heavy demand on resources.
- Emails – Monthly or weekly tip-style emails are an efficient and cost-effective way to reach each of your employees with training. Email groups based on department or responsibility can also be a valuable tool for directing specific messages and training to those who most need it. However, the downside to this method is clear: emails can be easily deleted, sent to Trash or even blocked completely. Given that the average person receives around 80 to 90 emails per day, email training may not be the best way to be certain that your employees view and comprehend important security tips and reminders.
- Posters or Other Visual Aids – Posters (many examples can be found on KnowBe4’s site at the bottom of this page) are great at conveying a message to users in an office setting, especially ones that are eye-catching and informative. An obvious drawback to this style is the nature of the aid: an employee needs to be in an office to get the message. Another issue is that this sort of training may not always meet regulatory or governmental requirements due to it being a passive method of information transfer versus one that requires employee feedback and can be easily updated.
Does My Company Need It? Why?
In short, yes. In some form or fashion, most (if not all) businesses need some sort of Security Awareness Training. Making sure your employees are aware of your business’ security efforts, and understand what is required of them, will help them complete their job efficiently and effectively while keeping security in mind.
Businesses need training not only for efficient day-to-day operations; many regulations also require some sort of Security Awareness Training to maintain compliance.
- PCI DSS §12.6 – Make all employees aware of the importance of cardholder information security. Educate employees. Require employees to acknowledge in writing that they have read and understood the company’s security policy and procedures.
- Sarbanes-Oxley (SOX) §404(a).(a).(1) – The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C 78m or 78o(d)) to contain an internal control report which shall – state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
- Health Insurance Portability & Accountability Act (HIPAA) §164.308.(a).(5).(i) – Implement a security awareness and training program for all members of its workforce (including management).
- Federal Information Security Management Act (FISMA) §3544.(b).(4).(A) and (B) – Security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks.
There are also state-specific privacy laws, such as the following:
- Ohio IT-15 – (Security Awareness and Training) mandates that agencies put system users, be they employees, contractors, temporary personnel or other agents of the state, through annual security awareness training.
- Florida 282.318 – Includes mandatory cybersecurity training for state
- North Carolina N.C.G.S. §147-33.110 – Requires each agency to provide training and annual assessments of cybersecurity issues on an agency-by-agency basis.
How Do I Make It Happen?
There are just a few steps involved in creating and maintaining a Security Awareness Training program that will both satisfy your regulatory needs as well as keep your employees efficiently updated on the current security environment.
- Create a program if one doesn’t exist. The National Institute of Standards and Technology (NIST) has created a fantastic resource, Special Publication 800-50, that can be used to help build a training program from the ground up. At 70 pages it’s not a short read, but it is a great primer for getting started.
- Once the program is created, it will need to be managed and maintained. The education will need to be given annually to all employees and, to be most effective, will need to be refreshed with up-to-date information as often as possible. This can be a big task for smaller companies, so companies such as KnowBe4 exist to help you get up and running as quickly as possible. KnowBe4 has an integrated platform with interactive training, up-to-date videos and end-of-training quizzes to ensure the information was effectively absorbed.
- Maintain records of training for regulatory purposes.
Hopefully this will help you determine if a Security Awareness Training program is needed for your company, why it is needed and how you can get one running at your company. If you have any questions, or would like to speak to us about KnowBe4, drop us a line or give us a call!