Sure, you can spend big bucks on packaged awareness programs and learning management platforms that can help you deploy and manage your training efforts and then report on compliance. Like most of you, though, I have a limited budget, and I'd rather devote it to things we desperately need but can't get on the cheap, like modernization of our security event monitoring, advanced malware detection and intrusion prevention.
With security awareness, my two main goals are to satisfy compliance requirements and to change behavior.
Regarding the first goal, my focus right now is attaining PCI compliance. Even though we don't currently meet the transaction thresholds that would mandate that we be PCI-compliant, it's good for business. Many of our customers expect it of us. The PCI framework provides clear guidance regarding security awareness, for both end users and developers, who need to be trained in application security development.
As for the second goal, I believe that the proper amount of awareness training will lead employees to pause before doing things that could put our company, our customers' data or themselves at risk. If my training program keeps just one person from clicking an evil link, sharing sensitive data on Dropbox or using a compromised Internet kiosk, it will be worth the effort.
And certainly worth the cost, since much of what I'm doing only costs my time. For example, I'm writing and emailing quarterly security reminders. That might not be worth my time if this were a huge enterprise, with multiple corporate communications assailing employees every week. But we're small enough that this isn't a problem, and besides, a subject heading like "SECURITY ALERT" grabs attention better than "Company Press Release."
In my most recent email reminder, I explained phishing attacks: how to spot them, what to do if you detect one and, most importantly, what to do if you click on a questionable link or attachment. Awareness about such things is of paramount importance, since we haven't deployed any advanced malware-detection capabilities and our IT department isn't focused on monitoring the network for malware. We need to do all we can to keep the malware out, and employees are the first line of defense there. That email also discussed best practices related to identity theft.
My next reminder, which will go out within the next couple of months, will look at mobile device security. Here again, this is an inexpensive way to address something that we don't have the budget to take on directly, since we have yet to deploy a robust mobile device management tool and are currently relying solely on the protections that Microsoft Exchange offers for employees who synchronize their phones through ActiveSync.
Another time investment is to take part in our monthly new-hire orientation. I created a set of PowerPoint slides and got HR to give me a 45-minute slot, including 15 minutes to answer questions. The PowerPoint slides are on topics such as avoiding untrusted resources like Internet kiosks and Wi-Fi hotspots, data protection, encryption, passwords, social engineering and physical security (a few of our laptops have gone missing lately). If all goes well, I'll convert those slides into a recording and use them in the yearly training requirement for all employees.
We'll spend a little bit of money on posters, but they don't necessarily have to be created on poster stock, and several free awareness posters can be found with a Google search. And in our case, with just four main offices, distributing and hanging posters in the restrooms and common areas is a cinch. I'll be choosing my first set of posters and pinning them up within the next couple of weeks.
In another tactic similar to putting up posters, I'll be rolling out screensavers that hammer home security messages. It's a little more complicated than hanging posters, of course, and we'll have to do some testing and get IT resources to deploy the screensavers to all of the PCs on our domain using Microsoft Active Directory Group Policy.
The only real money I'll have to spend will be on developer training. We need all of them to be trained on the OWASP Top 10 at a minimum. To ensure quality instruction, I want to purchase some training materials.
The last thing in my current awareness push is to look at a service that can assess the effectiveness of our awareness program by sending out phishing emails to employees and measuring their responses.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.