Although much progress has been made in improving security awareness in organizations, there is still work to be done to achieve maturity. Organizations that do not have a security awareness program need to look seriously at strengthening this aspect of their security defense system in order to protect their information resources. All users should be aware not only of what their roles and responsibilities are in protecting information resources, but also of how they can protect information and respond to any potential security threat or issue. Security awareness programs address the need to educate all people in an organization so that they can help to effectively protect the organization's information assets.
Technical controls can provide substantial protection against many threats, but they alone do not provide a comprehensive solution. Technological methods of protecting information may be effective in their respective ways; however, many losses are not caused by a lack of technology or faulty technology but rather by users of technology and faulty human behavior. It stands to reason then that people not only can be part of the problem, but also they can and should be part of the solution. People must be an integral part of any organization's information security defense system.
A lack of management awareness, commitment, and support is a common reason for security awareness training not being conducted. Involving top management and getting their support is essential in building a strong security awareness program that employees will take seriously. If management commitment is increased, and the security awareness goals and message are communicated clearly and often, progress and improvement can be made in creating a security culture.
Policies are essential
Security awareness training needs a foundation of policies. Although most companies today do have security policies in place, they need to have specific policies in place for incident reporting, disaster recovery, and social engineering. These policies are extremely important and should be included within an organization's information security program. Once they are developed, it is crucial that employees receive training on these topics.
Assessment and measurement
Assessment of security awareness programs and training is another area that should be strengthened. Assessment needs to occur periodically so that the program can accommodate the changes and new security issues that arise in such a dynamic environment. Measurement not only can reveal whether the awareness program is effective, but also can help to identify any knowledge gaps and ensure the continuity and improvement of the overall security awareness program. Surveys, interviews, tests, and audits are a few of the more common assessment tools that can be used to measure progress. Assessment and measurement are necessary tools to provide feedback for making adjustments to the security awareness program and to provide a baseline from which to evaluate it. It is difficult for organizations to improve, or even to know whether their security awareness training and programs are effective, if they do not measure them. Assessment and measurement help determine whether program objectives have been met and whether progress has been achieved in raising the security awareness of users.

Social engineering testing is an example of a successful method that can be used to measure the effectiveness of an organization's security awareness program. Social engineering attacks against unsuspecting individuals are a type of security threat that can result in significant data loss. Social engineering attacks are increasing, and although these types of attacks can be just as damaging to organizations as other attacks, they receive less attention within organizations. Social engineering policies and training should be developed and implemented.
Management buy-in, establishing policies and updating them regularly, identifying and communicating the security awareness goals and message clearly and often, and performing assessments are crucial to a successful security awareness program. By implementing some of these changes, organizations can achieve higher levels of security awareness maturity and benefit from a stronger security culture.
Pamela Mitchell is the Senior Security Analyst (and Security Awareness Program Manager) for CA State Compensation Insurance Fund and owner of SecAware, specializing in Security Awareness Program development for small business.