Security Awareness
Published on April 04, 2010 by Karen Letain in Courses, News
A recent article in Forbes on women and gaming made some interesting links not only to gender-based learning but also to how we learn and develop skills as individuals. http://www.forbes.com/2010/03/25/women-gaming-video-forbes-woman-time-online.html
The concept of gaming is becoming more accepted in business, where it functions as a superb training and operations tool. Video games are now being used for collaboration and brainstorming as well as performance evaluation. Games-based learning is proving to be the new learning tool of the future, and it is definitely growing.
Games-based learning, also referred to as "serious games", is all about leveraging the power of computer gaming to captivate and engage end users so that they develop new knowledge and skills. This type of learning enables users to undertake tasks and experience situations that would otherwise be too costly or impossible to stage.
Although many of the concepts included in end-user security awareness training are universal, such training often must be tailored to address the policies and requirements of a particular organization. In addition, many forms of training fail because they are rote and do not require users to think about and apply security concepts. A flexible, highly interactive video game can support organizational security training objectives while engaging typical users in a security adventure.
However, there are problems with deploying games-based learning in organizations. First, it is difficult to find generic, interactive end-user gaming software for security awareness. Second, the cost of creating such a game internally can be quite high. Third, maintaining and updating the content can be time-consuming and costly.
Published on March 13, 2010 by Karen Letain in News
According to American Medical News in the February 22 edition of their newspaper, one-third of health professionals store patient data on laptops, smartphones and USB memory sticks and only 39% of health care organizations encrypt data on mobile devices.
Provisions in the federal stimulus package have tightened HIPAA notification and enforcement regulations and have made HIPAA violations more costly. For example, the maximum civil penalty from the Dept. of Health and Human Services for a data breach occurring after Feb. 18, 2009, rose from $25,000 to $1.5 million.
Security experts recommend that the data on these devices be secured and encrypted, making it next to impossible for anyone who happens to find a lost device to read it. More importantly, users of corporate mobile devices need to be educated on their responsibility for the security of the devices provided by the organization and on the organization's policy for using them. Awareness of the risks inherent in using mobile devices is essential and should be part of a consistent security awareness program.
Published on February 15, 2010 by Karen Letain in Marketing and Communications, Planning
To win the gold...a corporate security awareness program aims to make all employees understand and appreciate not only the value of the company's information assets but also the consequences should those assets be compromised. In theory, the process is straightforward and painless. But as every IT/security manager knows, in real life an awareness program can be a huge headache - especially in a large enterprise.
How do you plan correctly when implementing a security awareness program? How do you determine what tools will be effective in your organization? And...how do you create a winning program that wins a gold in terms of making everyone aware?
A couple of simple rules:
1. Do the training yourself - ensure that you do your research. Understand how employees use the systems and for what purposes, who has access to what and why. Understand the dynamics of your organization. Be well versed in the policies, goals and initiatives within your organization that might impact the program.
2. Get executive buy-in - without the right buy-in you will not succeed...period.
3. Create a focus group - get individuals from each department involved in the process so they can help you to build the right messaging and communicate effectively to the different groups within the organization.
4. Communicate, communicate, communicate again - use different techniques to get the message across. Be succinct and clear in all communications used and ensure that a regular frequency is maintained throughout the year.
5. Above all...make it FUN! In general, people are frightened about security breaches and risks. Try to remove the scary aspect by getting them involved.
6. Lead by example. Act swiftly and communicate rapidly if a security incident occurs. Ensure you are adhering to the policies within the organization and take every opportunity to communicate and reinforce the awareness message.
We would welcome your input into this conversation. Let us know what methods you have used to get that additional "edge" to create a winning program.
Published on December 14, 2009 by Karen Letain in Planning, Reinforcement Tools
I purchased a new pair of runners for my 7 year old and these had laces. I had taught him to tie his shoes in Kindergarten but with most of the shoes and boots having velcro, I did not realize that the lesson taught in Kindergarten did not stick. I was both shocked and dismayed to realize that my Grade 2 child did not know how to tie his shoes! As a parent I also had that wonderful "guilt" feeling that goes along with realizing that I probably didn't do a very good job initially as I was in a rush (as always) and should have probably spent more time having him practice so that he retained the knowledge. I also should have bought him more shoes with laces!
So...how does this relate to security awareness? Like any type of training or learning, if a person does not practice what has been learned, it does not get retained. Security awareness is even more difficult since we are ultimately trying to change behavior. Individuals are already set in their ways of performing various job tasks throughout the day, and security awareness is about changing the way in which those tasks are performed. Teaching a security awareness class once a year and providing no other reinforcement or communication on the subject will not sufficiently change the behavior of your end users.
Not setting aside enough time as an educator to ensure that your security awareness program is planned and supported properly will lead to additional stress, guilt and ultimately to the failure of the awareness program.
So...what do we do? We must ensure that awareness is delivered in small, bite-sized amounts that are easily digestible, and then follow up with reinforcement tools or methods - i.e., posters, newsletters, video clips, spot checks or walkabout reminders that catch people doing what was taught correctly or incorrectly. Providing continuous training throughout the year will aid retention. Providing rewards and/or encouragement for completing the training and for a change in behavior will give you a better and more widely accepted security awareness program.
Published on September 03, 2009 by Karen Letain in News
Is there really an answer to this? Does it not depend upon the product and the individual learner?
Quite likely, the only real answer to this question is to determine the amount of training that is necessary by reviewing the corporate security policies and determining what is critical from a security perspective and what is not. Typical physical security training is a minimum of about 40 hours per core competency. This, however, could be overkill if the individual's role is not that of a physical security officer but instead that of a program or project manager with no responsibility for security within the organization.
The amount of training is typically related to the type of task being performed. With security awareness that is difficult to quantify unless you look at what is critical from a security perspective based on the individual's job role in the organization. Ultimately, security awareness training should be based on the role the individual learner has in the organization and what potential risks/threats that person might encounter. Basing training on the individual's role is a much more precise way to develop effective security awareness training.
Published on June 04, 2009 by Karen Letain in News
For anyone out there experimenting with Twitter, you are probably aware that with so few characters available per tweet, you eventually need to use a short URL service to direct your followers to what you want them to read or see. These short URL services are great and, guess what... they are free! This seems great until you start thinking about the potential security risks. For companies with employees who are sneaking in a few tweets a day at work, those security issues could become a big problem.
Let's start by understanding that anyone following a Twitter account who blindly clicks on a short URL has no way of knowing where they are being taken; in other words, the destination page is hidden from them. Which means...an attacker can tweet that he is linking to a new picture of a rare white moose while instead sending the user to a website hosting malicious content.
Organizations need to educate their employees not only on the policies and risks regarding the use of social media and the potential hazards of social engineering at work, but should also make them aware that they need to pay close attention when using social media sites at home.
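The point above is that a short URL hides its destination. As an added example, not part of the original post, this script walks a shortened link's HTTP redirect chain one hop at a time using HEAD requests, so the real destination host can be inspected before anyone clicks through. The `head` parameter is a hypothetical injection point that lets the logic run offline against a constructed redirect table; `live_head` performs the real lookups.

```python
# Added example (not from the original post): expand a short URL hop by hop
# with HEAD requests so the final destination can be reviewed before visiting.
# Redirect loops and overly long chains are reported instead of followed forever.
# `head` is a hypothetical injection point for offline testing.
import urllib.error
import urllib.request
from urllib.parse import urljoin


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url):
    """Return the Location header for one hop, or None if the URL is final."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx answers surface as HTTPError.
        return err.headers.get("Location") if 300 <= err.code < 400 else None


def expand_url(url, head=live_head, max_hops=10):
    """Return (chain, status); status is 'resolved', 'loop' or 'too_many_hops'."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = head(chain[-1])
        if nxt is None:
            return chain, "resolved"
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


# Constructed redirect table standing in for real shortener responses.
FAKE_HOPS = {
    "http://short.example/abc": "http://tracker.example/r?id=1",
    "http://tracker.example/r?id=1": "https://photos.example/moose.jpg",
    "http://short.example/loop": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop",
}
fake_head = FAKE_HOPS.get  # offline stand-in for live_head
```

Call `expand_url(url)` for a live lookup, or `expand_url(url, head=fake_head)` to exercise the chain-walking, loop and hop-cap handling against the constructed table.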
Published on May 29, 2009 by Karen Letain in News
The business world is rapidly changing, and the way we conduct business will continue to evolve. The younger workforce now graduating will be accustomed to working on a contractual and evolving basis, without the regular work hours the past generation was used to or the loyalty to a company that past generations had.
Outsourcing and contract workers will become the norm as businesses adjust to the growing global demands of their clients and as new and changing skill sets are required to address their challenges.
These changes to our workforce mean an increased challenge for security awareness managers. Managers will need to be sure that this new and ever-changing set of workers is able to keep the intellectual property of the company secure. Security awareness training will not only need to become part of an organization's orientation training practices but will become an essential requirement of those courses. Stringent adherence to corporate policies, and testing of knowledge of those policies, will become increasingly important for security managers.