A good article in CSO Online asks whether security training is effective, given that even the experts can be lazy with passwords and fall victim to phishing attacks. However, the conclusion is straightforward: security training does lead to positive results, if you do it properly.
When rolling out training, it is vital to be realistic about the expectations placed on staff. Do not take a busy person away from their work for half a day, try to cram their head full of information which may or may not be relevant to them, and then ignore them for years afterwards. A recurring drip-drip of information and advice, perhaps made mandatory through the completion of short quarterly online compliance quizzes, is more effective than the occasional deluge of instructions extracted from a tediously written corporate security policy.
Fraud managers should team up with security functions to ensure training helps them both. Fraudsters use techniques like social engineering and phishing to gain unauthorized access to systems, or to persuade customer service representatives to volunteer information that will compromise the identity of a genuine account holder. The potential training synergies are obvious. And when we talk about fraud management, it is vital to use preventive techniques, including the training of staff, to avoid becoming over-reliant on data-oriented detective controls.
It occurs to me that business assurance conferences rarely talk about training programs, or the ways to measure their effectiveness. Per the CSO Online article, even the least effective anti-phishing training program will deliver a seven-fold return on investment. That is the kind of business benefit we should talk about more often.