A Proper Security Awareness Program, how do you create and run one?


The snow is falling, there are lights in the trees, and family and friends are coming over for a great meal.  You are at work doing some last-minute online shopping for that perfect gift when you receive an email telling you to “click here.”  You click the link, and shortly afterward your computer starts running slowly.  You call the IT department, and they inform you that you have just been infected with malware or, worse yet, ransomware.

This is that time of year when criminals step up their attacks, using social engineering to gain access to your company’s information and network, or to spread ransomware that holds your company’s data hostage for a high price.  The attackers know that people are distracted from their normal vigilance by the ease of online shopping, and that they therefore only need one person to click on their email.

How do you create a proper Security Awareness Program and run it?

I have worked with companies of all sizes that have tried to create a proper program to protect their company from attackers.  There are two examples that stand out to me of what to do and what not to do.

What not to do:

One company’s Information Security (IS) department tried to build a program that penalized end users for falling for a phishing test.  They played a “gotcha” game rather than teaching end users what to watch out for or how to spot phishing.  The end users told me that they tried to get more information about phishing from IS, at which point the CISO said they did not have time to train the end users.

What to do:

We have to remember that end users are our first line of defense in protecting the company from attackers.  You want to give end users the right information and a proper understanding so that they can go into this battle well-trained and protected.  You want end users to feel comfortable reporting an attack, including when they fell for it.  When you build and run a proper security awareness program, you will decrease the rate of end users falling for a test or, even worse, a real attack.

Items needed to build a proper security awareness program:

  1. Executive buy-in
  2. Defined training media (videos, PowerPoint, in person)
  3. Training frequency (yearly, twice yearly, quarterly)
  4. A baseline of end users’ current understanding of security awareness
  5. Proper tracking of the program
  6. Time to work with end users to teach them security
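Items 4 and 5, the baseline and the tracking, are where most programs go thin: they record who clicked and stop there. The script below is an added example, not code from the original post or from Think Security; the record layout, campaign names, user names and timestamps are all constructed for illustration. It computes, per phishing-simulation campaign, the click rate, the report rate, how many users reported the email before (or instead of) clicking, and how quickly the first report arrived, then compares a later campaign against the baseline. The report-side numbers are the ones that show whether users feel comfortable reporting, which is the point of the “what to do” section.

```python
"""Track phishing-simulation results for a security awareness program.

Added example (not from the original post). Campaign names, users and
timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class SimResult:
    campaign: str
    user: str
    sent: datetime
    clicked: Optional[datetime] = None   # None: the user never clicked the link
    reported: Optional[datetime] = None  # None: the user never reported the email


def campaign_metrics(results: List[SimResult]) -> Dict[str, dict]:
    """Per-campaign click rate, report rate, safe reports and first-report delay."""
    by_campaign: Dict[str, List[SimResult]] = {}
    for r in results:
        by_campaign.setdefault(r.campaign, []).append(r)

    out: Dict[str, dict] = {}
    for name, rows in by_campaign.items():
        n = len(rows)
        clicked = sum(1 for r in rows if r.clicked is not None)
        reported = sum(1 for r in rows if r.reported is not None)
        # Reporting before clicking, or without clicking at all, is the outcome
        # the program is trying to produce; a report after a click still counts
        # as a report, but not as a safe one.
        reported_safely = sum(
            1 for r in rows
            if r.reported is not None and (r.clicked is None or r.reported < r.clicked)
        )
        report_delays = [
            (r.reported - r.sent).total_seconds() / 60
            for r in rows if r.reported is not None
        ]
        out[name] = {
            "recipients": n,
            "click_rate": round(clicked / n, 3),
            "report_rate": round(reported / n, 3),
            "reported_before_clicking": reported_safely,
            # Minutes until the first report: how fast the SOC would have heard
            # about a real campaign.
            "first_report_minutes": round(min(report_delays), 1) if report_delays else None,
        }
    return out


def compare_to_baseline(metrics: Dict[str, dict], baseline: str, later: str) -> dict:
    """Change in click and report rates from the baseline campaign to a later one."""
    b, l = metrics[baseline], metrics[later]
    return {
        "click_rate_change": round(l["click_rate"] - b["click_rate"], 3),
        "report_rate_change": round(l["report_rate"] - b["report_rate"], 3),
    }


# Constructed sample data: a baseline campaign and one run a quarter later.
T0 = datetime(2023, 12, 4, 9, 0)
T1 = T0 + timedelta(days=90)
SAMPLE = [
    SimResult("baseline", "alice", T0, clicked=T0 + timedelta(minutes=12)),
    SimResult("baseline", "bob", T0, clicked=T0 + timedelta(minutes=3)),
    SimResult("baseline", "carol", T0, clicked=T0 + timedelta(minutes=40),
              reported=T0 + timedelta(minutes=45)),
    SimResult("baseline", "dave", T0),
    SimResult("baseline", "erin", T0, reported=T0 + timedelta(minutes=90)),
    SimResult("q2", "alice", T1, reported=T1 + timedelta(minutes=8)),
    SimResult("q2", "bob", T1, clicked=T1 + timedelta(minutes=5)),
    SimResult("q2", "carol", T1, reported=T1 + timedelta(minutes=15)),
    SimResult("q2", "dave", T1, reported=T1 + timedelta(minutes=30)),
    SimResult("q2", "erin", T1),
]

if __name__ == "__main__":
    m = campaign_metrics(SAMPLE)
    for name, stats in m.items():
        print(name, stats)
    print("change vs baseline:", compare_to_baseline(m, "baseline", "q2"))
```

On the constructed data the click rate falls from 0.6 to 0.2 while the report rate rises from 0.4 to 0.6 and the first report arrives in 8 minutes instead of 45. If only the click rate is tracked, the second half of that improvement is invisible; a program that punishes clicks without rewarding reports tends to drive the report rate down even when the click rate improves.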

By following an effective program, you will see that end users become more adept at protecting the company from attacks.  Solid training not only benefits the work environment but also empowers end users to be more vigilant at home, protecting them and their families from attacks aimed at their information and computers.

Here at Think Security, we have worked with companies to develop anti-phishing programs that are well-suited to their dynamic.  If you would like to know more, please contact us to discuss the ways that we can meet your unique needs.
