Internet Security Awareness Training
Internet Security Awareness Training (ISAT) consists of the training of members of an organization regarding the protection of various information assets of that organization. Organizations that need to comply with government regulations (i.e. GLBA, PCI, HIPAA, Sarbox) normally require formal ISAT for all employees, usually once or twice a year. Many Small and Medium Enterprises (SME's) do not require ISAT for regulatory compliance, but train their employees to prevent a cyberheist. Internet Security Awareness Training at this point in time is usually provided via online courses. ISAT is a subset of general security awareness Training.
Topics covered in ISAT include:
- Appropriate methods for protecting sensitive information on personal computer systems, including password policy
- Various computer security concerns, including spam, malware, phishing, social engineering, etc.
- Consequences of failure to properly protect information, including potential job loss, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal law penalties.
Being Internet Security Aware means you understand that there are people actively trying to steal data that is stored within your organization's computers. (This often focuses on user names and passwords, so that criminal elements can ultimately get access to bank accounts and other high-value IT assets.) That is why it is important to protect the assets of the organization and stop that from happening.
According to Microsoft,
- End User Internet Security Awareness Training resides in the Policies, Procedures, and Awareness layer of the Defense in Depth security model.
- User security awareness can affect every aspect of an organization’s security profile.
- End User Security awareness is a significant part of a comprehensive security profile because many attack types rely on human intervention (Social Engineering) to succeed.
The focus of ISAT is to achieve an immediate and lasting change in the attitude of employees towards Internet Security, making it clear that security policies and Acceptable Use policies are vital for the survival of the organization, and not as rules that restrict the employee being efficient at work.
Security awareness training for employees is one of the most effective means of reducing the potential for costly errors in handling sensitive information and protecting company information systems. Training can be conducted through a number of means and certain approaches are more effective than others:
- The Do-Nothing Approach: The organization conducts no security awareness training and relies on automated systems to protect against phishing and malware.
- The Breakroom Approach: Employees are gathered during lunches or meetings and are told what to look out for in emails, web surfing, etc.
- The Monthly Security Video Approach: Employees are shown short videos that explain how to keep the organization safe and secure.
- The Phishing Test Approach: Certain employees are pre-selected and sent simulated phishing attacks, IT determines whether they fell prey to the attack, and those employees get remedial training.
- The Human Firewall Approach: Everyone in the organization is tested, the percentage of employees who are prone to phishing attacks is determined, and then everyone is trained on major attack vectors. Simulated phishing attacks are sent to all employees on a regular basis.
Security Awareness Training can ensure personnel have a solid understanding of their employer’s security practices and policies. In contrast, an uninformed employee is susceptible to malware, phishing attacks, and other forms of social engineering. They can do substantial harm to an organization’s systems and place its data at risk.
Key aspects of any awareness training program should include the following:
- Train on an ongoing basis. Avoid limiting training to when an employee is first hired or assigned to a new role in the organization.
- Train creatively, not just in a non-interactive class-room setting.
- Look for means to introduce interactivity into the training process.
- Have a means of measuring progress and Phish-prone percentage of employees.
See also
- Access control
- Physical Security
- Security
- Security controls
- Security management
- Phishing
- Social engineering
- Persistent Spear Phishing