8 Tips for Developing a Security Awareness Program
by Commonwealth Financial Network
When you hear the words âinformation security,â firewalls, antivirus programs, and multifactor authentication may come to mind. But what you might not think about is the one major vulnerability that every security system has: people.
Obviously, people make mistakes. They can be manipulated or duped. Some of us donât always have the best intentions (think: disgruntled ex-employees). Unfortunately, you canât program people. So, whatâs the best way to âpatchâ this human vulnerability?
Here, weâll discuss eight tips for developing a security awareness program, so you can help keep your firmâs information safe from âhuman exploits.â
Strong security starts with policiesâthe rules that govern whatâs safe and what isnât. They should address all the security concerns and practices of your business, including how to encrypt emails, laptops, and mobile devices; authenticate a client; and shred documents. Youâll want to post policies where your staff has easy access. Plus, be sure to give your policies a quarterly or annual review to ensure that they remain relevant.
The devil is in the details, and information security is no different. Simple best practices can make a big difference in keeping your business and information safe. Consider including the following in your program:
- Require employees to change their passwords every 90 days.
- Set up a virtual private network for employees to access when working from home.
- Ensure that all business laptops, desktops, and servers have up-to-date antimalware and spyware.
- Enforce a detailed smartphone policy that requires full-device encryption and passcodes and does not allow employees to store any business-related information on their phones.
- Apply software updates in a timely manner.
- Employ a system that automatically encrypts all outgoing emails, and limit personal messages to employeesâ private email accounts only.
- Keep a backup of all information on company devices.
- Have a process in place for employee termination that includes changing all passwords the employee may know and collecting all company property, keys, and passes in his or her possession.
Keep in mind that the training you provide should enforce the policies and best practices youâve adopted. This will give your staff a reason for why certain practices are followed and give your security awareness program direction.
To be effective, a training plan should address both onboarding training and continual reinforcement. That way, new hires will understand your firmâs security practices from the get-go, and seasoned employees will have the benefit of regular reinforcement of secure habits. Here are a few steps you might take to get started:
- Write down your goals and how you plan to achieve them.
- Create a calendar of when different phases of your training will take place.
- Share this information with your staff. This will demonstrate your commitment to starting and maintaining your security awareness programâand everyone will be on the same page.
It could be a client asking for an âurgentâ wire transfer. It could be someone from Microsoft informing you that you need to âupgradeâ your system. These seemingly legitimate requests tend to catch us off guard.
Scam artists like these (aka social engineers) prey on human weakness. If your firm isnât prepared for fraudulent phone scams, anyone who answers the phone could be the weak link that opens up your business to a breach.
To help defend against phone scams, integrate social engineering prevention into your phone training, or lead a role-playing training session where one person is the con artist and the other is on the receiving end of the call. Plenty of scripts can be found online.
In another sense, pay attention to what youâre downloading to your phone. Mobile malware is on the rise, and 99.9 percent of it is hosted on third-party app stores. It might be wise to have a smartphone strictly for business use or to have a policy in place preventing employees from storing any client information on their phones.
Did you know that most cyber attacks start with phishing (i.e., scam emails)? Although there have been advances in spam filters and antivirus software, the most effective means of teaching your staff is to show them real-life examples.
Check your junk folder and share screenshots with staff (on Windows, hit the Print Screen button). Just be sure not to forward the actual email, as that increases the chances of someone clicking on a bad link. You could also turn a slideshow presentation into a game. Ask your staff to spot x number of warning signsâor which emails are real or fake. Small rewards can incentivize your staff.
In recent years, various security education software programs have been developed that provide security training content (e.g., interactive games, presentations, and videos). Some programs also include simulated phishing tools, which allow you to generate fake phishing emails, send them to your staff, and then generate reports on who clicked and who didnât. This data can help you get a baseline of your firmâs security awareness, and you can use it again later to evaluate if your training is effective.
Remember: Software cannot replace your plan. It helps provide content, but itâs up to you to make that content fit into your plan.
These days, itâs not hard to find information security news. An RSS feed is a great tool for aggregating various security news sources. When you see something that relates to your practiceâwhether itâs about software your firm uses or the smartphone a staff member hasâshare it. You could also compile any major headlines into a monthly or quarterly newsletter. It may start a conversation or alert staff to something they didnât know. Either way, it will help keep security top of mind without interrupting their workday.
A technical treatise on encryption isnât going to make an impact, but a funny, one-sentence poster by the coffee machine might. Keep these pointers in mind:
- Think about ways to make training interactive and engaging.
- Think outside the box.
- Try what hasnât been tried beforeâbecause thatâs exactly the kind of thing people are going to remember.
Itâs important to know that youâll likely come across âshock valueâ material when researching content for your program. Remember, security awareness is not about paranoia. Itâs about adopting secure habits so that dealing with these threats becomes second nature. Your tone can make or break your message. Keep it light, informational, and fun.
The last thing you want to do is create ânoiseâ that your staff hears but doesnât listen to. For example, if you follow Tip #6, donât share an article every day. Shoot for weekly or monthlyâand share only topics that would concern your staff personally.
In a nutshell, the most effective security solution is training. You want your staff to recognize attacks and make the right decisions, but you donât want to give them so much information that you overwhelm them. Using the tips discussed here, youâll be on your way to creating and maintaining a steady and effective security awareness program.
Have you tried any of these ideas in your firmâs program? What worked best, and what was less successful? Do you have any other methods of keeping your staff educated and up to date with information security news? Please share below!
 Commonwealth Financial Network is the nationâs largest privately held independent broker/dealer-RIA. This post originally appeared on Commonwealth Independent Advisor, the firmâs corporate blog.
Copyright Š Commonwealth Financial Network
