The most vulnerable asset in any company isn’t the network or the application – it is the people. People, being the imperfect beings we are, forget passwords, forget to lock computers, and fall victim to social engineering attacks. Studies repeatedly show that adults willingly open malicious emails, give away personal information over the phone, and hand attackers enough information to breach their company’s network. This is why IT Auditors (should) care so much about policies, procedures, and training.

Note: Check out our free Information Security Training here.

Video: John McAfee explains how social engineering likely led to the Sony breach.

Training is Serious Business

From my experience, most companies take a lighthearted approach to information security training – usually in the form of online training (or even a SurveyMonkey quiz). In general, these methods “check the box”, but do little to give employees the tools to defend themselves from hackers and phishing scams.

The most effective training sessions are typically in person, show real world examples, give clear and concise guidance (like our previous post on strong vs. weak passwords), provide a demonstration (often by social engineering the group in real time), and clearly communicate the consequences of violation.

Further, if an organization wishes to be truly proactive, it should create a culture of security. This is where the internal auditor can get creative: helping management identify areas that could be improved, and finding ways to incentivize employees to take ownership of the responsibility to create a secure workplace.

These are the type of value-add suggestions a consultant or auditor can give to clients.

IT Audit Considerations

Training Controls:

1 Employees complete Information Security training on a semi-annual basis. Upon completion, employees sign the Information Security Agreement indicating that they have received the training and agree to abide by the company’s policies.
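An auditor testing this control typically reconciles the HR roster against the training system’s completion records. The following is an added example of that reconciliation, not code from the original post: it flags active employees with no training on record, a last completion older than the semi-annual period, or an unsigned agreement, and it also flags training records for IDs that do not exist on the roster (a completeness check in the other direction). The roster and training log are constructed sample data, and the 183-day period and 30-day new-hire grace window are assumptions the auditor would replace with the company’s own policy values.

```python
from datetime import date, timedelta

# Constructed sample HR roster (assumption: these fields exist in the export).
ROSTER = [
    {"id": "E001", "name": "Ada", "hired": date(2013, 3, 1), "status": "active"},
    {"id": "E002", "name": "Bob", "hired": date(2014, 1, 15), "status": "active"},
    {"id": "E003", "name": "Cy", "hired": date(2014, 11, 20), "status": "active"},
    {"id": "E004", "name": "Dee", "hired": date(2012, 6, 5), "status": "terminated"},
    {"id": "E005", "name": "Eve", "hired": date(2014, 12, 10), "status": "active"},
]

# Constructed sample training-system log; one row per completion.
TRAINING_LOG = [
    {"id": "E001", "completed": date(2014, 9, 1), "signed": True},
    {"id": "E001", "completed": date(2014, 3, 1), "signed": True},
    {"id": "E002", "completed": date(2014, 2, 1), "signed": True},    # stale
    {"id": "E003", "completed": date(2014, 11, 25), "signed": False}, # unsigned
    {"id": "E004", "completed": date(2014, 10, 1), "signed": True},   # terminated
    {"id": "E999", "completed": date(2014, 10, 1), "signed": True},   # not on roster
]

AS_OF = date(2014, 12, 31)  # audit period end (assumption)


def reconcile(roster, log, as_of, period_days=183, grace_days=30):
    """Return {employee_id: [findings]} for the training control.

    period_days: max age of the latest completion ("semi-annual", assumed 183).
    grace_days:  new hires inside this window are not flagged for missing training.
    """
    period, grace = timedelta(days=period_days), timedelta(days=grace_days)

    # Keep only the most recent completion per employee.
    latest = {}
    for rec in log:
        cur = latest.get(rec["id"])
        if cur is None or rec["completed"] > cur["completed"]:
            latest[rec["id"]] = rec

    findings = {}
    roster_ids = {emp["id"] for emp in roster}
    for emp in roster:
        if emp["status"] != "active":
            continue  # terminated staff are out of scope for this control
        issues = []
        rec = latest.get(emp["id"])
        if rec is None:
            if as_of - emp["hired"] > grace:
                issues.append("no training on record")
        else:
            if as_of - rec["completed"] > period:
                issues.append(f"last completion {rec['completed']} older than {period_days} days")
            if not rec["signed"]:
                issues.append("Information Security Agreement not signed")
        if issues:
            findings[emp["id"]] = issues

    # Completeness the other way: training records that match nobody in HR.
    for eid in latest:
        if eid not in roster_ids:
            findings[eid] = ["training record for id not on HR roster"]
    return findings


if __name__ == "__main__":
    for eid, issues in sorted(reconcile(ROSTER, TRAINING_LOG, AS_OF).items()):
        print(eid, "->", "; ".join(issues))
```

Against the constructed data this reports E002 (stale), E003 (unsigned) and E999 (orphan record); E005 is left alone only because of the grace window, so the auditor should confirm that window is actually what policy allows.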

What to look for in Good IT Security Training:

1 The training should cover technical topics like social engineering, phishing, and spamming by explaining to employees how to spot scams and what actions to take when they do.
2 Covers office etiquette, including the clean desk policy, disposal of paperwork, and not revealing sensitive data.
3 Includes recent trends and real world incidents like the Target, Sony, and Home Depot data breaches to provide context for the real world implications of information security.
4 Includes details on how to report a security breach to management (a hotline, online form, or IT representative’s email).
5 Covers details regarding technical communications including email, file transfer methodologies, etc.
6 Best practices around online privacy including usage of social media and blogging.
7 The training should cover the company’s major information security policies and where to find them (i.e., data classification policy, email use policy, physical security policy, access policy, etc.).
8 If possible, the training should include live demonstrations that make a lasting impact on the participants (i.e., real time social engineering, phishing emails, etc.)
9 The training should cover physical security safeguards, including methods to report suspicious activity and to protect hardware (like laptops and cell phones).
10 The training should include the consequences (to the employee and company) of failure to follow IS policies.
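Item 1 above asks that training teach employees how to spot a phishing email. The cues trainers usually walk through are mechanical enough to check in code, and the following added example (not from the original post) does exactly that against a constructed sample message: an address hidden in the display name that differs from the real sender, a Reply-To pointing somewhere else, lookalike domains built from digit-for-letter swaps or the company name glued to another domain, link text that shows one site while the href points to another, and urgency language in the subject. The company domain, the homoglyph table and the urgency word list are assumptions; a real deployment would tune them.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed substitutions attackers use to imitate a domain (1->l, 0->o, ...).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
URGENCY = re.compile(r"\b(urgent|immediately|expires today|suspended)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample phishing message (not a real capture).
SUSPICIOUS = """\
From: "helpdesk@examplecorp.com" <alerts@examp1ecorp-support.com>
Reply-To: recover@mail-examplecorp.net
To: employee@examplecorp.com
Subject: URGENT: your password expires today
Content-Type: text/html

<html><body>Click <a href="http://examp1ecorp-support.com/login">https://examplecorp.com/sso</a> to keep access.</body></html>
"""

# Constructed legitimate message for comparison.
CLEAN = """\
From: IT Helpdesk <helpdesk@examplecorp.com>
To: employee@examplecorp.com
Subject: Reminder: security training due next month
Content-Type: text/html

<html><body>See <a href="https://training.examplecorp.com/">https://training.examplecorp.com/</a></body></html>
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like(host, company):
    """True if host imitates the company domain without being it or a subdomain of it."""
    host, company = host.lower(), company.lower()
    if not host or host == company or host.endswith("." + company):
        return False
    return company.split(".")[0] in host.translate(HOMOGLYPHS)


def phishing_indicators(raw, company):
    """Return a list of (code, explanation) findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    name, sender = parseaddr(msg.get("From", ""))
    from_dom = domain_of(sender)
    m = re.search(r"@([\w.-]+)", name)  # an address smuggled into the display name
    if m and m.group(1).lower() != from_dom:
        findings.append(("display-name-mismatch",
                         f"display name shows @{m.group(1)}, real sender is @{from_dom}"))

    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"replies go to {reply_dom}, not {from_dom}"))

    hosts = {from_dom, reply_dom}
    body = "" if msg.is_multipart() else msg.get_payload()  # single-part only here
    for href, shown in ANCHOR.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(shown.strip()).hostname or "").lower()
        hosts.add(href_host)
        if shown_host and shown_host != href_host:
            findings.append(("link-mismatch",
                             f"link text shows {shown_host} but points to {href_host}"))

    for host in sorted(hosts):
        if looks_like(host, company):
            findings.append(("lookalike-domain", f"{host} imitates {company}"))

    if URGENCY.search(msg.get("Subject", "")):
        findings.append(("urgency", "subject pressures the reader to act immediately"))
    return findings


if __name__ == "__main__":
    for code, why in phishing_indicators(SUSPICIOUS, "examplecorp.com"):
        print(f"{code:22} {why}")
    print("clean message findings:", phishing_indicators(CLEAN, "examplecorp.com"))
```

The lookalike test is deliberately a heuristic: it will also flag a legitimately separate domain that happens to contain the company name, which is the right trade-off for a training aid but means a human still makes the call. The point for the training audience is that every one of these cues is visible in the message itself, before anything is clicked.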

Any suggestions on making policies and training more effective?