Duration: 2.5 hours for 20 topics
No one doubts that the digital security posture of an organisation is now a board-level issue, and that’s a big change from five years ago. However, executive anxieties need to be matched with a long-term, structured strategy that everyone in the company ecosystem is willing to invest in, so that the highest standards of Information Security are maintained. Inevitably, this will require a change in company culture, as most staff members view this issue as belonging to the IT Department. They often forget that the consumption of IT Services is frequently the point of maximum vulnerability for the company. It is here that the user can compromise the security of the company by falling victim to phishing tactics or by acting in an inappropriate or negligent manner, regrettable situations that expose the organisation to cyber risk.
So what are the lessons we can learn from implementing an appropriate strategy for changing human behaviour in this area?
Well, the first is to recognise that changing culture in Information Security practices is no different from any other change management process within a company. It is just as difficult, requiring significant effort and resources to make an impact. Another lesson is that quality matters. Too often staff security training is a box-ticking exercise, with very little energy being expended on planning or on content. The latter is one of the most important considerations in determining the success of a culture change initiative. Take e-Learning content, for example. The industry is awash with boring, bland, and often dumbed-down IT Security training courses. It is no wonder that there are cases of low staff participation that necessitate significant management intervention. E-Learning courses should reflect the digital threat that we all need to combat. Another key lesson is ensuring the correct targeting of high-risk groups. Rather than “blanket bombing” all staff with general cyber security communications and policies, organisations should identify high-risk staff groupings and provide tailored messaging and surveying. Examples of these staff groups would be privileged users, such as Administrators and Information Asset Owners. Clearly, the communications sent to these high-level positions would be more detailed than what would go to the overall user population.
In many cases companies are struggling to get messaging out to everyone. So a shift in priorities is required. Be prepared for the long haul. The changing of IT Security culture is a multi-year project. It’s not possible to deliver all the policies and education that are required in a short period, as the user base will become fatigued.
The best approach is to build up your communications over time. Planning, communication, implementation and measurement (to gauge progress and the Return on Investment, or ROI) are all very important elements of a successful staff security training programme. InfoSec Skills is here to help, with online Security Awareness training for staff, management reports on attendance and grades, and templated forms/documents to help plan, communicate, execute and measure change in behaviour.
Why should you attend?
- Because Information Security is everyone’s responsibility
- Because cyber security threats have increased significantly
- Because training is an ISO27001 requirement (A.7.2.2 Information security awareness, education and training)
- Because it is your company policy
Knowledge of IT would be advantageous but not essential.
The course consists of 20 topics but organisations can choose which topics they would like to appear in a security awareness programme for their staff:
| Browsers | Data Destruction | Data Protection | Cloud |
| Social Networking | Mobile Security | Hacked | BYOD |
| Physical Security | Security Monitoring | Protecting Your Computer | |
| Peer 2 Peer | Wireless Security | Weakest Link | Security Policies |
At the end of the course the student must undertake a quiz to assess their understanding of the information provided across all topics and to see if the objectives of the course have been met. A completion certificate is then provided once the student achieves a minimum score in the quiz. Attendance and grade reports are accessible to management so that the results can be fed into the metrics framework to allow for measurement of progress over time.
Branding and Hosting
We are happy to fully brand the e-Learning course to an organisation, including modifying the content and audio to reflect your own policies. If the preference is to use your own LMS, that is no problem at all, as we will provide all of the topics as individual SCORM packages that you can host yourself.
With our bulk provisioning service we can import your users and have you up and running within hours. Simply order the number of licenses that you require and email the list with first names, last names and email addresses to firstname.lastname@example.org for import into your own manageable group. All users will receive their login information by email, and designated accounts can be given management permissions with access to activity and grade reports for the whole group.
Please contact us with any questions.
Bulk discounts are also available; just ask us for the details.