Security risks are an issue for any IT organization, but the risk increases dramatically when the employees of the organization do little or nothing to prevent these issues. Worse yet, many employees are unaware that they are the ones causing security issues in the first place. Linda Musthaler sees these issues and offers advice on how creating a “human firewall” will decrease the security issues within a company. Musthaler bases her findings on a report called Global State of Information Security 2013. This report details security weaknesses. It was found that only 29% of employees were said to be aware of cyber risks, yet 68% said that their organization had at least one, if not more, security incidents within the last year. As Musthaler notes, clearly there is a block between noticing the risks and doing something about it:
Traditional approaches to employee education just aren't working when it comes to IT security training. When workers sit in a classroom and view one PowerPoint slide after another, they aren't really learning the subject as they need to. The lesson is out of context with the real work environment. The class is often boring and too long. When there's no active participation or interaction with real computing situations, the lessons don't sink in. The key to effective employee security training is to use learning science principles. In other words, throw out the boring slideware and use tools and techniques that let people learn in a way that is scientifically proven to allow them to absorb and retain more of the content.
Musthaler suggests five techniques for keeping security in check. Prioritizing and focusing is the first of these techniques. When training a team, more than one training session is often needed to allow enough time for employees to get hands-on experience with different cyber security issues. Customizing the training program to include individual sections on email, mobile devices, passwords, and so on will allow realistic goals to be set.
Working a little bit of security training into each work day will allow for “teachable moments.” Think of these moments as fire drills for security risks. When you, as Musthaler puts it, make the information “digestible,” you will find greater ease in implementing these practices when the security issue is no longer a drill. In that vein, Musthaler's third technique is to keep your employees coming back for more. Many security training platforms use video games to engross the employee. The more excited everyone is about learning, the more they will actually absorb.
It is not all fun and games, however. You want to make sure all of this training will yield results. Keeping your employees on their toes with tests and compliance checks will highlight any employee who may not have benefited from training. Continuing to adapt is the final, and possibly most crucial, technique that Musthaler offers. Security risks are constantly changing, so it is important to be aware of what may be developing before it happens. By building a “human firewall,” you should see the number of incidents drop dramatically.