Does Your Company Have A Security Awareness Training Program?

It would be great if companies included information security as a portion of their “new employee welcome orientation” sessions. Best led by a member of the IT/InfoSecurity team, this InfoSecurity Awareness Training would be a great way to educate and empower employees to be safe computer users and simultaneously protect the company’s data, network, and tech resources.

The training should focus on software security awareness, computer and network security awareness, and social media awareness (a discussion of the company’s policy for access to social media during business hours as well as any other company policies about content – if access is allowed). Emphasis should be given to complex password/login creation, use of USB drives, virus attacks, and disaster recovery plans.

Other topics to discuss include good security practices, such as, make regular back-ups, encrypt sensitive data, turn off computers before leaving the office, carefully dispose of storage devices, don’t install illegal copies of software or any other personal software on company computers or devices. With today’s on-the-go and work-from-home workforce, it is also worth discussing the importance of secure Wi-Fi – best not to just open a laptop anywhere. In addition, smartphones can be hacked. Create passwords for all portable devices including smartphones, laptops, eReaders, tablets, etc. And if a security breach happens, alert the appropriate IT/InfoSecurity team immediately.

The bottom line for IT professionals is to do your research. Before you start drafting a security awareness program, you need to know as much as possible about your technology environment. Learn how your company obtains, uses, stores, and shares information – and also understand the dynamics of your company’s specific industry – because security measures will not be the same for a bank vs. a hospital vs. a restaurant vs. a construction company.

If an IT manager doesn’t understand how a company is using its systems, it’s impossible to determine accurate security levels. In addition, find out who has access to what information and why – as well as who needs access to what information and why. Review and cross-reference the two lists to determine if the names included are correct based on job functions and responsibilities. A great idea would be to engage leaders from throughout the company who represent different specialty areas so that they too can support the security awareness program.

For security awareness to be effective, it cannot be a single event. In today’s era of data breaches and malware attacks that appear too often, companies must promote security awareness to all employees. An effective addendum to a security awareness training program should be weekly email newsletters sent to employees with “quick tip” reminders. If such a program is implemented, companies should require employees to sign off on the key elements of the program, just as they do when they receive new employee manuals.

Companies need to be proactive in their security protection – and all employees must do their part – but they need a security awareness program with regular updates to accomplish this.


About Allan Pratt

Technology and cybersecurity professional with focus on tech news, cybersecurity, networking, infrastructure, data protection, consumer electronics, and social media.
This entry was posted in Business Process, Data Security, Network Security, Social Media. Bookmark the permalink.

5 Responses to Does Your Company Have A Security Awareness Training Program?

  1. Allan, Great post & thanks for getting the word out about this. I found some companies have instituted a program but these need to be refreshed and updated to include policies reflecting the influx of social networking, personal devices, and smart phones in the work place. In addition, several programs that I have reviewed are considered a task on the checklist to be completed and not delivered in a way that the employee can remember at crucial moments. For example, most of us know to be suspicious of email links but when under time pressure, more than 1 financial person at a company has inadvertently clicked on a link giving bad guys access to information and bank accounts. Keep up the great work!

  2. Great Post.
    It’s unfortunate that awareness training ISN’T a regular part of companies ongoing training. At best I see companies providing it re-actively after an incident has occurred

  3. Katie Weaver says:

    Great post Allan and good overview of the many elements of a comprehensive security awareness training program. As you mentioned, security awareness training is not a one-size-fits-all. Organizations must customize their awareness training to fit their specific organization and the risks and challenges for their employees. Because threats, risks, and obligations are changing every day it is critical for an awareness program to be ongoing and include real-world examples and case studies to help employees (and third-parties) understand why organizational policies and procedures are in place. We often say, wouldn’t it be great if there was anti-virus software for people – they could just get updated each morning with new risks, threats, best practices, etc?

  4. Stone Carlie says:

    Thanks for addressing this. So many people don’t realize how important these extra measures can be to make sure their company’s data, network, and tech resource are secure. As an owner of a CPA firm in St. Louis, there are multiple frightening aspects of cybercrime. In my opinion confidential data is not completely secure unless the employees are trained in security awareness policies and procedures. We at Stone Carlie have a new Information Security Awareness Blog that provides a list of proactive tips of things to do to secure your workforce. We’re excited to share our information with those interested and we definitely plan to keep an eye on your blog. Thanks for sharing!

  5. Allan, you are so right! As they say, the human factor is the weakest link. Training is so very important. I am literally shocked by some of the lack of security of big and small law firms. It is so challenging to keep up with all the tricks of cyberspace. Thanks for the blog- I would love specific recommendations of products for managing passwords, electronic shredding, etc. For non-techies who are privacy conscious, we need guidance. Thanks so much.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s