Here are the lines of defense in your organization:
- The 1st Line: Controls – how you enforce security best practices and prevent successful compromise.
- The 2nd Line: Detection – how you catch attacks or attempted breaches, or how you know whether your controls are working.
- The 3rd Line: Employees – how aware they are of security and what they are doing to avoid being a weak link.
A good security awareness program arms your third line of defense by teaching employees how the first and second lines work and giving them the tools they need to do the right thing day in and day out. Done well, it ensures that everyone in the organization understands the security posture and accepts an appropriate share of responsibility for it. A security awareness program should have 4 Cs:
Communication: Security should be emphasized regularly by upper management and become a normal part of the conversation with all employees. Channels include company-wide emails, presentations, brown-bag lunches, or some combination of these. Whatever the channel, communication should be clear, regular, relevant, and interactive, so that employees can ask questions rather than only receive announcements.
Checklist: Checklists ensure that security awareness practices are rolled out systematically across the organization rather than ad hoc. They keep the company organized when developing, delivering, and maintaining the program, and they make it visible when a step has been skipped. Information in the checklist could include:
- What to do when a new hire starts and when an employee leaves
- When and how often to remind employees of security protocols
- What to do when an incident takes place
- How to communicate with customers or partners in the event of a breach
Content: The material used to train and communicate with employees matters because it is what they will refer back to when a question comes up. Regardless of how your organization is structured or managed, and regardless of its particular security expectations, the content should include:
- A security handbook
- Role-based guidelines
- Training programs
- A special chat channel for reporting suspected security issues and getting feedback on any questions employees might have
Controls: Even a good security awareness program does not guarantee that every security issue will be avoided; people make mistakes, and attackers count on it. Controls are the guardrails that limit the damage when that happens: they ensure that people and systems can only do what their roles require, and only with the appropriate approval, so that a single lapse in awareness does not turn into a full compromise.
When should security training be conducted? There are at least 3 occasions that organizations should keep in mind:
- When employees join the team
- After an incident occurs
- At regular intervals throughout the year
Onboarding: When new people join your team, they need security awareness training that explains how your organization handles security before they start handling its data and systems. The training is more effective when it covers not only the general policies but also the role-specific information that applies to the new hire's job.
Post-Incident: The second occasion is after an incident occurs. It is important to analyze the actual issue that arose and show how it can be avoided in the future. By informing employees about the incident in a manner that is both legal and appropriate for the given circumstances, you help them avoid being caught by the same or similar attacks later.
Ongoing: Beyond the two occasions above, security training should be an ongoing program delivered at regular intervals. Its content should be refreshed as new threats emerge and as the organization changes. Security awareness training is not a one-and-done activity; the goal is to make it part of the organizational culture.