How to Implement a Security Awareness Program at Your Organization
Security isn’t just a technical problem. It’s also a people problem, and keeping the people side of the security equation strong requires that all people in your organization have an awareness of security. This is why security awareness programs are so important.
The goal of a security awareness program — as you may have guessed — is to increase organizational understanding and practical implementation of security best practices. A program like this should apply to all hires — new and old, across every department — and it should be reinforced on a regular basis.
Here’s what you need to know to create a first-class security awareness program at your organization.
What Is a Security Awareness Program?
A security awareness program is a way to ensure that everyone at your organization has an appropriate level of know-how about security along with an appropriate sense of responsibility.
The way we see it, the first line of defense in any security posture is your controls: how you enforce security best practices and prevent successful compromise. The second line of defense is detection: how you catch attacks or attempted breaches, or how you know whether your controls are working. The third line of defense is your people: how aware they are of security and what they are doing to avoid being a weak link.
A good security awareness program should arm your third line of defense by educating them about the first and second lines and giving them the tools they need to do the right thing day in and day out.
Security awareness programs are important because they reinforce that security is the responsibility of everyone in the company (not just the security team). Below, we’ll explain how to set up a program and how to maintain it over the long haul.
What Belongs in a Security Awareness Program?
A security awareness program should have four key components. You can think of them as the Four Cs:
Communication
Security needs to become a regular part of the conversation at your organization. This means that upper management must regularly communicate to all employees that security is essential to running the business. This can take the form of company-wide emails, presentations, brown-bag lunches, or some combination of the above. The key is to make sure that communication is clear, regular, relevant, and interactive (read: not boring).
Checklist(s)
Next, there needs to be a checklist — or a series of checklists — that you can use to make sure that security awareness practices are being actively spread throughout your organization in a systematic manner. This will help your company stay organized when it comes to developing, delivering, and maintaining a security awareness program. This checklist could include:
- What to do when a new hire starts (and when an employee leaves)
- When and how often to remind employees of security protocols
- What to do when an incident takes place
- How to communicate with customers or partners in the event of a breach
Content
You also need to have a cache of relevant content about security that your employees can refer to when needed and that you can use when training and communicating about security with employees on an ongoing basis.Depending on your organization’s structure, management style, and unique security requirements, this could include:
- A security handbook (this can be a PDF sent to all employees or part of an intranet)
- Role-based guidelines (e.g., what each team needs to know about security)
- Training programs (both for new hires and ongoing employee education)
- A special chat channel (e.g., #security on Slack) for reporting suspected security issues and getting feedback on any questions employees might have
Controls
As good as your security awareness program is, you are guaranteed to run into an issue at some point. A sales associate will open a malicious PDF attachment, a PM will plug a malicious USB drive into their computer, and someone in Finance will fall for scam emails. Controls are the guardrails to prevent the car from flying off the road, ensuring that people and systems are only able to do what their roles dictate and only with the appropriate approval. For example, while you might have “the most locked down platform ever”, what controls does your organization have in place to ensure that a malicious actor can’t simply call your support team and request an account change?
How Frequently Should an Organization Conduct Security Training?
There are three times when it is vital to offer security training to your employees:
- When they join the team
- After an incident occurs
- At regular intervals throughout the year
Each of these moments offers a different opportunity to train employees on specific aspects of security or to offer them real-world examples of what to do and not do (e.g., in the case of phishing or W2 scams). If you can plan ahead, you can develop the right types of training for the right times.
Onboarding
When someone joins your team, you need to give them an overview of how your organization handles security and why you take it seriously. This means going over the people, processes, and technology that are most relevant to their job functions when it comes to security. You want to spend time focusing on general policies and on role-specific information that will help new employees do their jobs more effectively.
Specifically, we recommend that you set up one-on-one or cohort training for new employees. This can be delivered via an engaging, interactive presentation where you go over the key security principles and tools they will be using and those they should be aware of. Following this, you can “quiz” them to test out their new knowledge.
SANS offers quite a number of security training materials that you can browse from and select what makes the most sense for your organization.
Post-Incident
If a security incident occurs at your organization, this can be a good time to offer a refresher course. Let’s say someone at your company falls for a phishing email. Instead of laying blame, think of this as an opportunity to analyze an actual issue that arose and show how it can be avoided in future.
To begin, you will want to communicate about the breach to your team (or part of your team). Before doing this, it’s a prudent idea to consult legal counsel so that you approach communication in a manner that is both legal and appropriate for the given circumstances. This communication will inform your employees about the incident so they can avoid falling prey to the same or similar ones in the future (in the case of something like a phishing email). This is particularly important if you are dealing with a targeted attack (e.g., someone pretending to be your CEO.)
Next, you’ll want to examine what exactly went wrong. What pieces of information did your team not have (or forget along the way) that would have helped them avoid the situation? How can you better educate them for the future? With this information in hand, set up an all-company meeting where you can review best practices for these types of incidents. Make sure that you don’t place blame, but instead focus on the attack vector and how others in the organization can avoid falling victim to the same type of attack.
Ongoing
Beyond specific post-incident training content, you’ll want to set up an ongoing training program. This could take the form of Lunch and Learns (which we hold here at Threat Stack) or even pop quizzes that are emailed out on a regular basis (e.g., quarterly). The idea here is to set up a curriculum that covers the most common security threats (this will change over time as new ones come to the fore) and that keeps security top-of-mind through a regular cadence of education and awareness.
You’ll also want to keep the lines of communication as open as possible, since the best time to learn is typically when someone has an immediate question or concern. Whether that means setting up a dedicated security channel in Slack where team members can share suspicious activity or ask questions or just having an open-door policy for your security team, make sure that everyone feels comfortable asking questions and getting answers when needed.
Security Maturity Requires Ongoing Training
Training, like many aspects of security, is not a one-and-done activity. You need to bake it into all aspects of your organization until it becomes part of the organizational culture. When new hires start, it’s vital that they receive training that will help them do their jobs securely and set the tone for how seriously your company takes security.
From there, ongoing post-incident and periodic security trainings will help to keep it top of mind. Security training is an ongoing process that you will need to modify and amend as your organization grows and changes. That’s part of ensuring that your security posture is as mature as it can be, even as your company and security landscape grows and evolves.