Regulatory compliance and the rise in data breaches have made security awareness training a necessary program for companies.
The Sarbanes-Oxley and Health Insurance Portability and Accountability acts mandate security awareness training for compliance. This mandate extends to contractors, vendors and others -- such as small and medium-sized businesses (SMBs) -- who provide services to the regulated. It's a good idea, in any case, to educate employees about computer security hygiene. It can help protect the intellectual assets of a company, the loss of which could be especially lethal to an SMB without resources to protect itself. However, unlike the regulated companies they may serve, SMBs don't have lavish budgets and staff for dedicated training departments.
Areas of focus
There are two things an SMB should keep in mind for its security awareness program. First, it should teach a consistent security message to the entire company; SMBs are too small to have multiple training programs with different slants. Second, it should be managed by the IT department.
No matter what you focus on, the following are the bare minimum that should be in any program:
Employees should be taught about the safe handling of passwords. Examples include how to pick a strong password, not writing passwords down or putting them on sticky notes attached to monitors, and not sharing them with anybody, including the help desk.
Users need to be taught to be wary of email attachments, particularly those from an unknown sender. Teach users how such attachments could contain viruses, Trojans or other malware that could harm the company. In addition, users need to be aware of company policies about safe Web browsing and acceptable Internet use. Web access from the office is for business purposes only. Pornography and gambling sites, besides opening the company to legal liability, are vectors for malware. This needs to be explained to employees in terms they understand.
Teach road warriors who live on their laptops how to keep their machines from being stolen when they travel. Teach them to be careful when logging in at airports and other public places to prevent shoulder surfers from stealing their user IDs and passwords. Employees also need to be taught about the threats posed by USB keys and wireless access points in the office. They should be told these devices may not be allowed at work.
Employees who deal with the public are susceptible to con artists who may try to sweet-talk them into providing company information or user IDs and passwords to access confidential systems and data. Teach employees the basic tricks of the trade so they won't be fooled.
If an employee sees something suspicious or thinks a breach may have occurred, teach them about procedures for reporting incidents. They should be told who to contact and how.
The National Institute of Standards and Technology (NIST) has an excellent publication, SP 800-50, with templates and guides for what should go into a security awareness training program. The 70-page document is available for free in PDF format from the institute's Web site.
In, out or Web?
Traditionally, there have been three ways to set up a security awareness program: turn to in-house staff members or a training department, hire an outside training company, or use Web-based or computer-based training courses. All three options can be costly and use resources SMBs don't have.
So, what alternatives are there for an SMB wanting to bring its staff up to snuff on information security? There are two options, both slight variations on the three traditional approaches. An SMB can still use in-house resources, depending on the scope of the training, or purchase a Web-based or computer-based training program. In addition, SMBs can be creative, putting up colorful and inexpensive security awareness posters around the office as a gentle reminder.
If your IT department can spare one or two people to assemble a training program, a tailor-made in-house program might be the way to go. A one-day or even a half-day class assembled around the NIST guidelines, or other materials, should be sufficient to cover the key points employees need to know about computer security.
For Web-based and computer-based training, there are a number of reasonably priced alternatives targeting the SMB.
An interesting package of training products comes from Native Intelligence Inc. in Glenelg, Md. The company offers Web-based training, newsletters and clever posters with security tips. All the materials can be customized and branded with your company's logo. Native Intelligence also updates its materials regularly. The programs keep track of who completed the courses, which is useful for certifying, for compliance purposes, that everybody in the company actually took the required security training.
Similar Web-based training is offered by UK-based Easy i Inc., which customizes training to suit individual company needs. It also offers off-the-shelf products. The Security Awareness Co. has Web-based training, videos, live instructors and role-playing and simulation games.
The most novel approach is from National Security Institute's SECURITYsense, which delivers security messages in HTML-based email newsletters and pop-up windows directly to employee desktops. It bills itself as the low-cost alternative at $995 per year for 5,000 employees.
Whichever program you choose, make sure it meets your compliance requirements and can verify, for auditors and regulators, who took and completed the courses. With these approaches, an SMB can easily meet compliance standards for security awareness training.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He also runs The IT Security Guy blog at http://www.theitsecurityguy.com.