INFORMATION SECURITY AWARENESS TRAINING. A New Approach.

Transcription

1 INFORMATION SECURITY AWARENESS TRAINING A New Approach.

2 2 Information Security Awareness Training - A New Approach Introduction From Jason Baker, Head of Instructional Design EMEA, SAI Global Compliance The majority of medium to large companies have had some form of information security awareness training in place for a number of years. Elearning is an established medium for training large numbers of people cost-effectively, however, unless done well this can have limited success. Dull, uninspiring elearning which fails to engage learners and challenge their attitude toward information security, is unlikely to actually make them change the way they do things and make them behave in a more secure way, day in, day out. There is also the danger that employees may be suffering from elearning fatigue as the same content is rolled out year after year. As working habits evolve and new information security risks emerge, learning content needs to be re-assessed to ensure that it still covers all bases and is fit for purpose in today s workplace. What was considered reasonable even a few years ago may no longer be effective, leaving you vulnerable to a security incident. It s time for a fresh approach which addresses new and emerging risks, takes account of increased learner sophistication and is the lynchpin in your efforts to promote a security conscious culture. In this paper we will consider the changes taking place and how to create effective training to maintain and increase information security awareness amongst employees. THE EvOLvING SECURITY LANDSCAPE Recent years have seen major advances in technology and how it s used, both at work and at home, for business and social life. With the advent of smartphones, tablets and increased media coverage of new technology, people of all ages are becoming more tech savvy. The rise in social media use and the increasing use of cloud based services are further examples of the proliferation of technology and whilst this brings great benefits, it also brings new risks on a scale far greater than ever seen before. Difficult economic conditions have seen an increase in hacking incidents, with hackers citing a number of reasons for their actions, such as revenge, fighting against capitalism or just plain showboating to demonstrate what they can do. Notable hacking events include the Sony Playstation Network which has circa 70 million users, security firm RSA who were reluctant or could not confirm how many customers had been affected by their breach and Citibank which had data stolen from a percentage of its US customer base. Security policies which rely solely on technology will fail humans will be using the technology, therefore they will always be the first line of defence. The right training is required to build awareness and secure the perimeter. An effective information security strategy must ensure that software protection works in tandem with training to deliver secure processes and working practices. In light of significant technological advances and the resulting evolution in employees behaviours when using new technology, organisations needs to review their current security awareness programmes to ensure they are still effective, reflecting new working practices, the changing technological landscape and the needs of the user in today s workplace. MAJOR NEW CONCERNS FOR INFORMATION SECURITY Many employees are now finding that work life and social life are intertwined, therefore in order to tackle the latest information security threats, emerging working and social trends need to be analysed. In this section we focus on 3 of the most serious and dynamic concerns for information security professionals.

