During my 20 plus years of working in the various fields that I will collectively call 'computer security,' I have never found anything to be more effective than company-wide employee awareness training. Not only is it effective, it may also be the least expensive security countermeasure that any size company can employ.
I'll even make a very bold statement that is certainly my personal opinion simply based on many years of experience. I truly believe that without a good and sound employee awareness program, where every employee is taught the ways that they can help with the overall security of their company, most other more expensive countermeasures will be much less effective.
Before I proceed with a war story or two, let me first mention a very important disclaimer. As you look at my bio, you might be thinking that I am making these statements to try to sell you something. Nothing could be farther from the truth, and you will see that as you read the rest of this article. Our company name is TheTrainingCo., but we no longer provide any of this type of training directly for companies or individuals. In fact, we no longer offer any training at all through our company. What I am going to do is to help you to develop your own internal security awareness training program using some of the processes that we used to successfully train more than 10,000 employees of many small, medium and very large companies. Most of you have within your own companies the material and the talent to effectively do this.
Will your employees be interested in this? My guess is yes. I have never gone into a company to help them with security awareness training without having a strong feeling that the employees who worked there were truly interested in learning about what the company had at risk and some of the possible threats that the company might face. Any of those threats that could cause the company to lose money or even go out of business could cost all of the employees their jobs. I don't think that you would get an argument from anyone about that possibility any longer.
When you start your training sessions, you will quickly find that the employees will begin to offer their own suggestions regarding new vulnerabilities that the company leadership might not have even considered. They will often have excellent suggestions on how to lower the risk of these vulnerabilities being exploited.
In case you hadn't noticed, we have something else brewing here. Just about everything that we are talking about in our new employee awareness training program is also a big part of the company's overall risk management process. Such a deal!
Risk, Threats, Vulnerabilities and Countermeasures
Risk management is the name of the game today. I'll be addressing it in detail in future articles, but the bottom line is that the best that we can do with all of the information security-related risks that we face today is to manage them. There are too many for any company to realistically eliminate. Even if you could do that today, there probably will be a brand new threat and/or vulnerability discovered tomorrow. I'll say it one more time before moving on: Your well-trained and aware employees are your least expensive and most effective countermeasure for whatever is going to come at you in the future.
I have attended several large meetings during the past year where senior security managers have made statements that their companies now consider the entire information security subject to be a risk management issue, and that they were getting their risk managers involved with the mitigation of these issues. As we plunge deeper into a world where everything is dependent on information systems, the threats and vulnerabilities will increase. Your employees will always be there to help.
War Game Dialing
Who would have thought that we would still be faced with a threat that was first introduced to most people in the 1984 movie War Games? (Can you believe that 18 years have passed since the movie came out?) Let's use this as our first simple but successful employee awareness training 'war story.'
The threat of people or programs dialing modems looking for another modem to possibly compromise has been with us for almost two decades now. It still happens, and some of the old 'war game dialer' programs are readily available. When we talk about a certain group of numbers being targeted within a company, we explained to our students that the dialer could easily dial the number on their desk while searching for numbers connected to possible modems. If this happened to a group of people within a company, individually, they would probably ignore the call, thinking that it was just a wrong number. If the program that called them was working properly, it wouldn't call their number again and all would be back to normal. Or would it?
Here's what we recommended that employees do if they ever hear the sound that a modem makes when it calls a person. (We had a modem call the line in the classroom to let them hear it.) We told them to simply let their supervisor know if they ever heard it again. They were not to panic or even get worried. All that they were told to do was to let their supervisor know that the call had come in on their phone.
About five months later, the supervisor who had us do the training called me and told me that four of his people had come to him in the past two hours telling him that they had been called. The supervisor notified the computer room to be on the lookout for possible war game dialing into their modem pool. We were never told if the modem pool dial was attempted, but we do know that this group wouldn't hesitate to get law enforcement involved if they suspected a possible computer crime. We also taught them how to do that during the 90-minute class which every employee in their office attended just five months earlier.
The lesson learned here is so simple. If the employees had not had their awareness level raised by formal and interesting (so that they remembered it) training, individually they would have suspected nothing. As a well-trained team, they quickly helped prevent a possible intrusion into their corporate computers. That training took place over five years ago, but I'd be willing to bet that if the war game dialing happened again today, they would be just as effective. More to come ...
Stay safe out there.
Jack Wiles is president and co-founder of TheTrainingCo and is a 30+ year security veteran. You can email him at firstname.lastname@example.org or find out more about him by visiting www.thetrainingco.com/biojackwiles.html.