Several months ago, I stumbled across a comic that was a perfect representation of the battle institutions and IT departments face every day. It was a boxing ring, with a ring announcer introducing the participants in the corners of the ring. One corner contained firewalls, encryption, antivirus software, and other layers of data security while the opposing corner contained "Dave," a hapless user wearing a shirt emblazoned with the words "Human Error." This comic is both funny, because many of us know a "Dave," and disheartening, because no matter how much money and time are spent on network layout, configuration, and security, the harsh reality is it only takes one user on the other side of the mouse, clicking on the wrong item, to wreak havoc on your network. While incidents are still going to occur, they can be reduced with routine and thorough employee security awareness training.
What defines routine and thorough training will vary within your organization and users. For instance, some of your users might be fine with annual security awareness training while others will need training more often (and you can probably name these users off as you read this article). Regardless of the schedule of training, the topics covered should be fairly consistent, although the methods to cover those topics could vary. Let's walk through some of those topics and methods below.
One of the most common training methods is social engineering performed via phone calls or phishing emails. While the email option can target a far greater number of users, phone calls are a more personal approach and can be surprisingly effective. Emails can typically be included along with an external penetration test or sent separately using a number of online providers at your convenience. The variety of topics for this option is far greater than phone calls and can range from important patch updates to customer survey links. A word of caution, however, with using a company or government logos in these phishing emails, as improper usage could lead to problems with the trademark owner. Phone calls are trickier, but like emails, they are usually scheduled as part of an external penetration test and can include online surveys, website functionality testing, etc. Regardless of the method and option chosen, social engineering tests are very beneficial in not only reiterating to users that random links or phone call requests should not be blindly followed but also to aid in determining which users need additional training throughout the year.
Another social engineering option, which again can typically be scheduled alongside the penetration test or external audit, is in-person testing. Someone can visit different locations and try to access sensitive areas or equipment without gaining the proper approval. The level of detail in how these tests are performed varies. Methods typically include using contact information of actual employees but can range from including real names and reasons for being onsite to pretending to be another company providing services such as network or AC repair. While both methods can be very effective at identifying weaknesses in employee security awareness, a word of caution must again be stated about impersonating actual companies or using clothing or equipment with trademarked logos. It doesn't matter how much the scenario matches something cool seen on TV if you end up receiving a notice from the company that was spoofed.
The final method we'll discuss is arguably the easiest to perform. This method is simply providing relevant material to the employees on a variety of security topics using whatever means are simple and cost-effective. This includes organization-wide emails on what to look for in phishing emails (preferably sent before the actual social engineering test), online training through a number of providers with tracking for pass/fail, and in-person presentations using PowerPoint. Which topics are chosen is up to each organization, but in addition to the previously mentioned phishing emails and physical security awareness for visitors asking for access, you can include information related to spotting fraudulent wire requests, safely surfing online (while re-stating the information found in the Employee Handbook and Acceptable User Policy related to personal use of Internet and acceptable content), using strong passwords that aren't written down or reused between sites, and avoiding online scams or fake sites.
As nice as it would be, security awareness training is not a one-and-done situation. It takes reminders, often times presented in different ways through different scenarios, to prevent users from letting others gain access to what you've worked so hard to protect. The good news is people usually learn from their mistakes and take the necessary steps to prevent the same mistakes from happening again. Except for maybe Dave.[JS1]