How Is Your Security Training?

A good article in CSO Online asks if security training is effective, given that even the experts can be lazy with passwords, and fall victim to phishing attacks. However, the conclusion is straightforward: security training does lead to positive results, if you do it properly.

When rolling out training, it is vital to be realistic about the expectations placed on staff. Do not take a busy person away from their work for half a day, try to cram their head full of information which may or may not be relevant to them, and then ignore them for years afterwards. A recurring drip-drip of information and advice, perhaps made mandatory through the completion of short quarterly online compliance quizzes, is more effective than the occasional deluge of instructions extracted from a tediously written corporate security policy.

Fraud managers should team up with security functions to ensure training helps them both. Fraudsters use techniques like social engineering and phishing in order to gain unauthorized access to systems, or to persuade customer services representatives to volunteer information that will compromise the identity of a genuine account holder. The potential training synergies are obvious. And when we talk about fraud management, it is vital to use preventative techniques, including the training of staff, to avoid becoming over-reliant on data-oriented detective controls.

It occurs to me that business assurance conferences rarely talk about training programs, or the ways to measure their effectiveness. Per the CSO Online article, even the least effective anti-phishing training program will deliver a seven-fold return on investment. That is the kind of business benefit we should talk about more often.

Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others. Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy. Commsrisk is edited by Eric.