Internet Security Awareness Training
Internet Security Awareness Training (ISAT) is the training given to members of an organization regarding the protection of various information assets of that organization. ISAT is a subset of general security awareness training.
Even small and medium enterprises are generally recommended to provide such training, but organizations that need to comply with government regulations (e.g. GLBA, PCI, HIPAA, Sarbox) normally require formal ISAT annually for all employees.[1] Often such training is provided in the form of online courses.
Coverage
Topics covered in ISAT include:
- Appropriate methods for protecting sensitive information on personal computer systems, including password policy
- Various computer security concerns, including spam, malware, phishing, social engineering, etc.
- Consequences of failure to properly protect information, including potential job loss, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal law penalties.
Being Internet Security Aware means you understand that there are people actively trying to steal data that is stored within your organization's computers. (This often focuses on user names and passwords, so that criminal elements can ultimately gain access to bank accounts and other high-value IT assets.) That is why it is important to protect the assets of the organization and stop that from happening.[2]
According to Microsoft,
- End User Internet Security Awareness Training resides in the Policies, Procedures, and Awareness layer of the Defense in Depth security model.
- User security awareness can affect every aspect of an organization’s security profile.
- End User Security awareness is a significant part of a comprehensive security profile because many attack types rely on human intervention (Social Engineering) to succeed.
The focus of ISAT is to achieve an immediate and lasting change in the attitude of employees towards Internet Security, making it clear that security policies and Acceptable Use policies are vital for the survival of the organization, not rules that keep employees from being efficient at work.
Security awareness training for employees is one of the most effective means of reducing the potential for costly errors in handling sensitive information and protecting company information systems. Training can be conducted through a number of means and certain approaches are more effective than others:
- The Do-Nothing Approach: The organization conducts no security awareness training and relies on automated systems to protect against phishing and malware.
- The Breakroom Approach: Employees are gathered during lunches or meetings and are told what to look out for in emails, web surfing, etc.
- The Monthly Security Video Approach: Employees are shown short videos that explain how to keep the organization safe and secure.
- The Phishing Test Approach: Certain employees are pre-selected and sent simulated phishing attacks, IT determines whether they fell prey to the attack, and those employees get remedial training.
- The Human Firewall Approach: Everyone in the organization is tested, the percentage of employees who are prone to phishing attacks is determined, and then everyone is trained on major attack vectors. Simulated phishing attacks are sent to all employees on a regular basis.
Security awareness training can ensure personnel have a solid understanding of their employer's security practices and policies. In contrast, an uninformed employee is susceptible to malware, phishing attacks, and other forms of social engineering. Such an employee can do substantial harm to an organization's systems and place its data at risk.
Key aspects of any awareness training program generally include the following:
- Train on an ongoing basis. Avoid limiting training to when an employee is first hired or assigned to a new role in the organization.
- Train creatively, not just in a non-interactive classroom setting.
- Look for means to introduce interactivity into the training process.
- Have a means of measuring progress and Phish-prone percentage of employees.
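The Phishing Test and Human Firewall approaches above, and the last point about measuring a Phish-prone percentage, both depend on turning the results of simulated phishing campaigns into a number that can be tracked over time. The following script is an added example, not code from the article or from any vendor's platform; the CSV column layout, the result labels ("reported", "ignored", "clicked", "submitted") and the eight sample rows are constructed for illustration. It computes the phish-prone percentage per campaign and per department, the report rate (how many recipients flagged the message), and which users failed repeatedly and therefore need remedial training.

```python
"""Phish-prone percentage from simulated phishing campaign results.

Added example (not from the article). The CSV layout, result labels and
campaign data below are constructed assumptions, not real records.
"""
import csv
import io
from collections import defaultdict

# Constructed results of two simulated campaigns (not real data).
# Columns: campaign, user, department, result
# result is one of: reported | ignored | clicked | submitted
SAMPLE_RESULTS = """\
campaign,user,department,result
2024-Q1,alice,finance,clicked
2024-Q1,bob,finance,ignored
2024-Q1,carol,engineering,reported
2024-Q1,dave,engineering,submitted
2024-Q2,alice,finance,clicked
2024-Q2,bob,finance,reported
2024-Q2,carol,engineering,ignored
2024-Q2,dave,engineering,reported
"""

# Outcomes that count as "fell prey": following the link, or going further
# and entering credentials on the landing page.
PHISH_PRONE = {"clicked", "submitted"}


def parse_results(text):
    """Parse campaign results from CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def phish_prone_percentage(rows):
    """Percentage of recipients in `rows` who clicked or submitted."""
    if not rows:
        return 0.0
    failed = sum(1 for r in rows if r["result"] in PHISH_PRONE)
    return round(100.0 * failed / len(rows), 1)


def by_campaign(rows):
    """Phish-prone percentage per campaign, so the trend is visible."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["campaign"]].append(r)
    return {c: phish_prone_percentage(g) for c, g in sorted(groups.items())}


def by_department(rows, campaign):
    """Phish-prone percentage per department for one campaign."""
    groups = defaultdict(list)
    for r in rows:
        if r["campaign"] == campaign:
            groups[r["department"]].append(r)
    return {d: phish_prone_percentage(g) for d, g in sorted(groups.items())}


def report_rate(rows, campaign):
    """Percentage of recipients who reported the simulated message.

    A rising report rate is the positive signal a program wants to see,
    alongside a falling phish-prone percentage.
    """
    sent = [r for r in rows if r["campaign"] == campaign]
    if not sent:
        return 0.0
    reported = sum(1 for r in sent if r["result"] == "reported")
    return round(100.0 * reported / len(sent), 1)


def remedial_candidates(rows, min_failures=2):
    """Users who fell prey in at least `min_failures` campaigns."""
    counts = defaultdict(int)
    for r in rows:
        if r["result"] in PHISH_PRONE:
            counts[r["user"]] += 1
    return sorted(u for u, n in counts.items() if n >= min_failures)


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    print("phish-prone % by campaign:", by_campaign(rows))
    for campaign in sorted({r["campaign"] for r in rows}):
        print(campaign, "by department:", by_department(rows, campaign),
              "report rate:", report_rate(rows, campaign))
    print("remedial training:", remedial_candidates(rows))
```

On the constructed data the phish-prone percentage drops from 50.0% in the first campaign to 25.0% in the second while the report rate rises from 25.0% to 50.0%, and one user who clicked in both campaigns is flagged for remedial training. In a real program the rows would come from the phishing-simulation platform's export, and the per-department view is what lets a security team target follow-up training rather than repeating the same material for everyone.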
References
- "Information Security Awareness Training (ISAT)". University of Virginia. Retrieved 4 November 2019.
- Sharf, Elad (July 2016). "Information exchanges: regulatory changes to the cyber-security industry after Brexit: Making security awareness training work". Computer Fraud & Security. 2016 (7): 9–12.