How to train your staff with IT Security

Ivan Bütler
Compass Security

October 25th, 2017

If you run a security awareness campaign, you are considering and managing the human factor, sometimes referred to as human risk. Unfortunately, most awareness programs teach the audience a lot about the security problem and very little about the solution. The presenters, cyber experts and hackers, dig into the details of some very sophisticated cyber attacks because they want to prove their expert status to the audience and justify why they are on stage as trainers. But this is not in the interest of the people. Yes, it is entertaining and fun, but in the end it should help the audience improve and make things harder for intruders. Thus, the presenter should give more priority to the solution and advise the people accordingly.

Live Hacking for the Swiss television broadcasting company SRF 1

Stop telling people what not to do. Instead, tell them what they should do. Give advice.

Enable them to do it, i.e. don’t just teach the importance of unique passwords, teach password managers.

Mini How-To

  1. I like to start the awareness program with some sort of live hacking. Showing the audience the impact of careless clicking makes them very emotional and open to your advice.
  2. Next, the presenter should not dig into the details of the attack. Instead they should start talking about the solution and approaches to minimize or reduce the risk.
  3. Conclude your awareness program with what they have learned and let the crowd ask some questions.

Question Experience

I do approximately 20 awareness presentations per year, and these are the top five questions I hear most often from the audience.

  1. Is the iPhone more secure than the Android phone?
  2. Is OSX more secure than a Windows PC?
  3. Do I need to have an anti-virus software on my OSX?
  4. If I do e-banking
  5. If I use my credit card in online web shops

Thank you for Reading

Ivan Bütler
CEO Compass Security
ivan.buetler@compass-security.com
