I think security awareness programs can be made effective if the following options are included and the security team has the bandwidth (time and money) to execute them -
Visual Awareness
The simplest, yet still very effective, awareness option is to cover a single security topic each month via newsletters, posters and short articles of no more than 3-4 lines. An example would be a "Did you know" paragraph in departmental newsletters or reports.
Interactive Awareness Sessions
To make the awareness sessions interactive and engage the employees, the Security Team can utilise the following two approaches –
Team Meeting Presentation: Attend team meetings (1-2 per year for each team) for roughly 8-10 minutes to present a security topic and hold an interactive session to raise awareness. The topic can be tailored to what each team is interested in.
Phishing Campaigns: Run phishing campaigns across different teams to measure the effectiveness of the training imparted.
Computer Based Targeted Training
SANS has excellent CBTs for targeted training of different user groups. The following are from the SANS website and target different user groups -
Engineers – SANS “STH.Engineer” focuses on security behaviours for individuals who interact with, operate, or support Industrial Control Systems. This computer-based training solution provides an introduction to ICS, details types of ICS attacks, covers basic system and network defence approaches, and reviews ICS governance and policy best practices.
Developers – SANS “STH.Developer” educates everyone involved in the software development process, including developers, architects, managers, testers, business owners, and partners. This reduces the chance that our organization will become a victim of today's data security threats and ensures our team can properly build defensible applications from the start.
All IT staff – SANS “End.User” training covers different aspects of security using the SANS 20 critical controls. Awareness of these controls will help all the teams, and especially the Infrastructure teams, to make security-conscious decisions.
But the most effective approach is to engage the teams in their day-to-day processes and also while resolving pentest or audit items. Instead of just asking them to fix the issues highlighted, working with the teams, explaining the impact of each issue and showing them how to verify that the issue is fixed will raise more awareness and also build ties between the security team and the other IT teams.