I read an interesting article on Dark Reading, "The Human Firewall: Why People are Critical To Email Security", and thought it struck a common theme I see with many clients.
There is constant stress on the "NextGen" controls that can be put in place to serve as an organization's silver bullet, yet employee awareness training is often left as a compliance checkbox to complete once a year. We can't expect every employee to be a security expert, but we do need to plan for control failure. Part of that planning is layered controls, so that no single control, technical or human, is the proverbial basket holding all of the eggs.
The most successful programs I have seen in place are not the annual slide deck that never changes, but are continuous and vary in content and medium. Things like a periodic lunch-and-learn that teaches employees some of the basics to protect themselves at home will carry over into more secure practices at work. These successful programs also reward proactive employees and use periodic tests as teachable moments, not solely as a witch hunt. I have seen organizations tracking these proactive employees and rewarding them through various announcements, gift cards, etc.
While we security professionals do this for a job, we need to put ourselves in the end user's shoes and realize that security is often the last thing on their mind. We need to work to make security a natural habit for them, without overburdening them with what they see as more "busy work". Using a variety of tactics to disseminate security knowledge helps reinforce these practices in the end user's daily life.
As always, I am interested in your feedback. Feel free to reach out on any of the social networks below!