The Importance of Security Awareness Training
Editor’s Note: We’re excited to introduce Paul Armstrong of Q11 Protective Services and Chris Chapeta of Bastion Security. Office Ninja Tasha A., introduced us to Paul and Chris after her company used their services. Over the next few months, we’ll be posting a series of articles from these security experts to educate and inspire safer and more effective security around your office.
This week, Paul teaches us about why it’s so important to properly train all employees in security awareness and how you can help make that happen!
Question: Can a 15 pound Corgi dog be used to implement a company wide security awareness campaign?
Before I answer that, let me share a few facts.
One of the best ways to ensure employees will not make costly errors in security is to institute a company-wide security awareness training initiative.
In the 2014 U.S. State of Cybercrime Survey by PricewaterhouseCoopers, 42% of respondents said security education and awareness for new employees played a significant role in deterring potential attacks. The financial value of employee awareness was also compelling, as the report found that companies without security training for new hires reported average annual financial losses of $683,000, whereas companies with training reported average financial losses of $162,000.
I bet I can predict your thoughts and reservations: “We don’t have that type of security culture at our company. We are a fun and innovative company and don’t want to become ‘corporate.’”
Fair point. Even in security, there are three things you never talk about—religion, politics, and security awareness training. So how do you turn a bug into a fix? How do you engage the state of minds of your employees?
One answer: Make a security awareness video using a dog as the leading actor.
The Corgi Story
This is actually a true story for one company that I worked with. All around the campus you could hear employees watching the Mission Impossible style video of the security watchdog finding and remedying various security breaches it caught people committing in the office. Yes, a false paw was used to screen lock a computer it found unattended and yes, it took 8 hours to make the 3 minute video which involved cleaning up its potty mess twice. But it worked. In fact, it worked so well that the video was shown at every New Hire Orientation and Annual Awareness Training.
So whatever rocks your boat! Other more conventional methods include classroom style training sessions, security awareness website(s), helpful hints via e-mail, posters or even sponsored happy hours.
For most companies though, it’s not a decision between training and no training. In many industries, regulatory compliance mandates some form of security awareness training for employees.
How Much Training is Enough?
With the list of companies suffering data breaches growing steadily every company (large and small) should cover the following topics in New Hire and Annual Trainings (with a test quiz):
- Security Policy, Review, and Ratification
- Business Continuity Management
- Asset Management
- Compliance
- Access Control / Passwords
- Fair Dealing
- Phishing / Spyware / Trojans
- Confidentiality and Disclosure
- Physical and Environmental Security
- Reporting Illegal or Unethical Behavior
- Communications and Operations Management
- Mobile Acceptable Use
So why is it important for everyone to have this training? Some people believe that employees should be allowed to do whatever they need to do for their job and that it’s the IT department’s job is to create an environment with technical controls in place to protect them.
The fact is that even with all the technical controls in the world to prevent attacks, every employee shares responsibility in keeping their company secure. By being fully aware of potential attacks and how they can prevent them, every employee will be equipped to keep your company safe.
Know this—security is not siloed anymore, and everyone needs to work together on common business and security goals. So the next time you walk around the office ask yourself this. How secure is your company?
Does your company have Security Awareness Training? How effective do you feel it’s been?
How can I call Office Ninja’s, I can’t find any phone number’s on this entire site, unless I missed it?
I couldn’t agree more with this article. State-of-the-art security systems can’t help your organization unless your employees understand their roles and responsibilities in the security plan.
Hi Paul,
This article is right on time considering all of the things that are happening around the world right now. I am interested in bringing safety awareness classes to our organization and helping staff and clients feel safe. Can you recommend anyone or websites in the Los Angeles area.
Thank you so much for this article! It is difficult to get people interested and responding to the “usual yearly security meeting”. There are some great ideas here!
Hi Shawn
Glad you found it useful.
Let me know if you need any help or just to brainstorm on ideas.
Best
Paul
Glad to be a connector & ON Ambassador! NerdWallet has been using using Paul Armstrong and Chris Chapeta for the last quarter and we’ve significantly improved our security as well as conducted employee safety awareness classes. We have a set plan for systematic improvements from HR concerns to IPO security prep. I can’t recommend them enough.
Tasha Amaral
Operations Manager, NerdWallet