By Center for Internet Security
As organizations work to make internal processes and personnel more secure, it is worth asking, "Are we doing enough?" Rehashing the same annual awareness training or yearly email phishing campaign may not be enough to thwart ever-evolving attacks and malicious activity.
To combat "training fatigue," which leads users to stop practicing the controls that the training preaches, it makes sense to adopt more interactive methods of cybersecurity policy awareness and training. These come in many forms:
- Phishing campaigns: Conducted by an internal “red team,” internal phishing campaigns can train employees to spot and report suspicious emails they may receive.
- Tabletop exercises: These discussion-based exercises walk employees through how they would handle an incident such as a DDoS attack or a website defacement.
- USB drops: Are your employees trained to handle a USB device they find lying around? Find out with these exercises.
Be sure that these training methods are not simply run once and then forgotten; cybersecurity awareness is a continual process of integrating behavioral change into business processes. Technical controls can significantly improve security posture (implementing SPF, DKIM and DMARC to reduce the risk of a successful phishing campaign, for example), but they should not be the only assessment performed against your organization. In addition to conducting training and awareness programs, managers should invest in understanding the analytics those programs produce, such as how many users clicked and how many reported.
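The SPF and DMARC records mentioned above are only a control if they are configured to enforce anything. As an added example (not part of the CIS article), the following Python script lints SPF and DMARC TXT records for the weak settings that most often leave a domain spoofable: a permissive or missing `all` mechanism, too many DNS-querying terms, a `p=none` or partial-`pct` DMARC policy, a subdomain policy weaker than the organizational one, and a missing aggregate-report address. The records are constructed sample strings on the reserved `example.com`/`example.net` domains; in practice you would fetch them with `dig TXT example.com` and `dig TXT _dmarc.example.com`. DKIM is out of scope here because judging it requires a signed message, not just a DNS record.

```python
"""Lint SPF and DMARC TXT records for settings that leave a domain easy to spoof.

Pure string parsing, no DNS lookups, so it runs offline on records you paste in.
"""
from dataclasses import dataclass

# Terms that cost a DNS query; RFC 7208 section 4.6.4 caps them at 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass(frozen=True)
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "critical", "high", "medium" or "low"
    message: str


def parse_spf(txt: str) -> list[str]:
    """Return the SPF terms after the version tag, or raise if this is not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    return terms[1:]


def _spf_name(term: str) -> tuple[str, str]:
    """Split a term into (qualifier, mechanism name); the default qualifier is '+'."""
    qualifier = term[0] if term[0] in "+-~?" else "+"
    body = term[1:] if term[0] in "+-~?" else term
    name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
    return qualifier, name


def check_spf(txt: str) -> list[Finding]:
    findings: list[Finding] = []
    terms = parse_spf(txt)
    parsed = [_spf_name(t) for t in terms]

    # 'all' decides the fate of any sender that no earlier term matched.
    all_terms = [(q, t) for (q, n), t in zip(parsed, terms) if n == "all"]
    if not all_terms:
        findings.append(Finding("SPF", "high", "no 'all' mechanism: unlisted senders get a neutral result"))
    else:
        qualifier, term = all_terms[-1]
        if qualifier == "+":
            findings.append(Finding("SPF", "critical", f"'{term}' passes every host on the internet"))
        elif qualifier in "~?":
            findings.append(Finding("SPF", "medium", f"'{term}' is soft-fail/neutral; most receivers will not reject on it"))

    if any(n == "ptr" for _, n in parsed):
        findings.append(Finding("SPF", "low", "'ptr' is deprecated (RFC 7208 section 5.5) and slow to evaluate"))

    lookups = sum(1 for _, n in parsed if n in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(Finding("SPF", "high", f"{lookups} DNS-querying terms exceed the limit of 10: receivers return permerror"))
    return findings


def parse_dmarc(txt: str) -> dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict; the first tag must be v=DMARC1."""
    tags: dict[str, str] = {}
    for chunk in txt.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError(f"malformed DMARC tag: {chunk!r}")
        key, value = (s.strip() for s in chunk.split("=", 1))
        tags[key.lower()] = value
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("not a DMARC record: must start with v=DMARC1")
    return tags


def check_dmarc(txt: str) -> list[Finding]:
    findings: list[Finding] = []
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        findings.append(Finding("DMARC", "high", f"missing or invalid policy tag p={policy!r}: receivers ignore the record"))
    elif policy == "none":
        findings.append(Finding("DMARC", "high", "p=none only monitors; spoofed mail failing SPF and DKIM is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "medium", "p=quarantine sends failures to spam instead of rejecting them"))

    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(Finding("DMARC", "medium", f"pct={pct}: policy is applied to only that share of failing mail"))

    # sp= governs subdomains; without it they inherit p=, which is fine unless sp= is weaker.
    sub = tags.get("sp", policy).lower()
    if sub in POLICY_RANK and policy in POLICY_RANK and POLICY_RANK[sub] < POLICY_RANK[policy]:
        findings.append(Finding("DMARC", "medium", f"sp={sub} lets subdomains be spoofed under a weaker policy than p={policy}"))

    if "rua" not in tags:
        findings.append(Finding("DMARC", "low", "no rua= address: you get no aggregate reports showing which legitimate senders fail"))
    return findings


# Constructed sample records (not real domains' data), weak beside corrected.
WEAK_SPF = "v=spf1 include:_spf.example.net ptr +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com; pct=100"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(f"== {label} ==")
        for f in check_spf(spf) + check_dmarc(dmarc):
            print(f"[{f.severity}] {f.record}: {f.message}")
```

The "strong" pair produces no findings; the "weak" pair reports `+all` (anyone may send as the domain), the deprecated `ptr` mechanism, `p=none`, `pct=50` and the missing `rua=`. Run it against your own records after a phishing exercise: if the simulated emails spoofed your domain and still arrived, one of these findings is usually why.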
Improving privacy and awareness
With GDPR now in effect, it is essential that organizations implement security in the form of role-based access control (RBAC). Privacy, a key component of GDPR, has become a highlighted requirement for organizations, especially those that manage and safeguard personally identifiable information (PII). Every industry (healthcare, finance, academia, etc.) maintains data that requires some form of protection. As this data becomes more integrated across business units and functions, knowing what types of data you manage lets you build training programs specific to it.
Often, awareness training requires multiple approaches. For example, you might conduct a phishing exercise against a single department, or use a multi-email phishing approach across the whole organization. This lets the organization gauge clicks more authentically, rather than having the exercise defeated by the murmurs of "Hey, don't click that!" that spread through an office quickly. You will also want to account for different learning styles: for some, a slide deck may be enough; others need a more hands-on approach to security training. A strong training program combines multiple approaches to cover a variety of training techniques and learning styles.
This article was originally published on https://www.cisecurity.org/ and has been posted here with their permission.