Security Awareness Training is No Joke!

June 23, 2015 at 9:51 AM

Without a doubt, almost every type of IT audit contains a section on security awareness training. And in many companies, it is a weakness that can be exploited more easily than a firewall can be hacked or a server compromised. In many cases, it can be as easy as sending an email or making a phone call.

A company can have dozens of physical and logical security controls in place. But a control is only as good as how it is set up and used. The same holds true for security training for users within the company. In truth, many of the controls used by IT will fail without user support.

Take malware protection for example. Most companies protect against malware in multiple ways: anti-virus servers, email spam filters, and web content filtering. However, all of these can be circumvented by the employee who clicks on a link in an email or on a website, inviting the malware into your environment.

Security awareness training is a critical part of defense in depth to prevent loss of data, productivity, and reputation. And it doesn’t have to be overly complicated or dry. The whole point is to make sure the message is understood and becomes a regular part of the routine.

Here are a few things to consider about security awareness training:

• Make it fun – IT guys love telling stories about things going wrong. Share a few with the employees. Real-life examples about ransomware or phishing attempts stick with users more than reading a definition from a slide.
• Make it matter – One of the most effective things I ever did was run a password crack tool in the environment and get the majority of the passwords for users. As part of awareness training, I showed some of them (making sure no user could be identified first). They remembered that session, believe me!
• Consider the audience – If your staff is tech oriented, great! But they need to be able to understand what you’re trying to get across. They don’t need to know that hash and salt are more than bad breakfast options, but they do need to know not to randomly click on things.

Finally, security threats are changing constantly. If you’re not reviewing your security awareness program to make sure it is up to date, then it probably needs a refresh. Remember too that when users see the same training year after year, it loses the intended effect.

To find out how Compass can help prepare your employees to become your first line of defense against threats to your information, download our Security Awareness Training Brochure below!

Download Compass' Security Training Brochure
