October is National Cybersecurity Awareness month! Pandemic or not, the clock continues to tick, and our need to be vigilant is more significant than ever.
Numerous cybersecurity and information security priorities vie for our constant attention. Empowering your users with knowledge and awareness of the critical role they play in information security cannot be overlooked; when attended to, it can pay large dividends. Users need to realize their responsibilities in keeping our information and systems safe and secure. Our job as IT leaders is to help them grow in understanding and practicing safe, secure digital habits.
People are not the weakest link—they are the primary attack vector. We can reduce this human risk by changing human behavior. One effective way to change behavior is to leverage an awareness and training program.
The distinction between training and awareness is often confused. Training is primarily active, and awareness is generally passive. And there can be overlap!
- Training: To teach skills that allow a person to perform a specific function
- Awareness: To focus an individual’s attention on an issue or a set of issues
Types of training might include classroom, online, and one-on-one. Emailed information, visual aids (e.g., posters and infographics), and email phishing campaigns are often used to increase awareness. The awareness messages can also be considered training. I tend to use a blended model by focusing first and predominantly on recurring awareness activities, allowing any associated training to flow naturally from there. Email phishing campaigns, emailed tips, and infographics are most effective in our environment.
Awareness and training messages are most impactful when a user can connect with them personally. The power of simplicity cannot be overstated. Statements must be simple, to-the-point, and easily actionable. Positive, action-oriented, succinct messaging that explains why a policy or process is important is much more engaging and effective. Using negative and fear-based messaging can turn people off, and relying upon overly technical language can lead end-users into feeling that the messages don’t apply to them.
Security awareness training is never a one-and-done exercise. Regular exposure to varied security topics using multiple media is ideal. Measurement is essential, whether through phishing test trends, formal training assessments, or network anomaly statistics. We must assess our programs and adjust them to deliver training and awareness where it is most impactful.
Core topics for security awareness training might include:
- Social engineering*
- Email/Phishing scams*
- Passwords (passphrases)
- Multi-Factor/Two-Factor Authentication (MFA/2FA)
- Ransomware and Malware
- Physical security
- Desktop security
- Removable media
- Wireless networks
- Data privacy
- Home, IoT, and personal security
* Social engineering in cybersecurity is the psychological manipulation of people into performing actions or divulging confidential information. This topic, closely coupled with Email/Phishing scams, is most critical. Candidates for a social engineering attack can range from a district administrator to an elementary school student. This type of attack can victimize even the most seasoned IT expert. The vast majority of cyber-attacks rely on social engineering, and most are done via email. Even the most sophisticated technology cannot stop them.
In addition to digital awareness and training methods, old-school methods can also be very effective. You may find it eye-opening to walk around the building looking for exposed passwords, unlocked computers, and other potential physical security risks. We often focus so heavily on the high-tech digital realm that we forget about the significance of basic physical security. When we do find something in question, our intent is never to shame or call out an individual, but rather to make it a learning opportunity by increasing awareness and changing behavior.
Although CoSN does not endorse or recommend particular vendors, products, or services, I have included a few links to entities offering some level of free resources that may be of interest to you as you begin to learn more about various security awareness and training approaches.
Awareness Resources
- Email Safety & Security – Best Practices (I created this resource for our staff over three years ago; I still distribute it periodically as a reminder; staff has told me they’ve shared it with family members as well!)
- National Cybersecurity Alliance – Staysafeonline.org
- SANS – Cybersecurity Awareness Month toolkit
- SANS – Security awareness phishing tools
- S2Me – Free tool for users to self-assess their cybersecurity and safety habits
Training Resources