Pub. 8 2013-2014 Issue 4

www.nebankers.org
Extraordinary Service for Extraordinary Members.

Tech Talk

Simple Tactics for Security Awareness Training
Leticia Saiid, CoNetrix

Security awareness training: Do you cringe a little when you hear the term? You may not want to rely on a bare minimum program, but sometimes it may be the only option as you deal with time constraints, employee availability, and lack of interest. Training can be a frustrating situation for both the trainer and the trainee.

Employees can be the most powerful security layer in your information security program and, by the same measure, the greatest weakness. Their ability to “sense” when something’s not right is what can make them your most effective security control. One way you can utilize this super-security power, which only humans possess, is to pump up your security awareness program.

Consider this great training tip. One of my coworkers performs social engineering tests as part of our penetration testing for customers. It’s interesting to listen to his side of the phone call as he kindly explains the reason he’s calling and asks for a couple simple clicks “here and there,” “thank you for your time,” and then it’s over. It is so easy and pleasant. This is a tactic that attackers use, and I think we all could take a tip from it. That’s what you want for your security awareness training—to both seem and be simple, interesting, and valuable for your users. Here are a couple methods to help move in that direction.

Visual reminders are an easy way to provide continuous security awareness. Place an interesting poster or article in the break room, or anywhere employees frequent.

Send monthly “tips and tricks” emails. A monthly email is a great way to keep things simple, yet continuous.

Design some swag. A few years back our company was in the market for some new swag: pens, chip clips, etcetera. We ended up purchasing cases of sticky notes with the phrase “Do not write your password here.” It may seem like a no-brainer, but it’s a strong deterrent to keep employees from writing their passwords on a sticky note.

Good educators know one of the best methods for a student to truly learn a concept is for them to take ownership of the information and feel they need to teach it themselves. Students not only need to feel they’ve mastered a concept, but also must believe it provides value for their life. To instill ownership of security awareness in your employees, you must make the information valuable to them on as many levels as possible. They need to see that security awareness not only protects the company, it also protects them personally. One great topic for work and home security is passwords. The sheer volume of our passwords alone is a reason for concern. Teach employees the value of password management applications, like Secret Server, LastPass, or Password Safe.

Another way to instill ownership is to focus your content departmentally. If you can get buy-in from department heads, getting the attention of their employees is much easier.

As you continually educate your users, keep it simple and focus on one topic at a time. Whatever you do, remember everyone likes a good story. A great communication tool is to share recent security “horror stories.” Those do a great job of hitting home for users.

In order for your users to take ownership in protecting information and defending it from unauthorized access, use, disclosure, perusal, or destruction, you have to help them see the relevance and value, and do so in a way they can enjoy and understand.

Leticia Saiid is a tandem software support specialist for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem—a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Learn more at www.conetrix.com.
