Information Security Training: Are we doing things in the right way?
2013 is going to witness major challenges in Information Security, many predict. Security risks continue to affect businesses across the globe irrespective of their location, size, nature of business and business practices, whether the cause is intentional or unintentional. Mobility (increased use of mobile devices, removable media, social networking, remote working and so on) brings its own challenges to safeguarding information. Cloud services and the increased share of third-party providers in business processes complicate the issues further, since the information no longer stays within organizational boundaries.
In order to safeguard information assets (read: data), in the backdrop of the numerous data breaches reported somewhere in the world almost daily, management needs to focus on information security programmes. The programmes should be focused on improving people's awareness and adopting a common set of best practices aimed at protecting sensitive data. The risks are multiplied by the rapid expansion of mobile devices at the individual level and their adoption in the workplace, combined with the negligence of people towards information security, knowing or unknowing. Despite the best efforts of information security professionals, people are by and large unaware of the legal, financial and reputational losses that data breaches cause.
In the organizations where training is imparted to users, the information security training is barely sufficient, reveals a survey conducted by Protiviti. The observations of Protiviti are:
People who lose sensitive information, for instance, could put their companies at risk of large fines, uncapped liabilities or future loss of earnings. While levels of information security training have increased in the UK, we at Protiviti have observed that much of the training does not effectively convey these consequences – it is only when a breach happens that reality dawns on people. In our opinion, despite increased levels of training at both financial services and non-financial businesses, the training is often too basic, simply a box-ticking exercise, or worse, giving them a false sense of security.
We recently surveyed 1,000 individuals across a range of UK businesses and levels of seniority, and found that 81% of respondents believed they had an average to excellent understanding of modern IT security and risks within their company.
However, we also surveyed – separately – senior information security and risk professionals working across a range of UK firms, and they said the opposite. Key information security messages are still not getting through to significant numbers of employees, and that good information security practices are still not embedded in the risk culture and consciousness of employees at many UK businesses.
According to senior security and risk professionals, around two-thirds (61%) of employees actually have a generally low level of understanding of security risks and fail to put into practice effective procedures they have been taught in training. Almost three-quarters (71%) thought employees had a poor understanding of the positive role they could play in reducing security risks and a majority (57%) said they had noticed no change in employee behaviour after completing security awareness training.
We also found that almost four in 10 office workers said they had never had security awareness training. This figure increases to over half (52%) if you only look at non-financial-services organisations. Further, of those that have had training, a third (32%) have only had training in the past 12 months, which is too small a number given the speed with which new information security threats emerge (regular changes and updates to privacy settings on Facebook being one example). It is important not to overtly disparage current training initiatives. Many firms have excellent processes in place, and many respondents to the Protiviti survey report have made significant changes in the way they work and how they use technology at home following security awareness training.
Asked, for instance, how they had changed their behaviour after completing security training, 55% of employees said they had become more careful where they leave laptops, phones or USBs, 46% had become more wary of using emails and 37% said they had become more aware of comments and photos posted on social media sites. There is, therefore, value in training, provided it is effective. More needs to be done, however. For training to be effective, it needs to be tailored to the roles of employees, and many organisations need to review both the nature and frequency of their training.
Reporting security breaches and near breaches is one good way to help improve awareness – indeed, in light of the findings from Protiviti’s studies, the following points are particularly important:
- Training needs to be done on an ongoing basis. It should not be a ritual conducted once a year or two, for the sake of compliance.
- Users need to be informed of the content of the Information Security Policy. The essence of awareness training is to enlighten users on what to look out for: the behaviours and warning signs that could lead to attacks by the wrong guys.
- Online training, with feedback in the form of an online test, would be effective in periodically reminding people and allowing them to learn at their own pace and place.
- Training needs to be tailored to the specific requirement, taking examples from the workplace and employee experience rather than focusing mostly on general guidelines. Simulation would be effective in helping people assimilate the training inputs.
- Encourage people to be creative and to appreciate the security concerns. Solutions need not be stereotyped; people should be encouraged to be innovative. This approach would strengthen the bonding with people.
- People need to be made accountable for the offences and any violations should be escalated to the top management and punished with more training.
- Training should be considered at every major event affecting the business be it expansion, merger, introduction of new processes or technologies, opening of new offices and business units, organizational change programmes and so on.
- Never confine the training to the information security administrator. Business units and functions should appreciate and actively take part in the training programmes, creating awareness among the users in their respective business unit or function.
- Consider involving external professionals who would bring with them rich experience, cross-functional knowledge, global trends and relevant case studies. Learning about other organizations would create interest among the employees.
- Review the outcomes of training in terms of improved security awareness, which can be observed through indicators such as password change frequency, use of external devices, reporting of security events and so on.
- The philosophy of security should be more positively oriented, enabling people to differentiate between "good" and "bad" practices and adopt the good ones, rather than follow a strict set of rules that is monitored by someone else.