September 2009
Published on September 28, 2009 by Karen Letain in News
Delivering the right message content to the right audience through the most effective communication channels is imperative when implementing a security awareness campaign.
The right message should be able to maximize the appeal of the topic and persuade the target group to take action. This will work especially well if the message fits with the target group’s interests and needs. The message could and should be tailored to the knowledge or technical knowledge of the target group.
The message should be proactive and consistent. It should also be concise, clear and easy to read. Any message that is part of an awareness-raising initiative should state the risks and threats facing the users, why they are relevant to them, what to do and not to do, and how to stay protected.
Ultimately, you are looking for a message that is compelling. To do this you will need to find creative ways to deliver the message so it is noticed. Having centralized and consistent themes, slogans and design is a way to make it compelling and aids in overall retention.
Published on September 21, 2009 by Karen Letain in News
Nobody really likes planning. However, the best way to ensure a successful training program, regardless of the type of training, is to make sure that all the stakeholders in the process adhere to a training plan. In order to make it easier, we have a suggested format for you:
1. Person(s)/Team Writing Plan
2. Sponsors of Plan (could be Executive, Administrative, both or Other)
3. Person(s)/Team Responsible for Execution/Implementation of Plan (Outline Responsibility and Role of each person listed)
4. Key Departments/Staff involved or affected by Plan
5. Background (outline the reason why the training requirement arose, factors influencing the proposed training)
6. Business Requirement
7. Mission/Values/Purpose/Goals for the Plan
8. Scope of Plan
9. Length of Plan
10. Assessment (Provide a brief description of the assessment method used and attach sample assessment methodology)
I would also suggest developing a Training Matrix. This could be done in a table format and should include: training topic, competency addressed, suggested target audience, course name, delivery method and availability as well as priority. The matrix will help to clearly outline the requirements of the training and timelines and keep all stakeholders and developers on task and on target.
Published on September 12, 2009 by Karen Letain in News
Maximizing what little security budget is left isn't easy but it is possible. Despite the recession, businesses are still investing in security. But, what if your company isn't? There are ways to maximize the security budget you do have and actually increase your security posture. A simple approach can be extremely effective. Here are some recommendations:
1. Review existing security tools and augment with open source
Supplementing your existing IT security infrastructure can be done via a myriad of open source tools that are extremely affordable. Review the tools you do have and supplement them with open source, or look at tweaking your current ones by contacting the vendor and seeing if there are any tweaks or scripts that can be written for a small professional services fee.
2. Keep training your staff
ALL employees need constant training. Review your existing training strategies and increase sessions or add free training tools and resources to your existing repertoire to "freshen" the content. There are a "ton" of free resources out there. Microsoft has a great free security awareness tool kit you can use that contains all types of slogans, newsletter templates, etc.: http://technet.microsoft.com/en-us/security/cc165442.aspx
3. Increase security awareness
If your staff are trained and aware of potential risks and threats, your ability to avoid security breaches is increased exponentially. Regular training, education and continuous communication and marketing techniques can condition employees to be paranoid of e-mail attachments and URLs sent by strangers, or to be more cognizant of any potential inside employee issues.
Published on September 03, 2009 by Karen Letain in News
Is there really an answer to this? Does it not depend upon the product and the individual learner?
Quite likely, the only real answer to this question is to determine the amount of training that is necessary by reviewing the corporate security policies and determining what is critical from a security perspective and what is not. Typical physical security training is about a minimum of 40 hours of training per core competency. This, however, could be overkill if the individual's role is not that of a physical security officer, but instead is a program or project manager with no responsibility for security within the organization.
The amount of training is typically related to the type of task being performed. With security awareness, that is difficult to quantify unless you look at what is critical from a security perspective based on the individual's job role in the organization. Ultimately, security awareness training should be based on the role the individual learner has in the organization and what potential risks/threats that person might encounter. Basing training on the individual's role is a much more precise way to develop effective security awareness training.