Freedom through Security Training
SECURITY AND AWARENESS TRAINING: A PRIMER
Introduction
The Ponemon/IBM Data Breach Study of 2019 notes that human error is the root cause of 24% of all data breaches. Further, as the report notes, lax employee behavior often contributes to malicious criminal activity. This can mean that up to 75% of data breaches can be mitigated by better security awareness and training efforts. This staggering number clearly points to the need for all employees to exercise better data hygiene.
With over 15 years as security experts, Techumen has witnessed that people influence security more than technology or policy, and that cyber-criminals know how to exploit human behavior. Security and risk management leaders, therefore, must invest in tools and training efforts that increase awareness and influence employee behavior.
If better security and awareness training were available throughout the entire organization, the number of breaches and the associated damage would be dramatically lessened. Inevitably, there must be different approaches to security and awareness training, since everyone in an entity can benefit. This vision should not be limited to specific employee groups such as front-line or back-office workers. Instead, everyone in the organization, including IT experts generally thought to be fully aware of risks, must be security aware for the roles they perform and therefore trained appropriately.
What exactly is Security and Awareness Training?
The term “security and awareness training” is commonly used to refer to a broad range of education, communication, and behavior management activities and learning outcomes. These activities and outcomes include:
· Complying with regulations, procedures and policies
· Supporting disciplinary actions
· Increasing employees’ knowledge and competency concerning threats, risks and security options
· Changing and maintaining employees’ security behavior and building a more security-aware culture
The approaches for security and training can include:
· Direct behavioral conditioning — such as anti-phishing projects
· Specific programs to reduce developer error, for example through secure coding training efforts and the purchase of tools to identify risks prior to new system deployment
· Breaking down IT silos through better coordination and training activities. For example, the Program Management, IT Operations, Software Development and Information Security functions must work in tandem to identify security weaknesses in proposed systems before work begins. This is often a major weakness in most organizations and can be easily rectified through training.
· Understanding that emerging data-intensive initiatives such as “data analytics” require careful inter-team coordination and specific training for end-user responsibilities.
· Internal marketing campaigns involving posters, competitions and advertising style messaging.
Conclusion
Solutions with different objectives for security education all share the goal of supporting enterprise requirements for the management of security risks. Security education can fulfill multiple objectives and requirements. However, training and awareness must:
· Provide the right content for the right people
· Identify the target audience for security training. This means mapping out the core body of knowledge to identify the appropriate level of training
· Support role- and performance-based security needs, including technical training, management training and community outreach
· Deliver knowledge- and skill-based training by personnel who are both qualified security professionals and experienced trainers.
At Techumen, we are skilled both in security and in training delivery, using various formats and targeting multiple employee groups. Training courses, exercises and tests will all depend on the type of training required. There is no one-size-fits-all approach to security training. Instead, a comprehensive “security training” plan must be developed and tailored for each organization.
Comment (5 years ago) from a Fractional Cybersecurity Executive (CISO) with experience in healthcare, AI, IT services, start-ups, and more:
Coordinates and integrates security training. Great concept.