News

The failure of security awareness programs

In many cases, security awareness programs fail because they are not tied to the overall company-wide security policies. In some cases, security policies, and therefore security awareness training, are not given the attention and buy-in they require from key stakeholders within the company.

Fraud schemes on the rise in Canada

According to a report from Criminal Intelligence Service Canada released Friday, August 20, 26 per cent of Canadians said they'd been approached with a fraud scheme some time last year. That's up from 17 per cent in 2007 and 14 per cent in 2006.

That could mean that fraudsters, with access to social media such as Facebook, are launching more schemes. According to the report, "Securities fraud is becoming increasingly sophisticated." "Online social networking sites provide fraudsters new fora."

The report said more people admit they've been repeatedly victimized by fraud and the losses incurred by fraud victims have increased. In 2006, only 32 per cent of victims said they'd invested more than $5,000 in a fraudulent scheme. By last year, that figure had grown to 38 per cent. Seventy per cent of fraud victims never get any of their money back. More than ever there is a need for awareness in this area.

Awareness renewal time!

Summer is a great time to take stock of your current awareness program. Review the past year's program and run it through a thorough analysis. Was it relevant to the users? Was the content refreshed with updated security best practices? Is it time to run a quiz and test the current users' knowledge base? Perhaps you need to add some videos to the existing program?

Perhaps it is time to start from scratch and look at a program re-design or a different approach to refresh and revitalize the training program. We recommend looking at new and innovative ways of communicating with your end users. Try getting them involved by running a poster design contest with some great prizes, one they can even enroll their kids in, and use the posters in the campaign itself. To increase awareness, place large placards with key anecdotes strategically around the building, e.g., "every minute there are approximately 29 victims of identity theft."

What are you doing to refresh your program this year?

Eliminate the boring

When you get it wrong, the signs are painfully clear, but the reasons may not always be obvious. Making that all-important connection with your learners does not happen by accident. When you are putting together a security awareness training solution, you need to make it not only interesting but RELEVANT.

If the learner already has knowledge of security topics and issues, why would they need additional training in the areas they already understand? The mistake often made is that content is developed on the assumption that the learner knows very little and therefore needs to drink from the proverbial "fire hose". This does not have to be the case. A well-thought-out quiz, delivered before the content or training is developed or delivered, can eliminate repetitive, boring content that the learner has already absorbed. A quiz can act as a baseline, identifying gaps in the overall knowledge of the learners. Effort can then be focused on either developing content in the areas of weakness or looking for supplemental online content or reinforcement tools to address the gap. The quiz can then be run again after the training to determine whether or not the learning content was absorbed.

Learning Resources Worth Looking At

I always love seeing blog entries that contain great resource references. So, I thought I would start one! Here is the start of a list that I decided to start compiling of some really good blogs that contain a ton of resources, tips, tricks and more links. Feel like sharing yours and growing the list?

Around the Corner-MGuhlin.org

Box of Tricks

Creative Teaching

Corporate eLearning Strategies and Development

Custom Training and eLearning Blog

Educational Origami

Experiencing E-Learning

Jane’s E-Learning Pick of the Day

Kirsten Winkler

New Learning Playbook

Rapid eLearning Blog

Sue Waters Blog

Workplace Learning Today

Engaging learners through video

An ideal way to engage learners is through video. As an example of the popularity of video, you need only look as far as the website YouTube, which currently has 15 hours of footage uploaded to it by users every minute. Digital technology, whether it is mobile, video or computer games, has fundamentally reshaped the way most of us connect with, make sense of and engage with society.

We need to understand that most of the younger generation will expect an entirely new type of relationship with the world around them that does not rely on accessing information but on creating new knowledge, resources and products. While core basic skills remain vital, new developments and the increasingly collaborative nature of learning will challenge our existing educational infrastructure.

e-Learning guru Lord Puttnam stated that "only by engaging with these new and at times intimidating challenges for the process of teaching and learning - almost all of which are facilitated by digital technology - will we produce a generation of creative learners with a breadth and a depth of understanding capable of dealing with this new incredibly difficult century". As part of his call for a rethink of traditional educational models, Puttnam has made a film entitled We Are The People. It is available free from www.wearethepeoplemovie.com.

Deploying eLearning to tackle sustainability

eLearning plays an extremely important role in terms of sustainability. For those organizations looking to be more sustainable and save costs in the process, eLearning is the best way to improve and expand employee skill sets without having to incur additional travelling costs.

eLearning helps organizations expand training opportunities to more employees in more places. It’s available on-demand, providing instant learning at a moment’s notice. For organizations looking to impart new security policies to their staff and educate them on new best practices, eLearning is the most efficient and cost-effective method of deployment.

Using Gaming to Learn

A recent article in Forbes on Women Gaming made some interesting links not only to gender-based learning but also to how we learn and develop skills as individuals. http://www.forbes.com/2010/03/25/women-gaming-video-forbes-woman-time-online.html

The concept of gaming is becoming more accepted in business, where it functions as a superb training and operations tool. Videogames are now being used for collaboration and brainstorming as well as performance evaluation. Games-based learning is proving to be the new learning tool of the future and it is definitely growing.

Games-based learning, also referred to as "Serious Game", is all about leveraging the power of computer gaming to captivate and engage end users to develop new knowledge and skills. This type of learning enables users to undertake tasks and experience situations that may be too costly or otherwise impossible.

Although many of the concepts included in end user security awareness training are universal, such training often must be tailored to address the policies and requirements of a particular organization. In addition, many forms of training fail because they are rote and do not require users to think about and apply security concepts. A flexible, highly interactive video game can support organizational security training objectives while drawing typical users into an engaging security adventure.

However, there are problems with deploying games-based learning for organizations. First, it is difficult to find generic end-user interactive gaming software for security awareness. Second, the cost of creating such a game internally can be quite high. Third, maintaining and updating the content can be time-consuming and costly.

HIPAA and data security breaches on mobile devices

According to American Medical News in the February 22 edition of their newspaper, one-third of health professionals store patient data on laptops, smartphones and USB memory sticks and only 39% of health care organizations encrypt data on mobile devices.

Provisions in the federal stimulus package have tightened HIPAA notification and enforcement regulations and have made HIPAA violations more costly. For example, the maximum civil penalty from the Dept. of Health and Human Services for a data breach occurring after Feb. 18, 2009, rose from $25,000 to $1.5 million.

Security experts recommend that the data be secured and encrypted, making it next to impossible to read for anyone who happens to find it. More importantly, users of corporate mobile devices need to be educated on their responsibility for the security of the devices provided by the organization and on the organization's policy on using the devices. Security awareness of the risks inherent in using mobile devices is essential and should be part of a consistent security awareness program.

CSI Survey Indicates An Even Greater Concern for Proper Security Awareness Training

The Computer Security Institute (CSI) released the 14th edition of its annual CSI Computer Crime and Security Survey in December 2009. Insight was gathered from 443 US-based respondents across both public and private sectors.

While respondents indicated they were not extremely happy about any of the technologies being currently used, they did feel that there is still a lack of a comprehensive solution for monitoring and measuring what is going on.

Respondents also expressed even greater concern over a perceived lack of proper security awareness training for users at endpoints. An amazing 43.4 percent of them said that less than 1 percent of their security budget was allocated to awareness training, and 55 percent said current investments in this area were inadequate.

Twenty-five percent of respondents said more than 60 percent of financial losses came from accidental breaches by insiders, not external hacks, and 16.1 percent said 81 to 100 percent of all losses came from accidental breaches as well.
