Editor’s Note: We’re excited to introduce Paul Armstrong of Q11 Protective Services and Chris Chapeta of Bastion Security. Office Ninja Tasha A., introduced us to Paul and Chris after her company used their services. Over the next few months, we’ll be posting a series of articles from these security experts to educate and inspire safer and more effective security around your office.
This week, Paul teaches us about why it’s so important to properly train all employees in security awareness and how you can help make that happen!
Question: Can a 15 pound Corgi dog be used to implement a company wide security awareness campaign?
Before I answer that, let me share a few facts.
One of the best ways to ensure employees will not make costly errors in security is to institute a company-wide security awareness training initiative.
In the 2014 U.S. State of Cybercrime Survey by PricewaterhouseCoopers, 42% of respondents said security education and awareness for new employees played a significant role in deterring potential attacks. The financial value of employee awareness was also compelling, as the report found that companies without security training for new hires reported average annual financial losses of $683,000, whereas companies with training reported average financial losses of $162,000.
I bet I can predict your thoughts and reservations: “We don’t have that type of security culture at our company. We are a fun and innovative company and don’t want to become ‘corporate.’”
Fair point. Even in security, there are three things you never talk about—religion, politics, and security awareness training. So how do you turn a bug into a fix? How do you engage the state of minds of your employees?
One answer: Make a security awareness video using a dog as the leading actor.
The Corgi Story
This is actually a true story for one company that I worked with. All around the campus you could hear employees watching the Mission Impossible style video of the security watchdog finding and remedying various security breaches it caught people committing in the office. Yes, a false paw was used to screen lock a computer it found unattended and yes, it took 8 hours to make the 3 minute video which involved cleaning up its potty mess twice. But it worked. In fact, it worked so well that the video was shown at every New Hire Orientation and Annual Awareness Training.
So whatever rocks your boat! Other more conventional methods include classroom style training sessions, security awareness website(s), helpful hints via e-mail, posters or even sponsored happy hours.
For most companies though, it’s not a decision between training and no training. In many industries, regulatory compliance mandates some form of security awareness training for employees.
How Much Training is Enough?
With the list of companies suffering data breaches growing steadily every company (large and small) should cover the following topics in New Hire and Annual Trainings (with a test quiz):
- Security Policy, Review, and Ratification
- Business Continuity Management
- Asset Management
- Access Control / Passwords
- Fair Dealing
- Phishing / Spyware / Trojans
- Confidentiality and Disclosure
- Physical and Environmental Security
- Reporting Illegal or Unethical Behavior
- Communications and Operations Management
- Mobile Acceptable Use
So why is it important for everyone to have this training? Some people believe that employees should be allowed to do whatever they need to do for their job and that it’s the IT department’s job is to create an environment with technical controls in place to protect them.
The fact is that even with all the technical controls in the world to prevent attacks, every employee shares responsibility in keeping their company secure. By being fully aware of potential attacks and how they can prevent them, every employee will be equipped to keep your company safe.
Know this—security is not siloed anymore, and everyone needs to work together on common business and security goals. So the next time you walk around the office ask yourself this. How secure is your company?
Does your company have Security Awareness Training? How effective do you feel it’s been?