One of the challenges we face in information security is our world is in a constant change - new technologies are released, business requirements change and bad guys are constantly evolving and adapting. As a result, to keep your security solutions effective you have to keep them updated. Security awareness is no different, I recommend updating your awareness content at least once a year. Here at SANS we update our content twice a year, including a complete review of each training module by our Board of Advisors. As a result, we end up updating about 30% of our content every six months. I wanted to share with you some of my observations and lessons learned from this process.
- One of the first things I'm noticing is how interrelated policies and data protection are, in many ways the two are the same. The vast majority of security awareness is about basic security concepts and common sense. Examples include how to use email safely, the importance of keeping your mobile devices updated, what is encryption, how to protect your passwords, etc. In addition most of these awareness topics apply not just to work but to people's personal lives. Policies and data protection are different, these are very specific organizational controls. In the past I would usually have two separate training modules, one on data protection and one on policies. But over time I've repeatedly seen that most policies are focused on data protection, and most data protection is driven and implemented through policies. As such we combined these two modules into a single module - Data Protection.
- Mobile devices is where I currently see the most volatile change. First, the technology itself has developed tremendously, smartphones and tablets are literally nothing more then a portable computer, as such they have the same security requirements. The challenge in awareness is most people do not realize this. In addition, personal devices are beginning to invade the work environment. As such this is an area we are constantly updating awareness training, and one we see alot of concern from organizations.
- The concepts of social engineering never change, but the latest attacks leveraging it do. It seems like we are seeing more and more phone based social engineering attacks, for example criminals pretending to be tech support and calling people to inform them their computer is infected. They then need remote admin access, and/or have the victim install specific software. As such this is a common training module I always like to update.
- One of the areas I have seen the most positive feedback on is awareness training designed specifically for the family and personal use. In the past we had a module called "Protecting Your Kids Online" which was a big hit with people. We had so much positive feedback that we created two new modules, one on "Protecting Your Home Network" and another called "Protecting Your Home Computer".