1
00:00:00,005 --> 00:00:01,007
- [Instructor] Security depends upon

2
00:00:01,007 --> 00:00:03,008
the behavior of individuals.

3
00:00:03,008 --> 00:00:06,001
An intentional or accidental misstep

4
00:00:06,001 --> 00:00:08,008
by a single user can completely undermine

5
00:00:08,008 --> 00:00:12,001
many security controls, exposing an organization

6
00:00:12,001 --> 00:00:14,004
to unacceptable levels of risk.

7
00:00:14,004 --> 00:00:17,000
Security training programs help protect

8
00:00:17,000 --> 00:00:20,000
organizations against these risks.

9
00:00:20,000 --> 00:00:21,007
Security education programs

10
00:00:21,007 --> 00:00:24,007
include two important components.

11
00:00:24,007 --> 00:00:26,009
Security training provides users

12
00:00:26,009 --> 00:00:29,004
with the detailed information that they need

13
00:00:29,004 --> 00:00:31,009
to protect the organization's security.

14
00:00:31,009 --> 00:00:34,005
These may use a variety of delivery techniques,

15
00:00:34,005 --> 00:00:37,009
but the bottom-line goal is to impart knowledge.

16
00:00:37,009 --> 00:00:42,002
Security training takes time and attention from students.

17
00:00:42,002 --> 00:00:45,004
Security awareness is meant to remind employees

18
00:00:45,004 --> 00:00:49,001
about the security lessons that they've already learned.

19
00:00:49,001 --> 00:00:50,009
Unlike security training,

20
00:00:50,009 --> 00:00:53,004
awareness doesn't require a commitment of time

21
00:00:53,004 --> 00:00:55,006
to sit down and learn new material.

22
00:00:55,006 --> 00:00:58,005
Instead, awareness efforts use posters,

23
00:00:58,005 --> 00:01:01,008
videos, email messages, and similar techniques

24
00:01:01,008 --> 00:01:04,001
to keep security top of mind

25
00:01:04,001 --> 00:01:07,003
for those who've already learned the core lessons.

26
00:01:07,003 --> 00:01:10,002
Organizations may use a variety of different methods

27
00:01:10,002 --> 00:01:12,002
to deliver security training.
28
00:01:12,002 --> 00:01:14,008
This may include traditional classroom instruction,

29
00:01:14,008 --> 00:01:18,006
providing dedicated information security course material,

30
00:01:18,006 --> 00:01:22,003
or it might insert security content into existing programs,

31
00:01:22,003 --> 00:01:24,007
such as a new employee orientation program

32
00:01:24,007 --> 00:01:26,008
delivered by human resources.

33
00:01:26,008 --> 00:01:29,008
Students might also use online training providers

34
00:01:29,008 --> 00:01:32,000
to learn about information security,

35
00:01:32,000 --> 00:01:34,007
or attend classes offered by vendors.

36
00:01:34,007 --> 00:01:37,000
Whatever methods an organization uses,

37
00:01:37,000 --> 00:01:40,003
the goal is the same: to impart security knowledge

38
00:01:40,003 --> 00:01:43,009
that employees can put into practice on the job.

39
00:01:43,009 --> 00:01:45,007
Let's take a look at a couple of examples

40
00:01:45,007 --> 00:01:48,003
of security training and awareness methods.

41
00:01:48,003 --> 00:01:51,004
The SANS Institute Securing the Human Program

42
00:01:51,004 --> 00:01:55,000
provides online training in a number of different languages

43
00:01:55,000 --> 00:01:58,000
covering a wide range of security topics.

44
00:01:58,000 --> 00:02:01,003
Organizations can add their own customized introduction,

45
00:02:01,003 --> 00:02:04,000
and then depend upon the program to provide current,

46
00:02:04,000 --> 00:02:05,009
updated security training,

47
00:02:05,009 --> 00:02:08,000
organized into many different modules

48
00:02:08,000 --> 00:02:09,004
covering different components

49
00:02:09,004 --> 00:02:12,002
of information security and compliance.
50
00:02:12,002 --> 00:02:15,000
Managers can pick and choose from these modules

51
00:02:15,000 --> 00:02:16,005
to design a training program

52
00:02:16,005 --> 00:02:17,008
that makes the most sense

53
00:02:17,008 --> 00:02:19,000
for their organization's

54
00:02:19,000 --> 00:02:21,008
security and regulatory environment,

55
00:02:21,008 --> 00:02:25,002
customizing the training that each user receives.

