Security awareness training programs should be an essential part of information security endeavors because technology cannot stop all threats, a security professional said Thursday at SC World Congress in New York.
Most people make mistakes because they don't know what they are doing is wrong, said Dennis Devlin, CISO of Brandeis University in Massachusetts.
IT staff must not only train employees about information security but educate them as to why it is important, he said. Education persists longer than training and allows individuals to apply their knowledge to new situations.
“We need to get to the point where it's more natural for people to do things the right way then the wrong way,” Devlin said.
A security awareness training program should be like a marketing effort, he said. Choose a message and brand it, then syndicate the message across various platforms such as email, Facebook, Twitter and the company's website and blog to reach people in whichever format they prefer.
In addition, make security awareness training materials easily accessible from anywhere because employees often do not have time while at work to review them, Devlin said.
Training materials should include information about what the organization is doing around information security but, more importantly, describe what employees can do to advance the effort.
And, training should not be done just once a year, Devlin said.
“Every interaction is a teachable moment,” he added.
Devlin, for example, includes security messages in his email signature reminding individuals not to click on links in suspicious emails and that Brandeis will never ask for a user's password via email.
This simple training strategy has helped at least one person, who told Devlin he almost gave up his password in an email scam, but luckily remembered the message.
One audience member said that to remind users not to leave laptops unattended, he uses the phrase: "Be nice to your laptop. Take it out to lunch.”