Perhaps one of the most overlooked risk mitigation techniques is strength in numbers. Those numbers are the people who have the most impact on your network's overall security: the users. The common misconception among all sorts of Organizations is that users are a high-risk, low-impact population when it comes to effectively improving overall security in the Organization's environment. As a result, the network users are held less accountable for their responsibility to protect Company assets. This creates an environment ready to be compromised by any willing threat actor.
Users are the be-all and see-all. They're the ones creating shadow IT environments. They're the ones ultimately clicking on the risky links. They're involved in the systems that may present vulnerabilities at every level of operation. Users are truly the ones who need education in properly handling incidents and in risk avoidance techniques. Let's not confuse the term user with strictly end users; System Administrators, IT Managers, Software Developers and other IT professionals are just as much in scope. Despite industry push-back that End User Awareness Training (EUAT) is of limited relevance, layered security begins with the users of the systems and data you're attempting to secure.
Here are five primary items that will help you create your own culture of awareness, regardless of the technological support available to you.
1.Schedule of Events
No matter what program is implemented, a standard schedule is important in creating an environment where user education can thrive. A schedule sets expectations for each month, quarter, week or day; whatever communication frequency is appropriate for your teams. The schedule works well if you're able to tie it to the fiscal year through a monthly newsletter. Predefine the delivery medium and stick to it. Users will respond more willingly if you can tie an incentive to the scheduled events, such as an additional vacation day or security-branded swag.
2.Methods of Delivery
When considering the methods of delivering your message, account for the physical locations of your users, their core working hours and their responsiveness to the communication methods available. For example: if your marketing department typically distributes a monthly newsletter in magazine or paper form, attempt to piggyback on that communication. Users who respond to handouts before e-mails will typically spend more time, on average, reading a paper-based pamphlet. EUAT programs can be tailored to fit this type of medium easily, and the expense is worth the impact.
This is not to say that e-mail communications should be disregarded entirely. Supplementing a paper brochure with e-mail provides a searchable, indexed reference that users can recall easily. Regardless of your primary medium, adding an e-mail communication with the awareness topic attached is always warranted.
It's important to note that a thorough end-user awareness program should be a joint effort between InfoSec, IT, HR and Corporate Training. In the event that not all of those departments are available to create and deploy such an EUAT program, there are many third-party resources outside your respective Org that can help.
3.Measuring your success
EUAT programs can be measured by their failure rates. Thinking in terms of negative outcomes, testing the awareness of a person or group focuses primarily on how that group responds to a simulated attack. Before you can expect an appropriate response, it's a good idea to train the users in advance; the timing of the training relative to the testing is up to you. Once the testing is complete, you should be able to compile a list of failures and successes. A failure is a user who clicked on a simulated malicious link that carried all the key indicators covered in the earlier training. The response to a failure is re-training and re-communicating the initiative, either to the single user who failed or to the entire group of previously trained individuals. Tracking failures over time gives you a complete picture of where the training fell short and where users require additional help in identifying security compromises.
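As an added example (not part of the original post, and not tied to any particular phishing-simulation product), here is a small script that turns a campaign export into the numbers described above: a failure rate per department per campaign, the users who keep failing across campaigns (candidates for individual re-training), and the departments whose latest failure rate is high enough to warrant re-training the whole group. The CSV rows, the column names, the action vocabulary (delivered/reported/clicked/submitted) and the 50% group threshold are all assumptions made for the example.

```python
"""Score simulated-phishing results and decide who gets re-trained.

Added example; the data and column layout are constructed for illustration.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export (made up for this example, not real campaign data).
# One row per user per campaign; "action" is the worst thing that user did.
SAMPLE_RESULTS = """\
campaign,user,department,action
2024-Q1,alice,finance,reported
2024-Q1,bob,finance,clicked
2024-Q1,carol,engineering,delivered
2024-Q1,dave,engineering,submitted
2024-Q1,erin,hr,clicked
2024-Q2,alice,finance,delivered
2024-Q2,bob,finance,submitted
2024-Q2,carol,engineering,reported
2024-Q2,dave,engineering,delivered
2024-Q2,erin,hr,clicked
"""

# Outcomes that count as a failure: the user took the bait.
FAIL_ACTIONS = {"clicked", "submitted"}
# Outcomes that count as a pass: ignored the lure or, better, reported it.
PASS_ACTIONS = {"delivered", "reported"}


def parse_results(text):
    """Parse a CSV export into a list of row dicts, rejecting unknown outcomes."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        if row["action"] not in FAIL_ACTIONS | PASS_ACTIONS:
            raise ValueError(f"unknown action {row['action']!r} for {row['user']}")
    return rows


def failure_rates(rows):
    """Return {campaign: {department: rate}} where rate = failed / delivered."""
    failed = defaultdict(lambda: defaultdict(int))
    total = defaultdict(lambda: defaultdict(int))
    for row in rows:
        campaign, dept = row["campaign"], row["department"]
        total[campaign][dept] += 1
        if row["action"] in FAIL_ACTIONS:
            failed[campaign][dept] += 1
    return {c: {d: failed[c][d] / total[c][d] for d in total[c]} for c in total}


def repeat_failures(rows, min_failures=2):
    """Users who failed in at least min_failures distinct campaigns."""
    failed_in = defaultdict(set)
    for row in rows:
        if row["action"] in FAIL_ACTIONS:
            failed_in[row["user"]].add(row["campaign"])
    return sorted(u for u, cs in failed_in.items() if len(cs) >= min_failures)


def retraining_plan(rows, group_threshold=0.5, min_failures=2):
    """Whole departments at or above group_threshold in the latest campaign get
    group re-training; users who keep failing get individual re-training."""
    rates = failure_rates(rows)
    latest = max(rates)  # assumes campaign ids sort chronologically (YYYY-Qn)
    groups = sorted(d for d, r in rates[latest].items() if r >= group_threshold)
    return {
        "campaign": latest,
        "departments": groups,
        "individuals": repeat_failures(rows, min_failures),
    }


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    for campaign, by_dept in sorted(failure_rates(rows).items()):
        for dept, rate in sorted(by_dept.items()):
            print(f"{campaign} {dept:<12} {rate:.0%}")
    print(retraining_plan(rows))
```

On the constructed data, engineering drops from 50% to 0% between campaigns (the training worked there), hr stays at 100%, and bob and erin fail in both campaigns, so the plan re-trains finance and hr as groups and bob and erin individually.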
4.Marketing Meets InfoSec
A brief tie-in to the measurements of success mentioned above: IT in general can benefit from a marketing mentality toward end-user awareness training. EUAT is most effective when its focus relies heavily on the tendencies of human nature. The truth is, we have all clicked on a bad link at some point in our lives, but the key to awareness is the attempt to change that behavior. When an EUAT program ties into a marketing and communication structure, all users (including IT) will respond more thoroughly because they have a more complete understanding of what they need to learn. Marketing techniques give the InfoSec message a way to reach all types of mindsets and can easily be integrated into your EUAT program.
Shameless plug: you are reading our Company Blog, aren't you? :)
5.When to Call in the Big Guns
By now you're probably wondering, "Where would I find the time to put all of these items together and redo them every few months?" This is where an outside consultant can add value to your program. Companies like Black Bear Information Security, LLC will talk with your security teams, IT Managers, Directors and C-level personnel to collectively build a purpose-built End User Awareness Training Program for your Organization. Not only will this service provide the means and methods to ensure your greatest asset (your people) is better informed, it will also improve the Company's posture regarding overall safety, security and well-being.