The Generic Blanket Training is not Appropriate or Effect
Every year corporations and businesses go through the annual, employee dreaded security training. Their eyes become glazed over and the staff’s mouths slowly begin to open even so slightly as the physical manifestations of the apathy being to appear.
To simply check the box that the training had been without usability focus is a fallacy of actual security. The training needs to be different from years past. This does create a bit more expense, as other training materials need to be created, however the benefits are far-reaching. Without this in place, there will continue to be instances of ransomware, malware infections, and insider threats.
The current security stance of the bland, one-size-fits-all training needs to change and be updated. The training needs to be personalized for the audience. The security training for the senior management would be vastly different than for the customer service area. Senior management would want to have the overview, possibly news regarding the executive wire scam, training in the near future, and any incidences. The call center would have training focused on the different forms of attacks, specific examples, and their importance in ensuring their role if only providing private information to the appropriate parties.
This approach needs to be proactive. The market and environment is constantly working to find new methods to breach the system or pivot piro methods for the same goal. The infosec team needs to be focused on the new attacks and methods being used, and push this information to the appropriate parties. Waiting for an attack and their completing the research for this is too late. This research may easily be translated into new training opportunities.
There are many alternatives for the CISO to better the information and cybersecurity culture. These should be implemented in a timely manner.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.