As businesses increasingly become targets of security breaches, they are paying more attention than ever to information security.
One of the keys to ensuring quality IT security is to make sure that all employees — not just those in the IT department — understand the security practices in place and why they need to be followed.
Kevin Saucier, a security consultant for the information-security consulting firm Conventus, said educating all employees about IT security best practices is an opportunity to adapt rapidly to changes while protecting assets.
Saucier offers businesses several tips on how to train employees on their organization's security practices:
Show impact: To engage with IT security, employees need to understand its importance. Although just about everyone knows security is important, not everyone understands how this training will impact them and the performance of their jobs. One tip is to discuss current security breaches in the news and break down how little lapses in daily security practices can lead to a massive data breach or a denial-of-service attack, which floods a company's network with unwanted traffic in an attempt to shut it down for a period of time. Something as simple as explaining why a certain security practice exists in a company is all that is needed to positively engage team members and build a successful training session.
Regular training: Companies often put the onus on the administrator to stay on top of security trends and reports on their own time. Software vendors release fixes and make alterations to best practices on an ever-accelerating basis. However, many companies do not structure their organizations to allow for regular training sessions or the flexibility for professional development on a daily or weekly basis. The companies that embrace an active culture of learning and professional development enable their employees to be proactive against new and ever-evolving security threats. Current and ongoing training can be one of the most effective security controls in which a company can invest.
Expert educators: Few companies ever spend time evaluating the quality of the training their employees receive. The quality of training courses and trainers varies. Very often, timing and cost — rather than the quality of the educational experience — drive the decision of which training vendors companies use. Like any industry, there are companies and trainers that excel at providing quality, effective security training and others that do not. The logic for picking a quality vendor is simple: Quality training leads to quality team members.
Flexible formats: Companies rarely let employees pick the format of security training. It has been proven that people understand and retain information better when they receive training focused on their style of learning. Some people are visually oriented and excel by learning through video and pictures. Some are aurally oriented and excel with lecture-based training. And some are "hands-on" learners. Companies rarely allow employees to pick their training format, which often leads to a mismatch of training format and learning styles. With access to cloud services and broadband streaming, there are many training options available to businesses of all sizes.
No quick fixes: When you're teaching employees about security, it is important to emphasize that exceptions to a standard operating procedure will be quickly forgotten after the stress of a critical system outage fades. There have been countless security issues that have been caused, at least in part, by quick-fix alterations to security policies. At many organizations, the demands of a 24/7 market may force personnel to prioritize "uptime" at the expense of security compliance.
Security audits: Audits — both external and internal — can be the most educational tool a small business has at its disposal. Far too often, small businesses scramble to meet the standards and criteria of various regulatory agencies and do not stop to consider the total picture of what an audit tells them. It is critical to look at audits as a total measure of how effectively they manage their systems and data. Audits are designed to highlight gaps in policy and procedures, but they can also reveal gaps in training and in-house expertise. Negative audit findings can be symptomatic of larger issues of personnel training. Effective analysis of audit reports should not only highlight gaps in security, but also help small businesses understand why those gaps exist.
Originally published on Business News Daily.