Information Security Awareness

  • Writer: Robert Rybicki
  • Feb 18, 2023
  • 3 min read

International Maritime Organization (IMO) Cyber Security Superyacht

Why is it important?


Learning the art of communicating your message across is very important before you begin distributing your information security awareness ideas.

One human error can do significant damage even with firewalls, encryption, and antivirus software in place. That's why information security awareness training is so important. You shouldn't try to cram everything into 1-2 hours or one full day – try to deliver constant and frequent small doses of information instead.

Don't embark on training anyone before reading about social engineering (read "The Art of Deception: Controlling the Human Element of Security") and a couple of books by Dale Carnegie (for example, “How to Win Friends & Influence People”).

Learn a little about “Security Awareness” from those and other books and with the freshly established knowledge go and create the security awareness program in your organization – it will be successful.

It doesn't make sense to purchase posters and training materials from vendors: their effectiveness will be close to zero if you fail to deliver the message properly during the training.

The investment will not be worth it – unless all you’re after is a checkbox in an audit report ;)

Read the books and learn how to positively influence people – things will dramatically change for the better for you and your organization.

Do it, and all the posters and e-mails you use, all the meetings, and every conversation you have with every employee who has accidentally fallen for a phishing message will deliver an effective result.

If you can give good examples and actually know what you're talking about, people will believe you and understand you.

Remember: if you don't believe in and deeply understand your message, nobody else will. Please never forget it.


Consider recommending some online/offline video courses to all that wish to learn.


So far the best one I've found is developed by DISA IASE (Defense Information Systems Agency, Information Assurance Support Environment).

I consider it the gold standard you should be aiming for.

Voice of experience?

In most big companies I worked with, Security Awareness training was mandatory for all new hires. It was almost 2 hours long, very detailed, very… boring :)

Guess what people did?

They clicked the Next button on every slide without even listening to what the videos had to say.

In the end, they got a "passed" grade. Please don't do this; it's utterly useless. Worse than useless, in fact: it is dangerous, and it just doesn't make any sense.

If your security awareness program is that boring, or passing it is that easy to fake, you are in a worse situation than if you had no security awareness training at all.

Conducting in-person interviews with random, difficult questions about the material they just watched is one good control. Asking them to write 30-60 word descriptions of every topic they just 'passed' in the training, instead of giving them a-b-c-d style questions, is another good control.


That means you would have to review the answers – but consider this your own visibility into the infosec awareness of your trainees.

If you’re a techie, you could even go to the lengths of developing your own ‘challenges’.

Here is a nice exercise you can perform once in a while.

Prepare a .bat file with scary colors and a blinking "You have been hacked" message or something of the sort. Compile it to .exe.

With a resource editor, add a Word or PDF icon to it. Give it a believable name that fits the company culture (very long, to hide the extension).

Then explain to the victims specifically, and to everyone else, how to check e-mail attachments for viruses, how to check file extensions before opening, how to upload a file to VirusTotal, etc.

It is essential to explain to your fellow coworkers how to recognize suspicious e-mails, suspicious links and websites, and how to check a link without opening it (for example by pasting it into VirusTotal), etc.


Teach them how to check the real extension of a file and why a file with a double extension is malicious in 99.999% of cases.

Users should also remember to send any suspicious files to the IT Security / Incident Response team for analysis instead of just deleting them.

You should be able to build the infrastructure to support these activities – as moving files via e-mail is dangerous, a simple web form with a file upload box will do an excellent job.
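The double-extension and hidden-extension tricks above, plus the upload form for suspicious files, can be backed by an automatic first-pass screen on the security team's side. The following is an added example written for this post, not code from the author; it assumes the upload handler passes the original file name and the first bytes of the content, and the extension lists and the 80-character name limit are my own assumptions. It flags a file whose name ends in an executable extension, whose name carries a document-looking extension in front of the real one, whose name is long enough to push the extension out of view, or whose content (an MZ header, the start of a Windows executable) does not match what the name claims.

```python
from typing import List

# Extensions that look like harmless documents and are used as the visible,
# "fake" extension in a double-extension name such as report.pdf.exe.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
# Extensions Windows runs as code when the file is double-clicked (assumed list).
EXECUTABLE_EXTS = {"exe", "bat", "cmd", "com", "scr", "pif", "js", "jse", "vbs",
                   "vbe", "wsf", "ps1", "hta", "msi", "lnk"}
# Leading bytes (magic numbers) that the named format must start with.
MAGIC = {"pdf": b"%PDF", "png": b"\x89PNG", "docx": b"PK\x03\x04",
         "xlsx": b"PK\x03\x04", "pptx": b"PK\x03\x04"}
MAX_NAME_LEN = 80  # assumed limit; longer names push the extension out of view


def screen_attachment(name: str, head: bytes) -> List[str]:
    """Return the reasons a submitted file looks suspicious (empty list = none found).

    name: the file name as the recipient saw it; head: first bytes of the content.
    """
    reasons = []
    if "\u202e" in name:  # right-to-left override reverses the visible name
        reasons.append("right-to-left override character in name")
    # Windows silently drops trailing spaces and dots, so the real extension
    # is the last dot-separated component after they are removed.
    exts = [p.lower() for p in name.rstrip(" .").split(".")][1:]
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        reasons.append(f"double extension .{exts[-2]}.{last}")
    if len(name) > MAX_NAME_LEN:
        reasons.append(f"name longer than {MAX_NAME_LEN} characters, which hides the extension")
    # The content decides what the file really is, whatever the name claims.
    if head.startswith(b"MZ") and last not in EXECUTABLE_EXTS:
        reasons.append(f"content is a Windows executable (MZ header) but name claims .{last}")
    elif last in MAGIC and not head.startswith(MAGIC[last]):
        reasons.append(f"content does not start like a .{last} file")
    return reasons


if __name__ == "__main__":
    # Constructed sample submissions, not real files.
    samples = [
        ("Q1_Report_2023_reviewed_by_finance_department_final_version_approved_for_distribution.pdf.exe", b"MZ\x90\x00"),
        ("invoice.pdf", b"MZ\x90\x00"),
        ("invoice.pdf", b"%PDF-1.7"),
    ]
    for n, h in samples:
        print(n[:40], "->", screen_attachment(n, h) or "nothing found")
```

A hit is a reason to route the file to the Incident Response team for analysis, not a verdict on its own; a clean result only means these particular tricks were not used.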
