Implementing a good security awareness program is not hard, if your company cares about security. If they don’t, well, you’ve got a big problem.
It doesn’t start with the auditable security program that most standards would have you set up. Quoting PCI-DSS testing procedures:
12.6.1.a Verify that the security awareness program provides multiple methods of communicating awareness and educating employees (for example, posters, letters, memos, web based training, meetings, and promotions).
12.6.1.b Verify that employees attend awareness training upon hire and at least annually.
12.6.2 Verify that the security awareness program requires employees to acknowledge (for example, in writing or electronically) at least annually that they have read and understand the company’s information security policy.
For many awareness programs, this is their beginning and end. An annual opportunity to force everyone in the business to listen to us pontificate on the importance of information security, and make them read the same slides we’ve shown them every year. Or, if you’ve needed to gain cost efficiencies, you’ve bought a CBT program that is lightly tailored for your business (and as a side benefit, your employees can have races to see how quickly they can click through the program).
But at least it’s auditor-friendly: you have a record that everyone attended, and you can make them acknowledge receipt of the policy that they are about to throw in the recycle bin. And you have to have an auditor friendly program, but it shouldn’t be all that you do.
I can tell you that, for our baseline, auditor-friendly security awareness program, over 98% of our employee base have reviewed and certified the requisite courseware in the last year; and that of the people who haven’t, the vast majority have either started work in the last two weeks (and thus are in a grace period), or are on an extended leave. It’s an automated system, which takes them to a single page. At the bottom of the page is the button they need to click to satisfy the annual requirement. No gimmicks, no trapping the user in a maze of clicky links. But on that page is a lot of information: why security is important to us; what additional training is available; links to our security policy (2 pages) and our security program (nearly 80 pages); and an explanation of the annual requirement. And we find that a large majority of our users take the time to read the supplemental training material.
But much more importantly, we weave security awareness into a lot of activities. Listen to our quarterly investor calls, and you’ll hear our executives mention the importance of security. Employees go to our all-hands meetings, and hear those same executives talk about security. The four adjectives we’ve often used to describe the company are “fast, reliable, scalable, and secure”. Social engineering attempts get broadcast to a mailing list (very entertaining reading for everyone answering a published telephone number). And that doesn’t count all of the organizations that interact with security as part of their routine.
And that’s really what security awareness is about: are your employees thinking about security when it’s actually relevant? If they are, you’ve succeeded. If they aren’t, no amount of self-enclosed “awareness training” is going to fix it. Except, of course, to let you check the box for your auditors.