3 Information Security Awareness Training - A New Approach 3 Social Media Facebook currently has over 500 million registered users which, if it was a country, would be the third most populous in the world, after China and India. Twitter and LinkedIn have over 100 million users. The numbers for all of these social networks are still growing. Taking into account the information being posted on these sites and the well-documented issues over privacy controls, social media undoubtedly positions itself as a major topic of discussion when it comes to information security. Social media has revolutionised the way people interact. Users can share almost anything in an instant. Prior to social media you probably only shared your personal thoughts and reflections with close friends, whereas now it s possible that a friend from school that you haven t spoken to or met for 20 years knows exactly what you re thinking or what you re up to. Most worryingly for security professionals is the amount of easy to access personal information users of social media networks have on their profiles an absolute gold mine for social engineers and fraudsters. Some businesses have looked at the possibility of a total social media ban at work. Unfortunately a network ban to access social media sites is likely to be ineffective because of the many ways to access social media, for example, employees can still post thoughts via a mobile device. Despite most organisations now putting in place policies to try to manage social media use, it would be a huge task for even the most organised company to monitor the posts and activities of all their employees. The determination of people will find a way around an outright ban, unless their activities are challenged through knowledge of the potentially serious consequences of getting it wrong. For better or worse, employees behaviours have changed and the personal information. natural human instinct is to share; especially now it has been made so easy with the various platforms to publish your thoughts. A seemingly innocent statement posted online, such as referring to being offered a new job at a different company, can cause problems for employees and businesses equally as criminals look to exploit minute details to their advantage or competitors seek to gather intelligence on the company. One innocuous statement can lead to an employee engaging in an online conversation with the wrong person and in turn divulge information that should otherwise be kept confidential. Additionally, there s the urge for people to seek new information and keep track of what their contacts are sharing, which has led to an increase in clickjacking attacks on social media sites like Facebook. At the moment, the majority of clickjacking attacks are being used to make hackers money from click-throughs and page visits; however, it can only be a matter of time until more serious viruses are distributed in this way, looking to exploit any weaknesses in an organisation s I.T. infrastructure. An organisation s Security, Compliance and Human Resources departments need to come together to make employees aware that when using social media or maintaining any other form of online presence there is no such thing as a private conversation or secure personal information. There is a need for robust and well communicated policies and procedures alongside behavioural awareness training to reflect the changing working practices and give business the necessary protection against security breaches. Mobile working = mobile threats Security, Compliance and Human Resources departments need to come together to make employees aware that when using social media or maintaining any other form of online presence there is no such thing as a private conversation or secure The continuous development of new technology such as smartphones and tablets has seen more people working and communicating on the move. Whilst this has provided businesses with almost 24/7 access to their employees, it has also increased the chances of data leakage. A few examples of how mobile working can threaten data security include:

4 4 Information Security Awareness Training - A New Approach Losing smartphones or having a laptop stolen. Connecting to unprotected wireless networks. Leaving portable drives or memory sticks unattended or forgotten in public areas. These simple actions can have very serious consequences. Cracks in the cloud Most organisations provide smartphones in order to maintain contact with employees. However, as they are now a common accessory, many employees are given permission to bring their own devices to work and to access the company network. Whilst there may be a potential cost advantage in allowing an employee to use their personal device as a work phone, it does pose security threats. In addition to the threats listed above, smartphones can be susceptible to security breaches when third party applications are downloaded onto the device. These applications could harbour malware which is not only programmed to collect data from the device, but also infiltrate the network and glean data from that source too. The issues raised above may be rare, but this can often lead to complacency on the employee s part. Therefore, it s important that they are continually reminded and made aware of the risks and responsibilities of mobile working. Businesses are embracing technological change to bring efficiencies to their bottom line. One method is to utilise cloud computing. Policies and procedures in place to support staff are of little use if people aren t trained to adhere to them and Cloud computing has allowed companies to redesign their I.T. made aware of their responsibilities. infrastructure. This has helped to make companies more agile because employees can connect to data and other I.T. services easily without having to be in a fixed location, thereby making it easier to work from home or on the move. The benefits of being able to access information easily from anywhere is great, but unless the correct precautions are are taken, there is a huge risk that a company s data is vulnerable to attack from outsiders. Employees using cloud services need to be taught how to make sure they do all they can to keep information secure when accessing information using cloud servers this includes guarding their access credentials and permissions so no-one else can use them to access the network. Businesses migrating data and other services to a cloud based platform should look at it as an opportunity to improve their all round information security training. Ensuring users have the right level of security awareness can help ensure that any cost savings from moving to cloud computing, are not off-set by incurring losses from a data breach through employee misuse or ignorance of the risks associated with cloud computing. Policies and procedures in place to support staff are of little use if people aren t trained to adhere to them and made aware of their responsibilities. Benchmarking: Where are we now and where do we need to be? Why benchmark? Having looked at the evolving risks and working practices, the question arises how can a company assess what level of security awareness their employees have? An internal benchmarking exercise can provide valuable insight by enabling businesses to: evaluate current understanding; highlight knowledge gaps; and compare awareness to previous results once training has been completed.

