Control 17.3: Implement a Security Awareness Program¶
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization’s security awareness program should be communicated in a continuous and engaging manner.
Category¶
Procedural
Purpose¶
Employees are the first line of defense in any good security program. In some sense, the phrase "you are only as strong as your weakest link" is very true in security. Sometimes all it takes is one employee unknowingly installing a malicious program on their computer to lead to a security breach. This is why it is important that all employees know and practice basic awareness of how to keep themselves and the company secure. Awareness training does not replace technical controls such as email filtering, endpoint protection, and least privilege, but it reduces how often those controls are the last thing standing between an attacker and the organization. This starts with a security awareness program.
Many of the top security threats take advantage of the human factor of security. These include social engineering attacks such as phishing, spear phishing, vishing, pretexting, baiting, and others. Many of these threats exploit human tendencies or emotions: they aim to trick employees who are not paying attention to detail, or who are caught up in an urgent or emotional story and act before verifying it.
Automation¶
There are third-party training platforms available which can reduce the overhead of implementing a security awareness program. These platforms are generally engaging and kept up to date with current threats, and many can track completion and run simulated phishing campaigns, but they may be too costly for small organizations.
Guidance and Tools¶
A good security awareness program is more than just an onboarding program or annual training. The U.S. Department of Health and Human Services (HHS) provides material for cybersecurity awareness training. The Multi-State Information Sharing and Analysis Center (MS-ISAC) publishes a free monthly security newsletter targeted at end users that anyone can subscribe to (https://learn.cisecurity.org/ms-isac-subscription). Here are some key components of a good security awareness program:
- Acceptable use policy: This policy should be in place to lay out the expectations an organization has around its security. It should explain to employees that they have responsibilities for security in their everyday work, and it should be acknowledged in writing so those responsibilities are clear.
- New employee onboarding training: New employees need to know organizational expectations for security before they are given access to systems. This training can be formal training provided by third parties, or informal training provided by their supervisor.
- Management awareness: Employees need to hear and feel that management takes security seriously and is counting on them to do their part. This can be accomplished by dedicating a moment to security in company-wide meetings or announcements.
- Posters and spotlights: Hanging security awareness posters, like those from SANS (https://www.sans.org/security-resources/posters), or sending out Security Spotlight emails on a regular basis are good ways to continually emphasize security to employees.
- Annual refresher training: Employees should be asked to go through a security awareness refresher at least once a year, with completion tracked so that gaps in coverage can be identified.