Analecta Cyber Company Blog: Putting Information Security on Everyone’s Mind

2018-08-14

Putting Information Security on Everyone’s Mind

Puting information security on everyone's mind - Analecta LLC graphic banner Employees are one of the biggest threats to your company’s information system security. This isn’t a matter of insider threats or malicious actions to sabotage the company; it’s from accidental, unrealized actions that occur on a daily basis:
  • Forgetting to lock their computer
  • Poor password management
  • Opening malicious email attachments
  • Downloading unauthorized software
These are all innocent mistakes that occur without basic information security training. Recurring training for employees on security best practices is the most effective approach for improving the front lines of your security.

Employee training - cybersecurity awareness training
Studies have shown that user behavior is a contributing factor in 70% to 95% of malware infections. Modifying risky behavior through consistent and thorough employee training can reduce these proportions by 45% to 70%.

What INFOSEC training should cover

 

Information Security (INFOSEC) training should be provided to all information system users in your company at least annually. This population of users includes employees, managers, executives,  contractors and subcontractors. Training should not be a one-time activity for new users - but a recurring annual requirement for using the company’s information systems. NIST recommends including practical exercises that simulate the following scenarios when conducting INFOSEC training:
  • what to do if an employee receives a threat
  • what to do if a system has been compromised/hacked
  • how to recognize and report a potential insider threat
  • what to do in the event of a company-wide cyber attack

INFOSEC for fun and profit! 


Empower your employees to prevent incidents from happening in the first place. Reduce downtime and increase profitability by building a workforce that is knowledgeable in information security and that is willing to put that knowledge to good use.

INFOSEC is not some faceless concept. Involve senior management in INFOSEC campaigns, and challenge them to demonstrate to the rest of the workforce that they understand that security is a priority at all levels. Visual aids are a great way to remind everyone about the importance of INFOSEC. Display posters around the office with essential points and see if fellow employees would like to be the face of INFOSEC. These posters will reinforce the INFOSEC concepts and keep the employees engaged.

Turning policy into something understandable and actionable


Best practices in INFOSEC training involve:
  • fostering a sense of buy-in across employees and management
  • using hands-on learning to demonstrate the practical application of INFOSEC
  • training that is enjoyable and engaging
  • keeping the content relevant to the company, customer base or business objectives
  • training smaller groups of employees and keep material relevant to their department or job duties
Do not wait until after a cybersecurity incident to train on INFOSEC. You run the risk of making those that were involved with the incident feel singled-out or cause them to be less engaged during the training. Take advantage of the opportunity to train your employees as soon as they join the organization and be sure to cover the common ways that hackers can attempt to access your company’s data. Prevent incidents from occurring with timely and engaging training.

This is your last change poster Phishing scam avoid the bait poster cyber smart lock - lock before you leave poster
INFOSEC posters are well known for turning a serious matter into something fun. More importantly, the message they convey becomes memorable and actionable for the reader.

Time for fun and games! 


Games have been shown to improve learning and retention - especially for material that may seem less relevant. Adding competition and scenario-based aspects to INFOSEC training is a great way to engage your employees and improve retention.

Gamification is the concept of applying elements of game-play to a task or instruction in order to improve engagement and learning. Use this technique to turn something less interesting into something positive with points and friendly competition. Some enterprises take their INFOSEC training to impressive heights, awarding gift cards, a day off or a preferred parking space for a week to get employees engaged. Hold the competition monthly and pit different departments against each other to see who is the most cybersecurity savvy. 

Simulated cyber attacks, like phishing attacks, bring a dose of reality to your training. Walk your employees through a realistic attack that encompasses the entire hacking process. They may not know what happens after they download that suspicious attachment or click on that malicious link.

Conduct INFOSEC training through a virtual environment online, especially if your organization is large or spread across a large geographic footprint. Offer rewards for simple yet effective INFOSEC behavior like changing passwords or flagging suspicious emails. This reinforces positive INFOSEC habits and encourages your employees to practice those good habits on a daily basis.

Analecta Cyber is guiding small and medium-sized businesses 


Analecta can shape information security training to fit the needs of your organization and identify solutions for any additional training gaps. If you are unsure of where to start or what to cover in your training, contact us at info@analecta-llc.com or visit our website and we would be glad to help.

Further Resources