5 Information Security Awareness Training - A New Approach 5 Evaluating, understanding and identifying knowledge gaps in security awareness will form the requirements for a new security awareness programme, ensuring that the right subject matter is being covered. Upon completion of training, further benchmarking should be conducted and results analysed to measure the effectiveness of the new training and whether there are further knowledge gaps which could pose a security threat. Which is the best way to benchmark? Benchmarking can be conducted in various ways from a simple multiple choice quiz, to an in-depth assessment or a fun informal exercise. In order to make benchmarking valuable, analysis of the key areas of concern in your organisation must be identified along with objectives, which are then applied to the benchmarking test. Generate questions or develop scenarios which relate to the organisation and that your employees will be familiar with. This should help them understand the test better. Using the results First and foremost results from benchmarking tests should be used to assess knowledge gaps or attitudes that could lead to insecure working practices. Analysis of results may show there is a common pattern emerging about specific elements of security awareness or a wider training issue is present. This can be fed into further awareness training which fills existing knowledge gaps to eliminate weaknesses in an organisation s human security, leading to continual improvement. Furthermore, identifying knowledge gaps in security awareness from benchmarking tests can be used as support by security professionals, when presenting to the board, a case to release budget for information security awareness training. Measuring the cost of implementing awareness training against potential financial and reputational damage adds value to the case for investment in security training and makes it tangible to an executive board as they can visualise the benefit in monetary terms. Board level management needs to understand that data breaches will not only affect the bottom line due to fines or costs to mend breaches, but also the possible revenue loss from brand damage, which is immeasurable. New approaches Security training is not just about ticking the box. Changes in the workplace require changes to current attitudes and behaviours through innovative and appropriate information security awareness training. To truly minimise the risk of data breaches as a result of human error, training must meet the needs of today s employees in order to be effective and really deliver positive and sustained behavioural development. Changes in the workplace require changes to current attitudes and behaviours through innovative and appropriate information security awareness training. People are the perimeter Spending vast amounts of security budget on new software and systems will fail, unless the people using it are trained correctly so they are aware of key security risks. The right information security training could be likened to brakes on a car good brakes will help you stop before you crash. Therefore, an effective information security awareness strategy is one which takes into account the requirements of the business and learner. Delivering the right content to the right people at the right time It is important to recognise that learners in an organisation are adults and as such best practice training uses effective adult learning and instructional design methodology to genuinely influence knowledge, attitudes and behaviour. Base-line awareness of learners has changed; they are more sophisticated and technologically astute, so treat them with respect by speaking to them with a language and in a tone that is appropriate for their level of knowledge and understanding. Often, it is people prioritising business needs over security, or laziness and complacency which leads to data breaches.

