We all are focusing on the wrong things. If we look at the fundamental shift in the security paradigm over the past five years, we can’t ignore the fact that traditional network boundaries are erased, while inherent trust from social media drives many of our decisions. Protection is no longer working, so we shift to detection and response. Each of us carries at least one computer in our pocket that is as powerful as our desktop from five years ago; and it is always on, always connected.
Technology and protection are necessary, but we must shift our focus to what matters most – Dave, the weakest link. Our duty as security practitioners is to focus on continuous user education and awareness, but we must be careful with the approach we take.
When you are creating a security awareness program, consider these things:
- Make it relevant. Make it resonate with your audience. Give real-life examples from work or personal experience to show why your message does or does not make sense.
- Praise and reward. Use positive reinforcement. Take five out of a hundred people who clicked on a phishing email and report “we had ninety-five percent resilience rate”, instead of “we had five percent failure rate”.
- Test, train, and test again. Consistency is important. Use training exercise results to tweak your program.
- Just in time training is the best way to modify behavior. Correct mistakes as soon as users make them.
- Be creative. CBT’s are boring. Engage your audience. If you’re using PowerPoint, make it dynamic. There are many good short videos available on YouTube for free.
Focus on Dave!
Copyright © 2004-2018 American Land Title Association. All rights reserved.
This article has been used and reprinted with the permission of The American Land Title Association. The material is for general information purposes only and is not to be relied upon or used for any particular purpose. Title Industry Assurance Company, RRG and The American Land Title Association shall not be held responsible in any way for, and specifically disclaims any liability arising out of or in any way connected to, reliance on or use of any of the information contained or referenced in this article. The information contained or referenced in this article is not intended to constitute and should not be considered legal or professional advice, nor shall it serve as a substitute for the recipient obtaining such advice.