In my 20+ years of working in IT Security I have seen great programs and completely non-existent programs. Most organizations I’ve worked for have yearly Ethics Training but no end user/employee based IT Security training. Organizations understand damage to reputation and fines for ethics violations but are still ignorant to the real risk of damage to reputation or fines resulting from data breaches. Ethics training is as important and can go hand in hand with a robust IT Security awareness program.
1. Starting an awareness program without full executive/management buy-in.
a. New is change and change is scary. If you have buy-in at a high level, employees will have more confidence in the program.
b. Added bonus: higher visibility with Decision Makers!
2. Start an Information Security Awareness training program just to check a box.
a. If your organization doesn’t take it seriously, your employees won’t either.
3. Start an Information Security Awareness training program with no budget.
a. An Information Security Awareness training program is risk mitigation.
b. Your CEO is averting or minimizing that horrible press release when your customer database is posted to PasteBin! This will make their lives easier.
c. Post-it note IT Security awareness “posters” by the coffee machine might work for an office with a few people, maybe.
4. Assume Information Technology or Information Security is solely responsible for data protection.
a. Every employee is entrusted with valuable data; everyone in the organization should protect it.
5. Inability for management or employees to understand the value of data they are entrusted with.
a. That new research and development into nanotechnology or whatever is worth money, at least as much as your company has spent on R&D.
6. Assume IT or IT Security personnel are trainers and can train employees.
a. These are IT/IT Security professionals, not Professional
b. If IT or IS must train employees, a train-the-trainer effort must be funded for the program to be successful.
7. Pay an outside consulting firm to start an awareness program without actual knowledge of your business.
a. Knowing your business means you can observe how technology is utilized by business units.
8. Internally start an awareness program without asking the business units.
a. Same as #6. Get to know your business units’ higher-risk targets: for example, the personal assistants to upper management or C-level executives are also targets.
9. Assume a logon splash screen: “Use this computer or network for business only!” constitutes a proper Information Security Awareness training program.
a. How many people actually read those warnings on a regular basis? I log in before coffee so I know I don’t.
10. Enforce usage guidelines without a complementary Information Security Awareness training program.
a. “You are being written up for X,” says HR. “But I didn’t even know X was wrong to do?!” says the employee. Otherwise known as: don’t hit people with a big stick if they don’t know what they did wrong.