6 6 Information Security Awareness Training - A New Approach Guard against this by implementing a structured approach to security awareness which delivers the right messages at the right times, emphasising the importance of employee responsibility. In this day and age, the expectations of workplace training and education are higher amongst employees. Before commencing training, most employees will ask themselves: Why does this matter?, What does this have to do with my job? and What does this mean I have to do? Training content should answer these questions in one or more ways, including: Directly answering these questions: For instance, your introduction may begin: You ve been asked to participate in this training because you are in a position where you could compromise confidential information or privacy. Indirectly answering these questions: For instance, you may discuss potential consequences of not handling properly, situations where information and privacy are put at risk, so the learner understands his or her personal risks. Behavioural approach To create positive change, information security awareness training needs to focus on employee attitude and behaviour. Focusing on what they do and how their actions affect outcomes will enlighten and bring understanding to the importance of their day-to-day activities. To create positive change, information security awareness training needs to focus on employee attitude and behaviour. Challenging attitudes isn t about imparting technical details or making employees download vast amounts of information. For example, to an employee, simply knowing what social engineering is will not stop them from sharing their password in order to get something done to meet a deadline. Showing the consequences of poor password protection for them individually as well as the business will challenge their existing attitude and lead them to change their behaviour. New training courses should be about imparting knowledge of risks, consequences, precautions and behaviours, challenging current attitudes, making employees think about their actions and take personal responsibility. Focusing on behavioural change will keep content relevant and up to date, even when policies change and new risks emerge. Attitudes Enhanced Security Knowledge To achieve this, organisations should think about their employees and the situations they face which compromise information security and build scenario-based training content which will help raise awareness of the how, what and why of information security. Behaviour How might my actions lead to security breaches? What are the consequences of a security breach and how do they affect the organisation and me? Why do I need to be more vigilant? Emphasis on application, using good stories and scenarios are most favourable. Scenarios are an extremely effective method of feeding knowledge in a contextual way. They provide learners with a rehearsal for the real world but in a safe environment where they can make and learn from their mistakes without experiencing the consequences for real. Instilling a long-term behavioural approach to information security awareness training makes the training tangible to employees and easier to embed in their day-to-day activities. This approach will bring about better knowledge and understanding, along with changes in attitude and behaviour, leading to enhanced security awareness. Time constraints Increasing pressure on productivity is increasing a demand for shorter seat time. The drawback with many current training

7 Information Security Awareness Training - A New Approach 7 programs is that they take too long as a result of either taking employees away for group training or long elearning modules at a desk. It is widely recognised that long training sessions can result in participants becoming bored, losing concentration, disengaging and absorbing less information, and thereby cause the training to be less effective. Shorter training is therefore beneficial as it firstly reduces the amount of time employees spend away from their desks, meaning negative impact on productivity is reduced and secondly it delivers content in a timescale that will not lead to a loss in concentration amongst learners. Focus on behaviour and stranding to achieve shorter timescales. Benefits of bite-sized elearning: Reduced seat-time allowing employees to get back to work quicker. Increased employee engagement in training content. Flexibility to fit into employee s work schedules. Culturally relevant As companies become more international, it is essential that awareness training is culturally relevant. Using cultural markers that are relevant to your audience can help avoid serious barriers to communication that could result in less effective training. Creating content which is adapted to the different cultures within a global organisation supports employee engagement and understanding for whichever location they may be working at, thus ensuring the training delivered can be put into practice. For a cultural shift to be achieved in an organisation, besides tailoring key messages and concepts to fit different ethnicities, customs and preferences, efforts should be made to adapt training so it is relevant to an employees job-role and industry. Acknowledging the characteristics of specific job-roles, in the production of a training programme, will improve that employee s ability to identify and appreciate the risks associated with information security breaches and how they can help prevent them. Endorsing education through engagement The role of senior management is imperative to the success of any training programme. Allowing time for training and endorsing new training techniques will demonstrate the importance of the content being delivered. Leaders within an organisation should engage with employees and provide feedback to deliver key messages. A useful approach to initiate discussion and feedback is to use transfer-to-workplace activities. Many courses simply finish with a test at the end to measure how well the learner has absorbed the key messages presented. However, transfer-to-workplace mechanisms such as Springboard Activities encourage learners to apply what they have learned to their day-to-day role. A Springboard Activity is typically a printable worksheet introduced in and downloaded from a course, which asks learners to consider a task or project on which they are currently working and note their answers to a series of questions probing how the decisions they may make have been influenced by what they have learned. These mechanisms are most effective when the appropriate line manager has an opportunity to review and discuss the completed Springboard Activity with the employee to ensure the key messages have been satisfactorily understood and offer further support if required. best way forward In conclusion, a new bite-sized, behavioural approach to information security awareness training will bring advantages to an organisation s integrated security programme. A structured, on-going approach, delivering the right content at the right time in the right tone, with emphasis on challenging attitudes and behaviours, and helping transfer what has been learned to day-to-day activities, will ensure that employees are aware of the risks and their responsibilities and are taking the necessary precautions.