56
00:02:25,002 --> 00:02:28,003
Let's take a look at another provider, phishme.com.

57
00:02:28,003 --> 00:02:31,006
Here you'll find an interesting twist on security awareness.

58
00:02:31,006 --> 00:02:34,002
Instead of simply providing security training,

59
00:02:34,002 --> 00:02:36,003
PhishMe allows you to measure the success

60
00:02:36,003 --> 00:02:37,007
of your training efforts

61
00:02:37,007 --> 00:02:41,003
by actually conducting simulated phishing attacks.

62
00:02:41,003 --> 00:02:43,003
Users receive fake phishing messages

63
00:02:43,003 --> 00:02:46,003
in their inboxes, and if they respond,

64
00:02:46,003 --> 00:02:49,000
they're directed to security training materials

65
00:02:49,000 --> 00:02:51,001
that warn them of the dangers of phishing

66
00:02:51,001 --> 00:02:54,003
and help prevent them from falling victim to a real attack.

67
00:02:54,003 --> 00:02:56,008
Backend reporting helps security professionals

68
00:02:56,008 --> 00:03:00,005
gauge the effectiveness of their security education efforts

69
00:03:00,005 --> 00:03:02,002
by measuring the percentage of users

70
00:03:02,002 --> 00:03:04,009
who fall victim to the simulated attack.

71
00:03:04,009 --> 00:03:08,006
Those are just two examples of security education providers.

72
00:03:08,006 --> 00:03:09,008
There are many more out there

73
00:03:09,008 --> 00:03:11,005
that can help you quickly build

74
00:03:11,005 --> 00:03:15,004
an effective security training and awareness program.
75
00:03:15,004 --> 00:03:17,001
While all users should receive

76
00:03:17,001 --> 00:03:19,006
some degree of security education,

77
00:03:19,006 --> 00:03:22,002
organizations should also customize training

78
00:03:22,002 --> 00:03:25,003
to meet specific role-based requirements.

79
00:03:25,003 --> 00:03:28,006
For example, employees handling credit card information

80
00:03:28,006 --> 00:03:32,005
should receive training on PCI DSS requirements.

81
00:03:32,005 --> 00:03:34,009
Human resources team members should be trained

82
00:03:34,009 --> 00:03:39,004
on handling personally identifiable information, or PII.

83
00:03:39,004 --> 00:03:41,005
IT staff need specialized skills

84
00:03:41,005 --> 00:03:43,008
to implement security controls.

85
00:03:43,008 --> 00:03:46,001
Security training should be custom-tailored

86
00:03:46,001 --> 00:03:49,001
to an individual's role in the organization.

87
00:03:49,001 --> 00:03:50,004
You'll also want to think about

88
00:03:50,004 --> 00:03:52,006
the frequency of your training efforts.

89
00:03:52,006 --> 00:03:55,007
You need to balance the time required to conduct training

90
00:03:55,007 --> 00:03:57,009
with the benefit gained by reminding users

91
00:03:57,009 --> 00:04:00,003
of their security responsibilities.

92
00:04:00,003 --> 00:04:02,009
One approach used by many organizations

93
00:04:02,009 --> 00:04:04,006
is to conduct initial training

94
00:04:04,006 --> 00:04:07,007
whenever an employee joins the organization

95
00:04:07,007 --> 00:04:10,006
or assumes new job responsibilities,

96
00:04:10,006 --> 00:04:12,007
and then use annual refresher training

97
00:04:12,007 --> 00:04:14,005
to cover the same material

98
00:04:14,005 --> 00:04:17,007
and update users on new threats and controls.

99
00:04:17,007 --> 00:04:19,003
Awareness efforts throughout the year

100
00:04:19,003 --> 00:04:22,008
then keep this material fresh and top of mind.
101
00:04:22,008 --> 00:04:26,000
One last note on security education programs.

102
00:04:26,000 --> 00:04:29,002
The team responsible for providing security training

103
00:04:29,002 --> 00:04:31,007
should review materials on a regular basis

104
00:04:31,007 --> 00:04:34,005
to ensure that the content remains relevant.

105
00:04:34,005 --> 00:04:36,006
Changes in the security landscape

106
00:04:36,006 --> 00:04:38,005
and the organization's business

107
00:04:38,005 --> 00:04:41,004
may require updating security training materials

108
00:04:41,004 --> 00:04:43,003
to keep them fresh and relevant.