Continuous Improvement: Security Training Edition
Review the Training Program Annually
Though the need for updates is sometimes obvious, other times it happens more gradually. The way to deal with gradual changes is to review the information security training program annually. Changes to the organization’s size, workforce, products, data, processes, software, or new acquisitions can all affect the content needed to keep the organization secure. Are employees now using personal devices to access work resources? Have services moved to the cloud? Are there new processes for authentication, like biometrics or MFA? These are all situations that would justify an update to security training.
Stay Up to Date on Current Threats.
Updating training isn’t just a reflection of your organization. It can help protect against the most recent threats, even before security appliances and software can detect them. Changes in the environment, such as changes in governmental or industry regulation, can also drive changes in training. Internal threat hunting, threat feeds, or industry reporting can all generate leads on the most relevant content for users to learn.
Do Regular Assessments and Follow Up on the Results.
A common and simple way to assess employee security awareness is a phishing assessment. Sending out a non-malicious phishing email can identify users for additional training and provide useful metrics. Additionally, it keeps users’ skills sharp.
If you choose to do phishing assessments, it’s important to follow up on the results. Departments or users with difficulty identifying risky emails may require additional training, or they may be considered for a more restrictive security profile to mitigate the risk.
Do you want an external resource to help with phishing assessment, gap analysis, or security training development? Contact Sedara today!