If You’re Going to Use PowerPoint

If you’re going to use PowerPoint to present security awareness training to a class of students, or perhaps to make a business case to your senior management, here are some suggestions from Seth Godin about how to make the best use of the tool. Written a few years ago, but still highly relevant.

Posted in Education

Don’t Get Bogged Down in “How To”

When creating security awareness training materials, it’s tempting to explain to students exactly how they should scan a file for viruses, the steps to take to check an SSL certificate, how to examine the headers of an email …

Don’t.

You have very limited time and a lot of topics to cover. And most of your students will forget any detailed information that you cover. So focus on the bigger picture. Make them aware of the threats, and what they need to do in broad-brush terms. Then provide students with easy access to the “how to” information so that they can find it when they need it.


Posted in Education

The Wrong Content – 5 Reasons Why Security Awareness Training Programs Fail – Part 1

In my experience, one of the most common ways that security awareness training programs fail is that the content of the awareness/training materials is wrong for the target audience.

The mention of the audience is important here – what’s appropriate for an IT group is seldom useful for a group of average PC users, and what’s useful for the PC users probably won’t be as valuable for workers in a warehouse or distribution center.

But, bearing that in mind, here are four of the ways that I’ve seen programs fail because of the wrong content.


Posted in Education, Information Security

Awareness, Training, and the Four-Stage Learning Model

In some guidance documents (e.g., NIST SP 800-16), you’ll find a distinction drawn between “awareness” and “training,” even though most of us use the words together when talking about the education of end users. There’s actually a good theoretical basis for differentiating between them but, in practice, the value of treating them separately is less clear.


Posted in Education

10 Laws to Mention in Your Acceptable Use Training

If you’re developing an “Acceptable Use of IT Resources” training course (or even developing the policy itself), this blog post from TechRepublic is a very useful reference. It discusses 10 of the laws that apply to computer users (in the USA), and that might result in problems if your end-users are unaware of them.

The laws/regulations discussed in the article include:

  1. Digital Millennium Copyright Act (DMCA)
  2. No Electronic Theft (NET) Act
  3. Anti-Counterfeiting Trade Agreement (ACTA)
  4. Court rulings regarding border searches
  5. State and federal laws regarding access to networks
  6. “Tools of a crime” laws
  7. Cyberstalking and Cyberbullying laws
  8. Internet gambling laws
  9. Child pornography laws
  10. Pro IP Act

Fascinating reading, with a lot of gray areas in some cases.

Posted in Information Security

5 Reasons Why Security Awareness Training Programs Fail

All too often, I hear about security awareness training programs that fail. Here are some of the reasons that I hear:


  1. The information that they contain is inappropriate for the audience (usually far too complex).
  2. The presentation of the information is dull or dry.
  3. The program is too expensive to run on an ongoing basis.
  4. Students don’t have enough time to take the training.
  5. The program doesn’t fit with other training initiatives in the organization.

I’m not going to try to rank these in any kind of order. But, over my next few posts, I’m going to look at each of these in turn, try to identify the pitfalls, and give you some suggestions that may help you avoid them.

Posted in Education, Information Security

Security Awareness Training for Call Center Reps

Call centers often handle highly sensitive customer information, including financial data such as credit card details, Social Security numbers, and bank account details and, in some cases, health information. This means that they need to comply with an increasing number of regulations, such as PCI DSS and HIPAA, which require security awareness training for all staff, including full-time, part-time, temporary, and seasonal reps.

But security awareness training for the reps in a call center provides some challenges. In particular:


Posted in Compliance, Education, Information Security

H1N1 and Snowstorms – Training for Teleworkers

In a blog posting entitled “H1N1 and telework,” Akamai’s Senior Director of Information Security and Chief Security Architect, Andy Ellis, writes that:

[H1N1] affects us in the workplace. If an employee has a small child and they don’t have a stay-at-home caregiver, expect that they’re going to miss more time than in prior years … Also, you may want to suggest that employees with sick children stay at home even if they aren’t the primary caregiver, just to minimize workplace infections.

Andy then goes on to talk about the components of a telework plan that could be used to minimize the disruption.


Posted in Education, Information Security

Security Problems with Acrobat and PDF Files

PDF documents are no longer the security panacea we thought they were, and security awareness training needs to catch up with this.

For years, IT and security professionals have been advising people to distribute documents in PDF format rather than as Word .doc files. In part, this is because it prevents the average user from making changes to the document, but PDF was also perceived as being more secure, since Word files were known to carry macro viruses.


Posted in Information Security

Social Engineering Using Facebook

Banning social network use DOESN’T prevent it from being used for social engineering attacks.

An excellent article in Dark Reading describes how a security consulting company carried out an (authorized) social engineering attack on a client using information gleaned from Facebook. The client’s staff had posted information about what they did for the client (job titles, phone numbers, and email addresses) and personal data (appearance, height, weight, family background): enough information for the consultant to create a bogus business card and then bluff his way into the client’s offices.


Posted in Information Security