It’s an axiom in InfoSec that “your first line of defense in the protection of your network and data is your employees.” Basic training in information security awareness for current and new employees, along with regular refreshers, is key to deterring attacks like spear-phishing and mitigating their staggering cost and reputational impacts. Training is also vital to ensuring that employees make fewer errors with regard to handling sensitive data.
InfoSec awareness training also goes hand-in-hand with adherence to InfoSec related policies and procedures and is mandated by HIPAA, PCI and other regulations. Users need to know that they have an important role to play in securing their employer’s data. Yet according to PwC’s latest cybersecurity survey, only 50% of companies conduct periodic security awareness and training programs, and just 50% offer security training for new employees.
One client I worked with recently has a solid security awareness program in place. At first glance it seemed to set the bar pretty high: the content is up-to-date and refreshers take place quarterly, not just at headquarters but at Regus offices. But what really makes it great is that it’s working—when asked, employees can tell you what they learned. This company can expect to benefit from a reduction in the risks associated with a lack of security awareness training.
However, there is more to security awareness training than documenting its existence for your ISO 27001 audit. Taking this client’s program as a baseline, I found it interesting to compare it with other clients’ programs (or lack thereof).
Here are the five basic classes of security awareness training I’ve encountered, and how they relate to the ISO 27001 guidance:
- An ISO 27001 compliant program that includes training for current and new employees, along with periodic updates.
- A security awareness program is in place. All new employees receive training upon being hired, and sign to verify their participation. However, contrary to ISO 27002 control 7.2.2, there is no follow-up training.
- No formal InfoSec awareness program exists, but “awareness tips” are circulated periodically. Informal training like websites, emailing reminders and tips, or even putting up posters can be effective. But while this approach provides ongoing education, to satisfy an auditor a program that demonstrably aligns with information security policy is required.
- There’s a security awareness program in place, including training, but it doesn’t include information security. Thus the training is almost certainly not based on the information security policy, if one exists.
- No security awareness training.
Which of these does your current program resemble? Is the training you’re conducting (or not) today delivering the benefits you’re hoping for? Or could you better reduce information security risk by spending that money in some other way?
To talk over how to align your employees’ information security awareness with your needs around compliance, audit and risk mitigation, contact Pivot Point Security.
For more information:
- Information Security Begins at Home
- ￼4 Levels of Security Awareness Training for Developers