Security awareness training...how to start.

Someone recently asked about how to get going on some training for their corporate users. I would approach it like this:

1. Internally "publicize" some recent incidents to your user community. Reference sources such as http://www.privacyrights.org/ar/ChronDataBreaches.htm#2009 and break down how each incident occurred and where the mistakes were made. Pick examples from companies in the same or similar businesses as yours. Don't get overly technical here. The intent is to get everyone to understand that their actions, no matter how small, contribute to keeping the company out of the newspaper. An incident will hurt the company, and therefore could impact their jobs.

2. Put together some high-level (plain English) training material, such as a Frequently Asked Questions document covering the areas in which you get the most questions from your participants in step 1. Make sure every question is clearly answered.

3. Follow this up with a more formal awareness program to help reinforce good decisions. Host a lunch-and-learn that breaks down your policies in plain English. Make it as interactive as possible, and add some role playing.
