Security Awareness Training: do you cringe a little when you hear the term? You may not want to rely on a bare-minimum program, but sometimes it is the only option as you deal with time constraints, employee availability, and lack of interest. Training can be a frustrating situation for both the trainer and the trainee. Employees can be the most powerful security layer in your information security program and, by the same measure, its greatest weakness. Their ability to "sense" when something's not right is what can make them your most effective security control.
One way you can utilize this super-security power, which only humans possess, is to pump up your security awareness program. Consider this great training tip. One of my coworkers performs social engineering tests as part of our penetration testing for customers. It's interesting to listen to his side of the phone call as he kindly explains the reason he's calling and asks for a couple of simple clicks "here and there," "thank you for your time," and then it's over. It is so easy and pleasant. This is a tactic that attackers use, and I think we all could take a tip from it. That's what you want for your security awareness training – to both seem and be simple, interesting, and valuable for your users. Here are a couple of methods to help move in that direction.
Visual reminders are an easy way to provide continuous security awareness. Put an interesting poster or article up in the break room, or anywhere else that employees frequent. Send out monthly "tips and tricks" emails; a monthly email is a great way to keep things simple yet continuous. Design some swag. A few years back our company was in the market for some new swag: pens, chip clips, etc. We ended up purchasing cases of sticky notes with the phrase "Do not write your password here." It may seem like a no-brainer, but it's a strong deterrent to keep employees from writing their passwords on a sticky note.
Good educators know one of the best methods for a student to truly learn a concept is for them to take ownership of the information and feel they need to teach it themselves. Students not only need to feel they've mastered a concept; it must also provide value for their life. To instill ownership of security awareness in your employees, you must make the information valuable to them on as many levels as possible. They need to see that security awareness not only protects the company but also protects them personally. One great topic for both work and home security is passwords. The sheer number of passwords we each have to manage is reason enough for concern. Teach employees the value of password management applications, like Secret Server, LastPass, or Password Safe. Another way to instill ownership is to focus your content by department. If you can get buy-in from department heads, getting the attention of their employees is much easier.
As you continually educate your users, keep it simple and focus on one topic at a time. Whatever you do, remember everyone likes a good story. A great communication tool is to share recent security "horror stories." Those do a great job of hitting home for users.
In order for your users to take ownership of protecting information and defending it from unauthorized access, use, disclosure, perusal, or destruction, you have to help them see the relevance and value, and do so in a way they can enjoy and understand.