Contrary to popular belief, security awareness training can pay off right away. Short-term benefits include employee awareness of acceptable behavior. Most organizations discuss acceptable use policies at employee orientation and never bring them up again, which is inadequate training. Awareness training teaches users not only what they can do to prevent malicious activity, but also how to detect attacks, so employees gain a better idea of the prevalent attack vectors.
In the long term, employees can and should be the "last line of defense." The reality is a determined hacker can get into your network -- period. Training your users makes the attacker's job harder, and if a network is difficult to penetrate, many hackers will move on.
Training should also apply to social engineering, or the art of separating private data from employees through confidence games, lying, or other non-technical approaches. There are no technical defenses for a social engineering attack, so in this case, user education is the only defense you have.
To be clear, user education is not a panacea. Adequate layers of protection should be deployed to eliminate single points of failure -- including your users.
In terms of frequency and follow-ups, a strong education plan requires perseverance and consistency, even when employees make mistakes. I recommend that training start on the first day of a new employee's orientation and continue monthly, with new lessons, quizzes, games, etc. Employees should be reminded of the acceptable use policies and tested at least every six months to ensure they understand simple security defenses.
This was first published in June 2007