8 8 Information Security Awareness Training - A New Approach Companies will undoubtedly have software and systems in place to guard against security breaches, but without trained employees the people who use the software and systems mistakes and breaches are always likely to happen. On the other hand, clued-up employees, who are aware of the consequences of their actions, are less likely to make mistakes leading to expensive data breaches. So instead of focusing on technology, think about training your first line of defence the people using the technology - and make them aware of their responsibilities by challenging their attitude and behaviour to information security. Information security awareness planning checklist 1. Benchmark Carry out an internal benchmarking exercise to find out where the current level of employee understanding and awareness. 2. Gap analysis Identify knowledge gaps from the results of the benchmarking exercise. Feed this into the development of the curriculum for employee information security awareness training to ensure the right content is delivered and all risk areas covered. 3. Define the learning outcomes Produce an awareness curriculum covering the areas which need most attention. Remember to include content covering traditional issues and evolving security risks to create a comprehensive awareness training programme. 4. Align outcomes with business objectives Check that the content covered in the training programme fits in with the wider business objectives. Doing so makes it tangible to senior management, who will be more likely to buy into information security awareness training if they can see how it helps to achieve goals set by the business. 5. Deliver engaging training Behavioural, scenario based, bite-sized modules will keep employees engaged and promote better understanding of their responsibilities when it comes to keeping information secure. 6. Measure Assess the understanding of employees after they ve completed the training through a Knowledge Check assessment that focuses on the identification of and response to practical risks. Additionally, debrief teams on the risks and precautions they identified in their own roles when completing their transfer-to-workplace Springboard Activities to further measure the practical impact of the training. key characteristics of effective information security awareness training 1. Make the content engaging and interactive. Learners will take in more information if they can get involved with training. Include activities during or after training to promote the right behavioural changes. 2. Implement a flexible programme which allows you to deliver the right content to the right people at the right time. Look to use shorter, bite-sized elearning modules to reduce impact on productivity and sustain learner concentration. Transfer-to-workplace activities will aid learner engagement. 3. Ensure the content is relevant to the organisation, employee s job-role and industry. Using scenario-based concepts in training will aid employee awareness of the risks associated with their job-role and how it could affect them and the business. 4. Acknowledge cultural differences. Global organisations should develop learning content which is culturally appropriate and uses the right language so all employees can identify their responsibilities and the consequences their everyday activities have on the company. 5. Create a sustainable culture of security awareness by making information security awareness training an on-going commitment. Continuously improving employee knowledge and promoting positive changes to behaviour and attitudes relating to data protection and privacy will lead to enhanced security awareness.

9 USA Houston, TX T: F: Plainsboro NJ T: +1 (877) 470-SAIG [7244] F: Waltham, MA T: F: Alpharetta, GA T: F: Europe Warwickshire, UK T: +44 (0) F: +44 (0) Australia Sydney T: F: Southbank T: F: Osborne Park T: F: About SAI Global SAI Global Compliance is the world s leader in providing organisations with a wide range of governance, risk and compliance (GRC) products, services and technology that help build organisational integrity and effectively manage compliance risk. Our global staff includes professionals and subject matter specialists in advisory services; programme design, management and implementation; instructional design; and software development. Our focus is to help establish and enhance compliance effectiveness. With well over a thousand organisations as clients and tens of millions of satisfied users around the world, we work with clients to integrate a flexible suite of solutions and services specifically tailored for a business and industry. Our products include the world s largest library of compliance and ethics learning, Code of Conduct advisory services and training, and the Compliance 360 GRC Software Suite to manage compliance, policy, case and audit management. Our Cintellate EH&S Software addresses key issues in operational environmental health and safety management. For more information, please call us at the full service location nearest you or visit SAI Global Ltd. The SAI Global name and logo and Cintellate name are trademarks of SAI Global Ltd. Compliance 360 is a registered trademark of Compliance 360, Inc., an SAI Global company. All Rights Reserved. ISAWP1204a