Interactive Approaches to Security Awareness Training Pay for Themselves
Mon, February 11, 2013
Network World — This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
New sophisticated attacks designed to take advantage of security-challenged end users are evolving so rapidly that technology solutions, security policies and procedures alone cannot protect critical company assets and data. Recent research from Deloitte revealed that 70% of the companies surveyed indicated that employee mistakes were a major threat, with lack of security awareness being cited as a major vulnerability.
While attacks that exploit employee lapses in judgment can slip past even the best network defense systems, companies can limit the risk by fostering a people-centric security culture that evolves as the threat landscape changes. To be successful, training programs must be designed to consistently inform employees about the latest security threats, how they can prevent successful attacks, and why their role within security is vital to corporate health.
This cannot be achieved through a once-a-year event featuring boring and antiquated classroom or video training sessions. Modifying employee behavior that often favors convenience and efficiency at the expense of security is a significant challenge that involves much more than an annual fire-hose treatment for awareness.
Chris Christiansen, program vice president for IDC's Security Products and Services Group, notes that threats are evolving at a rapid pace as employee adoption of mobile computing and social networking has skyrocketed. He adds, "The old once-a-year 'check box' approach to security training cannot keep pace. It is time for employees to understand the importance of security policies and learn how to put them into practice."
While gaining employee participation in security awareness programs may seem like an insurmountable obstacle, new breeds of interactive security assessment and awareness training software can significantly increase employee participation, deliver measurable improvement in security knowledge and behaviors and often lower overall costs.
Security officers who retire their old PowerPoint training presentation in favor of new security assessment and training software are seeing positive results -- including up to a 70% reduction in susceptibility to employee-targeted attacks, which translates to fewer breaches and lower remediation costs.
If you are ready to give people-centric security a chance, here are some key education tactics that help support a successful security awareness program:
* Prioritize and focus -- Successful security training is a process, not a one-time event. Security training solutions that include analytics help organizations assess human risk factors across multiple attack vectors, including email, mobile devices, social networking and passwords. This allows security officers to create a customized training program that addresses the most prevalent or risky employee behaviors first. The best results are achieved by setting realistic goals to modify two or three risky security behaviors at a time. As progress is made, more risks can be addressed with the addition of new training modules.

