How Is Your Security Training?

A good article in CSO Online asks if security training is effective, given that even the experts can be lazy with passwords, and fall victim to phishing attacks. However, the conclusion is straightforward: security training does lead to positive results, if you do it properly.

When rolling out training, it is vital to be realistic about the expectations placed on staff. Do not take a busy person away from their work for half a day, try to cram their head full of information which may or may not be relevant to them, and then ignore them for years afterwards. A recurring drip-drip of information and advice, perhaps made mandatory through the completion of short quarterly online compliance quizzes, is more effective than the occasional deluge of instructions extracted from a tediously written corporate security policy.

Fraud managers should team up with security functions to ensure training helps them both. Fraudsters use techniques like social engineering and phishing to gain unauthorized access to systems, or to persuade customer services representatives to volunteer information that will compromise the identity of a genuine account holder. The potential training synergies are obvious. And when we talk about fraud management, it is vital to use preventative techniques, including the training of staff, to avoid becoming over-reliant on data-oriented detective controls.

It occurs to me that business assurance conferences rarely talk about training programs, or the ways to measure their effectiveness. Per the CSO Online article, even the least effective anti-phishing training program will deliver a seven-fold return on investment. That is the kind of business benefit we should talk about more often.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.