What are the benefits of employee security awareness training?

In this Q&A, security management expert Mike Rothman discusses the short-term and long-term benefits of employee security awareness training.

What are the short-term and long-term benefits of employee security awareness training? How often do you recommend offering security awareness training, and what kind of follow-up training is advised?

Security awareness training is a key aspect of security. I always recommend that it be a part of any security program, but many times I'm swimming upstream. That's because a lot of security professionals get frustrated due to lack of results and unsatisfactory user compliance. In fact, I devoted an entire step of my Pragmatic CSO methodology to security awareness training; it's one of the 12 steps to becoming a pragmatic CSO.

Contrary to popular belief, security awareness training can pay off right away. Short-term benefits include employee awareness of acceptable behavior. Most organizations discuss acceptable use policies at employee orientation and never bring them up again, which is inadequate training. IT security awareness training teaches users not only what they can do to prevent malicious activity, but also how to detect attacks, so employees gain a better idea of the prevalent attack vectors.

In the long term, employees can and should be the "last line of defense." The reality is a determined hacker can get into your network -- period. Training your users makes the attacker's job harder, and if a network is difficult to penetrate, many hackers will move on.

Training should also apply to social engineering, or the art of separating private data from employees through confidence games, lying, or other non-technical approaches. There are no technical defenses for a social engineering attack, so in this case, user education is the only defense you have.

To be clear, user education is not a panacea. Adequate layers of protection should be deployed to eliminate separate points of failure -- including your users.

In terms of frequency and follow-ups, a strong education plan requires perseverance and consistency, even when employees make mistakes. I recommend that training start on the first day of a new employee's orientation and continue monthly, with new lessons, quizzes, games, etc. Employees should be reminded of the acceptable use policies and tested to ensure they understand simple security defenses at least every six months.

This was last published in February 2009

Comment:
I agree that it’s often an uphill battle to establish an effective security program. One thing that I’ve seen help is when the company includes security awareness tips in the daily emails sent out by corporate communications. These tips often link back to materials on the intranet. Additionally, when a specific threat has been identified, such as someone receiving a phishing email, the entire company is notified, both via broadcast email and posted flyers. I believe this helps the employees stay more aware of security than they would be without these frequent reminders.