Information security awareness and training is one of the most effective ways to protect company data since so many security risks are caused by user error, misconfiguration and mismanagement. The primary goal of such programs is to minimize these issues by educating users on their responsibilities for ensuring the confidentiality, integrity and availability of information as it applies to their roles within the company. However, according to a Forrester report titled “Reconfigure Your Human Firewall,” only around one-third of employees receive security training, and less than half are aware of their organization’s security policies.

Developing a Strong Security Awareness and Training Program

An effective security awareness and training program begins with establishing clear and enforceable policies. Since policies are essentially the laws of the company and their role is to influence behavior, they should be:

  • Clear, concise, role-based and enforceable;
  • Developed at a high level, with input and consensus from senior management; and
  • Reflective of business requirements.

Procedures, standards and plans are linked to policies because they describe the steps required to achieve compliance with the policy. For security concerns such as acceptable use and remote access, companies should have one- or two-page policies that are easy to read and understand. Users should then be educated on these documents so that they understand how their responsibilities play a vital part in the overall security strategy.

Keep in mind that users tend to pay less attention to issues that don’t directly affect them. You should take time to educate users on the negative consequences their poor security practices and behaviors can have on the company and themselves. Ensure that security awareness and training is completed by all workforce members, including employees, contractors, consultants and part-time personnel. Initial and annual awareness training should be mandatory and followed up with ongoing education about new and emerging security issues.

Training programs should focus on issues such as:

  • Acceptable use of information assets;
  • Password protection;
  • How to handle sensitive information in both paper and electronic form;
  • Validating requests for information about the company, business partners or other stakeholders;
  • Legal and regulatory responsibilities and consequences;
  • Safe computing practices;
  • How to recognize a threat or security incident; and
  • Who to call in the event of a suspected or actual security incident.

The Power of Positive Reinforcement

Consider creating incentives for your team to act on security threats. One of the best methods for reinforcing security awareness is to reward users for positive behaviors. For example, one company implemented and enforced a policy that required users to log out of their computers by hitting CTRL-ALT-DELETE before they left their seats. Rather than pursuing and punishing the users that neglected to do this, management rewarded those who did, and word traveled fast. Eventually, this positive reinforcement influenced others to do the same.

Another company instituted a program in which they randomly called the help desk and tried to improperly reset a password. If the help desk representative followed procedure, management rewarded him or her on the spot. Ideally, rewards should be material and not merely pats on the back, since gold stars stopped working in grade school; cash, gift cards and discounts never lose their popularity. By rewarding positive behavior, you can influence and motivate more effectively.

Building a Culture of Security

When it comes to assessing user awareness of security violations, ask these three questions:

  • Would the user know if an action was right or wrong?
  • Would the user choose to report a violation?
  • Would the user know how to report a violation?

If users answer "yes" to all three questions, then you are on your way toward building a strong security culture. On the other hand, if you received a lot of "no" answers, it's time to enhance your security awareness and training.

Companies should protect their users against threats such as viruses, phishing attacks and data breaches by implementing appropriate security controls in addition to intrusion detection systems, access management and a variety of other technology solutions.

Still, some of the biggest organizational challenges don’t originate from technology. They stem from the tone, attitude and practices of top management. If business leaders don’t consistently lead by example to promote a security culture or ensure clear, enforceable policies, effective awareness and training are difficult to establish. Executives who never wear a security badge or who share their passwords with assistants can’t expect others to do any better. Those who properly implement security awareness and training programs, however, can nudge their organizational culture in the right direction and reduce the risk of cyberattacks.
