8 Tips for Developing a Security Awareness Program

When you hear the words “information security,” firewalls, antivirus programs, and multifactor authentication may come to mind. But what you might not think about is the one major vulnerability that every security system has: people.

Obviously, people make mistakes. They can be manipulated or duped. Some of us don’t always have the best intentions (think: disgruntled ex-employees). Unfortunately, you can’t program people. So, what’s the best way to “patch” this human vulnerability?

Here, we’ll discuss eight tips for developing a security awareness program, so you can help keep your firm’s information safe from “human exploits.”

Strong security starts with policies—the rules that govern what’s safe and what isn’t. They should address all the security concerns and practices of your business, including how to encrypt emails, laptops, and mobile devices; authenticate a client; and shred documents. You’ll want to post policies where your staff has easy access. Plus, be sure to give your policies a quarterly or annual review to ensure that they remain relevant.

The devil is in the details, and information security is no different. Simple best practices can make a big difference in keeping your business and information safe. Consider including the following in your program:

• Require employees to change their passwords every 90 days.
• Set up a virtual private network for employees to access when working from home.
• Ensure that all business laptops, desktops, and servers have up-to-date antimalware and spyware.
• Enforce a detailed smartphone policy that requires full-device encryption and passcodes and does not allow employees to store any business-related information on their phones.
• Apply software updates in a timely manner.
• Employ a system that automatically encrypts all outgoing emails, and limit personal messages to employees’ private email accounts only.
• Keep a backup of all information on company devices.
• Have a process in place for employee termination that includes changing all passwords the employee may know and collecting all company property, keys, and passes in his or her possession.

Keep in mind that the training you provide should enforce the policies and best practices you’ve adopted. This will give your staff a reason for why certain practices are followed and give your security awareness program direction.

To be effective, a training plan should address both onboarding training and continual reinforcement. That way, new hires will understand your firm’s security practices from the get-go, and seasoned employees will have the benefit of regular reinforcement of secure habits. Here are a few steps you might take to get started:

• Write down your goals and how you plan to achieve them.
• Create a calendar of when different phases of your training will take place.
• Share this information with your staff. This will demonstrate your commitment to starting and maintaining your security awareness program—and everyone will be on the same page.

It could be a client asking for an “urgent” wire transfer. It could be someone from Microsoft informing you that you need to “upgrade” your system. These seemingly legitimate requests tend to catch us off guard.

Scam artists like these (aka social engineers) prey on human weakness. If your firm isn’t prepared for fraudulent phone scams, anyone who answers the phone could be the weak link that opens up your business to a breach.

To help defend against phone scams, integrate social engineering prevention into your phone training, or lead a role-playing training session where one person is the con artist and the other is on the receiving end of the call. Plenty of scripts can be found online.

In another sense, pay attention to what you’re downloading to your phone. Mobile malware is on the rise, and 99.9 percent of it is hosted on third-party app stores. It might be wise to have a smartphone strictly for business use or to have a policy in place preventing employees from storing any client information on their phones.

Did you know that most cyber attacks start with phishing (i.e., scam emails)? Although there have been advances in spam filters and antivirus software, the most effective means of teaching your staff is to show them real-life examples.

Check your junk folder and share screenshots with staff (on Windows, hit the Print Screen button). Just be sure not to forward the actual email, as that increases the chances of someone clicking on a bad link. You could also turn a slideshow presentation into a game. Ask your staff to spot x number of warning signs—or which emails are real or fake. Small rewards can incentivize your staff.

In recent years, various security education software programs have been developed that provide security training content (e.g., interactive games, presentations, and videos). Some programs also include simulated phishing tools, which allow you to generate fake phishing emails, send them to your staff, and then generate reports on who clicked and who didn’t. This data can help you get a baseline of your firm’s security awareness, and you can use it again later to evaluate if your training is effective.

Remember: Software cannot replace your plan. It helps provide content, but it’s up to you to make that content fit into your plan.

These days, it’s not hard to find information security news. An RSS feed is a great tool for aggregating various security news sources. When you see something that relates to your practice—whether it’s about software your firm uses or the smartphone a staff member has—share it. You could also compile any major headlines into a monthly or quarterly newsletter. It may start a conversation or alert staff to something they didn’t know. Either way, it will help keep security top of mind without interrupting their workday.

A technical treatise on encryption isn’t going to make an impact, but a funny, one-sentence poster by the coffee machine might. Keep these pointers in mind:

• Think about ways to make training interactive and engaging.
• Think outside the box.
• Try what hasn’t been tried before—because that’s exactly the kind of thing people are going to remember.

It’s important to know that you’ll likely come across “shock value” material when researching content for your program. Remember, security awareness is not about paranoia. It’s about adopting secure habits so that dealing with these threats becomes second nature. Your tone can make or break your message. Keep it light, informational, and fun.

The last thing you want to do is create “noise” that your staff hears but doesn’t listen to. For example, if you follow Tip #6, don’t share an article every day. Shoot for weekly or monthly—and share only topics that would concern your staff personally.

In a nutshell, the most effective security solution is training. You want your staff to recognize attacks and make the right decisions, but you don’t want to give them so much information that you overwhelm them. Using the tips discussed here, you’ll be on your way to creating and maintaining a steady and effective security awareness program.

Have you tried any of these ideas in your firm’s program? What worked best, and what was less successful? Do you have any other methods of keeping your staff educated and up to date with information security news? Please share below!