May 15, 2019
In the build-up to a security education program roll-out, it's essential to arm yourself with the information you need to make sure it works.
We've already covered 11 tips for getting the most out of your program, and today we're looking at 5 of the most common mistakes organisations make when implementing their security education program.
1) Failing to Raise Awareness
If an organisation attempts to roll out a widespread security education program without any explanation or context, it’s likely to be met with resistance. After all, training requires a voluntary investment of time and energy to engage with – and without any explanation of why the training is important, or how it’ll benefit the employees themselves, there’s no reason for staff to engage with it.

In order to create meaningful buy-in, it’s essential to lay the groundwork for your education program. That means raising organisation-wide awareness of security, demonstrating the need for security training, and highlighting the benefits it will impart.
2) The ‘One and Done’ Mentality
Many organisations invest in a single training module, and grow frustrated when they fail to see an immediate and significant improvement in security.

Secure behaviours take time to develop, and a single training module won’t be enough to develop and reinforce security best practices. A security education program needs to be ongoing, using a combination of concise, engaging and accessible eLearning courses, alongside periodic testing and open security discussions.
3) Using Security Education to Put Out Fires
Security training is an extra cost for an organisation to justify, and when the economic climate is difficult, many businesses only justify the expense of security education when it’s already too late.

Whilst it’s important to improve security after a major incident, it’s far better to be proactive and enact training before a problem has occurred. A data breach can cost a large organisation millions of pounds, and severely damage its professional reputation. Even if security education appears to be a large cost, its expense pales in comparison with the costs of a data breach.

With increasing visibility into vulnerabilities and remediation costs, it’s easier than ever to present the business case for security investment. Instead of waiting for a fire to happen, it’s essential to be proactive and tackle problems before they appear.
4) Only Training IT Staff
Developer security training can have a huge impact on security, massively reducing the number of vulnerabilities making it into test and reducing the costs of remediation. Crucially though, security is an organisation-wide problem – and security education needs to be rolled out throughout your company.

Security breaches come in all shapes and sizes, including bugs in code, poor password practices, insecure mobile devices, and even social engineering attacks. Mistakes can happen in any area of your business, and it’s essential to train your employees to recognise and act upon security issues whenever, and wherever, they arise.
5) Not Thinking About Security Education
It’s important to have defined processes for identifying and remediating vulnerabilities – but it’s proactive security education that will have the biggest impact in improving the security of your organisation.

The longer a vulnerability is left unchallenged, the more it costs to rectify. Security issues identified in post-production cost 30x more to resolve than those identified during design and architecture, making it essential to rectify problems early in the software development lifecycle.

Security education provides your organisation with the tools required to act upon vulnerabilities as quickly and effectively as possible. It empowers individuals from all areas of your business to identify and raise awareness of any security threats they encounter in their day-to-day work. Threats can then be identified and effectively acted upon before they become a serious (and costly) problem.

To learn more about the most common mistakes organisations make when implementing a security education program, you can download our whitepaper.