Creating an Effective Awareness Program

Title – Creating an Effective Awareness Program
  • In this episode we’re gonna cover security awareness programs, culture, insider threat training requirements for federal contractors, and more! Don’t touch that dial!
  • Intro
    • Welcome back! This is episode 4 of The Insider Threat podcast, for the week of June 5th, 2017. As a quick update, I am working on a segment or two about unlikely insiders, which was inspired by a story that one of you gave me. Please keep those up. It lets me know of actual issues out there in your organizations and lets me use this as a medium to share the information to a large audience. As I said before, I’ll be sure to anonymize the stories to keep everyone out of deep water.
  • Infosec Question of the Week
    • It’s time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!
    • The question last week was “In the early 1970s, John Draper discovered that he could make free long distance calls by sending a certain tone through the phone. What did he use and where did he get it?”
    • The answer was that he used a whistle that he found in a box of cereal. This later earned him the nickname “Captain Crunch”.
  • Congratulations to:
    • Brady from Milwaukee
    • Harlan from the UK
    • Annetta from Jersey City
    • Isaac from Washington State
    • And Bob from Jacksonville for getting the correct answer.
  • Here’s your question for this week: In 1997, a hacker group was angry about hackers being falsely accused of electronically stalking a Canadian family. They broke into the Canadian Broadcasting Corporation’s web site and left a message saying: “The media are liars.” The family’s own 15-year-old son was eventually identified as the stalking culprit. What was the name of this group?
  • Send your response to Be sure to include your first name, location, and the hashtag “notreallybacon”.
  • Articles
    • Our first article this week is related to an insider threat training requirement for federal contractors
  • Our next article comes from Kai Roer at A Culture of Security, Not of Blame
    • I really liked the general idea of this one and there were some good nuggets to take from it
    • “Technology continuously introduces huge amounts of security challenges and risk factors, which we keep blaming employees for not handling correctly. Blaming people for not handling poor technology correctly is – in my opinion – simply wrong. In fact, by blaming the employee for clicking on a phishing link, or opening an attachment, is similar to building a car with poor brakes, and then blaming the driver when the car crashes. Guess what, with cars the manufacturer does not get away with blaming the weakest link or the stupid driver.”
    • There are quite a few things I can agree with in here, to include the note about not blaming users for doing the wrong thing. I think he could have taken it further by saying that it is our fault – as security professionals – for not training them in a way that makes an impact. Instead of taking the time to do that, we write off our users as lost causes and invest in more technology to compensate.
    • The author appears to be anti-awareness and pro-culture. I guess my argument would be that awareness programs can be an instrumental part of building that culture.
    • What do you think? I’d love to get your opinion on this one in particular, so please let me know.
  • Instructional Segment
    • Speaking of awareness programs, today I want to try a segment that provides some actionable steps for improving your organization right away. I asked some folks on LinkedIn and Twitter some questions related to information security awareness programs, and this is a compilation of sorts of the responses that I received.
  • What goes into effective information security awareness training?
  • Purpose
    • Why does the organization have the program?
    • You can mention compliance requirements here, but I would make it subtle
    • What business functions and their associated systems need to be protected?
  • Do’s and don’ts when using information systems, and why?
    • Acceptable Use Policy
    • Account Management Policy
    • Data Retention or Encryption Policies
    • Cater to the applicable policies for the audience
  • Description of the threat
    • Start with a question about the most important parts of their job and what IT assets are critical for their success in accomplishing them
    • Now talk about the critical systems for the organization as a whole, such as payroll, benefits, timekeeping, shipping, estimating, email and other communications, or whatever else the organization relies on for business
    • “If we didn’t have <fill in the system>, the organization would come crumbling down”
    • The loss of those systems defines the threat, from stopping a single employee from being able to do their work to the entire organization being unable to accomplish its mission
  • Examples of the threat
    • Here you can talk about any stories you have, as well as anything that the audience members can share
      • Something like “that time that Tom got a virus and had to try to work without a computer for 3 days. He thought he would get fired”
    • Examples of real incidents
      • WannaCry
      • Popular breaches, like Target, Home Depot, and Chipotle
      • The suspicion that other countries are trying to impact election outcomes
    • Bring it home (both the family and the firm)
      • What if a hacker was able to get your bank account information?
      • What if they could see your children through your computer’s webcam?
      • What if they were able to hack into your alarm system to break into your home without setting off any bells?
  • Responses to incidents
    • This is where you tie in your own organization’s policies and procedures to actionable responses to suspected security events
      • The members of the audience are the ones that have to use these systems every day.
      • I had a user in the past that reported a suspected virus on their system…
        • Sent an email to them afterword expressly thanking them for their contribution to the security program
  • What makes an effective information security awareness program?
  • Relevance
    • Give them information that will actually apply to their work and home lives
      • One idea I had recently was to start at the very basics for securing their home networks. Even if employees don’t care about the information security program for the company, they should be concerned about protecting their personal lives.
      • Maybe start with teaching them how to secure their social media accounts, and home wifi or computers and go from there
      • The basics are the same and it greases the wheels in a way that will let you segue to organizational security later
  • Engagement
    • Get them involved
      • This applies to any type of training. If you just stand at the front of the room and lecture them, they will fall asleep
    • Get them to ask and answer questions
      • Who knows, they might think of something that you didn’t when you were putting your speaking points together
    • Break them up into groups for further discussion and exercises
      • You could give them some symptoms of a potential security issue and have them come up with the proper reporting procedures, based on how your organization does it
  • Timeliness
    • Frequency
      • Most are annual
      • Might be different for your organization, depending on any compliance requirements
      • One organization I heard of had a security question….
        • Even if they cheat, it still gets them talking
        • Their participation could even be used for annual performance evaluations or keep them from having to do the formal annual awareness exam
    • The key is to get them thinking about security all the time, not just the 20 minutes a year they are taking a test or sitting in a classroom
  • Support
    • Most important
    • Management support for the information security program
      • If the CEO or general manager walks into the class and just says something like “Pay attention to this. It’s very important.”
  • Bottom line: the most effective awareness program is one that works best for YOUR organization.
  • Thought of the Week Segment
    • Our thought of the week comes from Bruce Schneier, who said “if you think you can solve the security problems with technology, you don’t know technology”
  • Outro
    • Thank you for listening to episode 4 of The Insider Threat podcast. Please remember to subscribe and review in your favorite podcast app, and also share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions.
    • You can contact me on twitter @stevehigdon or email me at
    • Thanks again and I’ll see you folks next time!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s