Unawares (adv.: without being aware of a situation)
I think every organization needs some sort of cyber security awareness program. There, I said it. I know some folks don’t think they help, but even if they help only a little they are a valuable part of an organization’s overall cyber security strategy. Besides, you can’t expect people to do things you’ve never told them how to do, and you can’t expect them to be concerned about cyber security unless they understand the issues at least a little bit.
The popular press loves to run stories on cyber security; the recent Heartbleed and Internet Explorer bugs seemed to get a lot of coverage. Unfortunately, a lot of people these days don’t watch much television news, read the newspaper (OK, I don’t do that very often either), or even follow news on the web. I’m not sure how they keep up, but they might go on blissfully unaware of major cyber security issues (unless they read this blog…).
To be honest, I thought all companies with more than about ten employees had some kind of security awareness program. But a study by Enterprise Management Associates paints a different picture. In that study they report that 56% of employees, excluding security and IT staff, have not received any security awareness training. As you might expect, smaller companies do less compliance training, and larger companies have a higher percentage of people who receive the awareness training.
The study goes on to report a roughly even split between companies that hold a single annual training event and those that run several shorter sessions with less material each. I cannot help but believe that the shorter sessions have greater retention, but I also understand that one session is better than none. About half of the training is delivered online, according to the study. I’m a big proponent of online training, but I believe that in cases such as this virtual instructor-led training (sometimes called VILT) is important because it helps ensure learner understanding and gives participants the opportunity to ask questions. When we teach Course 468, System and Network Security Introduction, at Learning Tree, the class is a hybrid of live, in-person instruction and VILT. This means that you can attend from anywhere (that’s why it’s called AnyWare) and not have to pay travel expenses if you don’t live near a Learning Tree education center.
People need to know how to protect themselves and their organizations. If nobody tells them how and why, it seems unlikely that many will go out and figure it out for themselves. You can start with Course 468, System and Network Security Introduction, and develop your own awareness program, or ask Learning Tree to do it for you. To supplement this, we have also recently introduced a new course, Social Engineering Deceptions and Defenses, that provides the skills to defend against the social engineering attacks that threaten organizational security. Please, do something, update it regularly, and help your people do the right thing.
To your safe computing,