You might have been avoiding it until now – thinking that social networking (Facebook, MySpace, LinkedIn …) is just a passing trend, or it’s only used by teenagers, or people only use it to exchange photos and jokes. But, if you haven’t already realized it, social networks are here to stay, being used by people of all ages and social groups, and are having significant impacts (both positive and negative) on business. So, if you’re not already dealing with social networking as part of your security awareness training, you need to start now.
You can have the best content in the world – well-written and illustrated, perfectly aimed at your target audience … – and your program will still fail if the delivery is poor. Whether it’s a boring presentation in the classroom, or web-based training that simply doesn’t work on the students’ PCs, focusing on content at the expense of presentation can doom a security awareness training program from the start.
Here are three of the ways that I’ve seen poor delivery kill awareness training programs.
If you’re going to use PowerPoint to present security awareness training to a class of students, or perhaps to make a business case to your senior management, here are some suggestions from Seth Godin about how to make the best use of the tool. Written a few years ago, but still highly relevant.
When creating security awareness training materials, it’s tempting to explain to students exactly how they should scan a file for viruses, the steps to take to check an SSL certificate, how to examine the headers of an email …
Don’t.
You have very limited time and a lot of topics to cover. And most of your students will forget any detailed information that you cover. So focus on the bigger picture. Make them aware of the threats, and what they need to do in broad-brush terms. Then provide students with easy access to the “how to” information so that they can find it when they need it.
In my experience, one of the most common ways that security awareness training programs fail is that the content of the awareness/training materials is wrong for the target audience.
The mention of the audience is important here – what’s appropriate for an IT group is seldom useful for a group of average PC users, and what’s useful for the PC users probably won’t be as valuable for workers in a warehouse or distribution center.
But, bearing that in mind, here are four of the ways that I’ve seen programs fail because of the wrong content.
In some guidance documents (e.g., NIST SP800-16), you’ll find a distinction drawn between “awareness” and “training” even though most of us use the words together when talking about education of end-users. There’s actually a good theoretical basis for differentiating between them but, in practice, the value of treating them separately is less clear.
If you’re developing an “Acceptable Use of IT Resources” training course (or even developing the policy itself), this blog post from TechRepublic is a very useful reference. It discusses 10 of the laws that apply to computer users (in the USA), and that might result in problems if your end-users are unaware of them.
The laws/regulations discussed in the article include:
- Digital Millennium Copyright Act (DMCA)
- No Electronic Theft (NET) Act
- Anti-Counterfeiting Trade Agreement (ACTA)
- Court rulings regarding border searches
- State and federal laws regarding access to networks
- “Tools of a crime” laws
- Cyberstalking and Cyberbullying laws
- Internet gambling laws
- Child pornography laws
- PRO-IP Act
Fascinating reading, with a lot of gray areas in some cases.
All too often, I hear about security awareness training programs that fail. Here are some of the reasons that I hear:
- The information that they contain is inappropriate for the audience (usually far too complex).
- The presentation of the information is dull or dry.
- The program is too expensive to run on an ongoing basis.
- Students don’t have enough time to take the training.
- The program doesn’t fit with other training initiatives in the organization.
I’m not going to try to rank these in any kind of order. But, over my next few posts, I’m going to look at each of these in turn, try to identify the pitfalls, and give you some suggestions that may help you avoid them.
Call centers often handle highly sensitive information for customers including financial data such as credit card details, Social Security numbers, and bank account details; and, in some cases, health information. This means that they need to comply with an increasing number of regulations such as PCI DSS and HIPAA which require security awareness training for all staff including full-time, part-time, temporary, and seasonal reps.
But security awareness training for the reps in a call center presents some particular challenges. In particular:
In a blog posting entitled “H1N1 and telework,” Akamai’s Senior Director of Information Security and Chief Security Architect, Andy Ellis, writes that:
[H1N1] affects us in the workplace. If an employee has a small child and they don’t have a stay-at-home caregiver, expect that they’re going to miss more time than in prior years … Also, you may want to suggest that employees with sick children stay at home even if they aren’t the primary caregiver, just to minimize workplace infections.
Andy then goes on to talk about the components of a telework plan that could be used to minimize the disruption.