User training for your organization

    Information security is 90% work with people.

    I will never tire of repeating the phrase above. No matter how technically perfect your security system is, no matter how flawlessly and clearly the security management system is built, there is always the human factor. People get distracted, forget, brush things off, or simply ignore certain rules and instructions.

    Below the cut I describe a fairly effective way to reduce the share of incidents caused by the human factor.

    Be available

    Do not lock yourself in your office and walk the corridors with a self-important look. See how the people in marketing or sales work. Remember that you need to present your idea as if you were selling it.
    Do not send the awareness presentation by email; deliver it in person and leave plenty of time for questions and comments, even if they repeat 99% of what was in the presentation.
    In the awareness presentations, be sure to include your contact details.

    From personal experience: after a couple of awareness presentations, employees came by and wrote in not only with incidents, but also with comments, additions and tips about the presentation itself, the information security system, and so on.

    Be simpler

    Keep in mind that many things that are elementary to you as an IT and/or security professional may simply be incomprehensible to other employees of your organization. Do not pepper your speech with narrowly specialized or slang terms. Try to explain and convey everything in simple words with simple examples. Start the basics with simple things: explain what information is and what its properties are. And not as a bare enumeration (confidentiality, integrity and availability), but by showing each property with an example from your organization or an everyday one.

    Be regular

    Do not assume that after one training or educational program you can forget about it entirely. Basic "courses" should be repeated periodically (for example, once a year) with all employees. It is also good practice to hold similar presentations for newcomers.
    Nowadays introductory courses are common practice: they usually take 1-2 days, during which newcomers are gathered and told about the organization, its functions, departments and rules. Give your presentation at such introductory courses so that new arrivals know you, know what to do and where to turn in case of an incident.

    Build a series of presentations covering different areas of information security. For example, once a quarter, hold an optional educational session for employees: tell them about the risks and vulnerabilities and how to deal with them at the user level.
    Do not forget that besides viruses, trojans and spam there is physical intrusion, phishing and even plain theft. Use these presentations to raise employees' vigilance and attentiveness.

    From personal experience: after one of the presentations on protecting confidential and internal information, an employee reported that HR department documents marked "For internal use" had been left in the lobby (which is shared with another organization).

    Remember the main principle of building an information security system: security starts with every employee!

    UPD: Corrected unclear wording, errors and typos. Thanks to ericbro.
