8 Tips for Developing a Security Awareness Program
by Commonwealth Financial Network
When you hear the words āinformation security,ā firewalls, antivirus programs, and multifactor authentication may come to mind. But what you might not think about is the one major vulnerability that every security system has: people.
Obviously, people make mistakes. They can be manipulated or duped. Some of us donāt always have the best intentions (think: disgruntled ex-employees). Unfortunately, you canāt program people. So, whatās the best way to āpatchā this human vulnerability?
Here, weāll discuss eight tips for developing a security awareness program, so you can help keep your firmās information safe from āhuman exploits.ā
Strong security starts with policiesāthe rules that govern whatās safe and what isnāt. They should address all the security concerns and practices of your business, including how to encrypt emails, laptops, and mobile devices; authenticate a client; and shred documents. Youāll want to post policies where your staff has easy access. Plus, be sure to give your policies a quarterly or annual review to ensure that they remain relevant.
The devil is in the details, and information security is no different. Simple best practices can make a big difference in keeping your business and information safe. Consider including the following in your program:
- Require employees to change their passwords every 90 days.
- Set up a virtual private network for employees to access when working from home.
- Ensure that all business laptops, desktops, and servers have up-to-date antimalware and spyware.
- Enforce a detailed smartphone policy that requires full-device encryption and passcodes and does not allow employees to store any business-related information on their phones.
- Apply software updates in a timely manner.
- Employ a system that automatically encrypts all outgoing emails, and limit personal messages to employeesā private email accounts only.
- Keep a backup of all information on company devices.
- Have a process in place for employee termination that includes changing all passwords the employee may know and collecting all company property, keys, and passes in his or her possession.
Keep in mind that the training you provide should enforce the policies and best practices youāve adopted. This will give your staff a reason for why certain practices are followed and give your security awareness program direction.
To be effective, a training plan should address both onboarding training and continual reinforcement. That way, new hires will understand your firmās security practices from the get-go, and seasoned employees will have the benefit of regular reinforcement of secure habits. Here are a few steps you might take to get started:
- Write down your goals and how you plan to achieve them.
- Create a calendar of when different phases of your training will take place.
- Share this information with your staff. This will demonstrate your commitment to starting and maintaining your security awareness programāand everyone will be on the same page.
It could be a client asking for an āurgentā wire transfer.Ā It could be someone from Microsoft informing you that you need to āupgradeā your system. These seemingly legitimate requests tend to catch us off guard.
Scam artists like these (aka social engineers) prey on human weakness. If your firm isnāt prepared for fraudulent phone scams, anyone who answers the phone could be the weak link that opens up your business to a breach.
To help defend against phone scams, integrate social engineering prevention into your phone training, or lead a role-playing training session where one person is the con artist and the other is on the receiving end of the call. Plenty of scripts can be found online.
In another sense, pay attention to what youāre downloading to your phone. Mobile malware is on the rise, and 99.9 percent of it is hosted on third-party app stores. It might be wise to have a smartphone strictly for business use or to have a policy in place preventing employees from storing any client information on their phones.
Did you know that most cyber attacks start with phishing (i.e., scam emails)? Although there have been advances in spam filters and antivirus software, the most effective means of teaching your staff is to show them real-life examples.
Check your junk folder and share screenshots with staff (on Windows, hit the Print Screen button). Just be sure not to forward the actual email, as that increases the chances of someone clicking on a bad link. You could also turn a slideshow presentation into a game. Ask your staff to spot x number of warning signsāor which emails are real or fake. Small rewards can incentivize your staff.
In recent years, various security education software programs have been developed that provide security training content (e.g., interactive games, presentations, and videos). Some programs also include simulated phishing tools, which allow you to generate fake phishing emails, send them to your staff, and then generate reports on who clicked and who didnāt. This data can help you get a baseline of your firmās security awareness, and you can use it again later to evaluate if your training is effective.
Remember: Software cannot replace your plan. It helps provide content, but itās up to you to make that content fit into your plan.
These days, itās not hard to find information security news. An RSS feed is a great tool for aggregating various security news sources. When you see something that relates to your practiceāwhether itās about software your firm uses or the smartphone a staff member hasāshare it. You could also compile any major headlines into a monthly or quarterly newsletter. It may start a conversation or alert staff to something they didnāt know. Either way, it will help keep security top of mind without interrupting their workday.
A technical treatise on encryption isnāt going to make an impact, but a funny, one-sentence poster by the coffee machine might. Keep these pointers in mind:
- Think about ways to make training interactive and engaging.
- Think outside the box.
- Try what hasnāt been tried beforeābecause thatās exactly the kind of thing people are going to remember.
Itās important to know that youāll likely come across āshock valueā material when researching content for your program. Remember, security awareness is not about paranoia. Itās about adopting secure habits so that dealing with these threats becomes second nature. Your tone can make or break your message. Keep it light, informational, and fun.
The last thing you want to do is create ānoiseā that your staff hears but doesnāt listen to. For example, if you follow Tip #6, donāt share an article every day. Shoot for weekly or monthlyāand share only topics that would concern your staff personally.
In a nutshell, the most effective security solution is training. You want your staff to recognize attacks and make the right decisions, but you donāt want to give them so much information that you overwhelm them. Using the tips discussed here, youāll be on your way to creating and maintaining a steady and effective security awareness program.
Have you tried any of these ideas in your firmās program? What worked best, and what was less successful? Do you have any other methods of keeping your staff educated and up to date with information security news? Please share below!
Ā Commonwealth Financial Network is the nationās largest privately held independent broker/dealer-RIA. This post originally appeared on Commonwealth Independent Advisor, the firmās corporate blog.
Copyright Ā© Commonwealth Financial Network