What are the short-term and long-term benefits of employee security awareness training? How often do you recommend offering security awareness training, and what kind of follow-up training is advised?
Security awareness training is a key aspect of security. I always recommend that it be a part of any security program, but many times I'm swimming upstream. That's because a lot of security professionals get frustrated due to lack of results and unsatisfactory user compliance. In fact, I devoted an entire step of my Pragmatic CSO methodology to security awareness training; it's one of the 12 steps to becoming a pragmatic CSO.
Contrary to popular belief, security awareness training can pay off right away. Short-term benefits include employee awareness of acceptable behavior. Most organizations discuss acceptable use policies at employee orientation and never bring them up again, which is inadequate training. IT security awareness training teaches users not only what they can do to prevent malicious activity, but also how to detect attacks, so employees gain a better idea of the prevalent attack vectors.
In the long term, employees can and should be the "last line of defense." The reality is a determined hacker can get into your network -- period. Training your users makes the attacker's job harder, and if a network is difficult to penetrate, many hackers will move on.
Training should also cover social engineering, the art of extracting private data from employees through confidence games, lying, or other non-technical approaches. Technical controls offer little protection against a social engineering attack, because the attacker exploits the person rather than the system, so in this case user education is the main defense you have.
To be clear, user education is not a panacea. Adequate layers of protection should be deployed so that there is no single point of failure -- including your users.
In terms of frequency and follow-ups, a strong education plan requires perseverance and consistency, even when employees make mistakes. I recommend that training start on the first day of a new employee's orientation and continue monthly, with new lessons, quizzes, games, etc. Employees should be reminded of the acceptable use policies and tested to ensure they understand simple security defenses at least every six months.
This was first published in February 2009