
The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick

information security is part of his or her job.

Employees must come to appreciate and accept that the threat of social engineering attacks is real, and that a serious loss of sensitive corporate information could endanger the company as well as their own personal information and jobs. In a sense, being careless about information security at work is equivalent to being careless with one’s ATM PIN or credit card number. This can be a compelling analogy for building enthusiasm for security practices.

Establishing the Training and Awareness Program

The person responsible for designing the information security program needs to recognize that this is not a one-size-fits-all project. Rather, the training needs to be developed to suit the specific requirements of several different groups within the enterprise. While many of the security policies outlined in Chapter 16 apply to all employees across the board, many others are unique. At a minimum, most companies will need training programs tailored to these distinct groups: managers; IT personnel; computer users; nontechnical personnel; administrative assistants; receptionists; and security guards. (See the breakdown of policies by job assignment in Chapter 16.)

Since the personnel of a company’s industrial security force are not ordinarily expected to be computer proficient, and, except perhaps in a very limited way, do not come into contact with company computers, they are not usually considered when designing training of this kind. However, social engineers can deceive security guards or others into allowing them into a building or office, or into performing an action that results in a computer intrusion. While members of the guard force certainly don’t need the full training of personnel who operate or use computers, nonetheless they must not be overlooked in the security awareness program.

Within the corporate world there are probably few subjects about which all employees need to be educated that are simultaneously as important and as inherently dull as security. The best designed information security training programs must both inform and capture the attention and enthusiasm of the learners.

The aim should be to make security information awareness and training an engaging and interactive experience. Techniques could include demonstrating social engineering methods through role-playing; reviewing media reports of recent attacks on other less fortunate businesses and discussing the ways the companies could have prevented the loss; or showing a security video that’s entertaining and educational at the same time. There are several security awareness companies that market videos and related materials.

Note

For those businesses that do not have the resources to develop a program in-house, there are several training companies that offer security awareness training services. Trade shows such as Secure World Expo (www.secureworldexpo.com) are gathering places for these companies.

The stories in this book provide plenty of material to explain the methods and tactics of social engineering, to raise awareness of the threat, and to demonstrate the vulnerabilities in human behavior. Consider using their scenarios as a basis for role-playing activities. The stories also offer colorful opportunities for lively discussion on how the victims could have responded differently to prevent the attacks from being successful.

A skillful course developer and skillful trainers will find plenty of challenges, but also plenty of opportunities, for keeping the classroom time lively, and, in the process, motivate people to become part of the solution.

Structure of the Training

A basic security awareness training program should be developed that all employees are required to attend. New employees should be required to attend the training as part of their initial indoctrination. I recommend that no employee be provided computer access until he has attended a basic security awareness session.

For this initial awareness and training, I suggest a session focused enough to hold
