Security Awareness 培训

了解如何为员工提供安全意识培训,以满足法规遵从性要求.

探索平台

What is Security Awareness 培训?

Employees are part of an organization’s attack surface, 确保他们拥有保护自己和组织免受威胁的专业知识是健康安全计划的关键部分. If an organization needs to comply with different government 和 industry regulations,例如 FISMA, 一种总线标准, HIPAA or 萨班斯-奥克斯利法案,必须为员工提供安全意识培训,以满足监管要求.

取决于组织中可用的内部安全资源和专业知识, 引入第三方来协助安全意识培训服务可能是有意义的. Regardless of whether outside assistance is leveraged, 组织的领导者应该了解建立安全意识培训计划的内容, 参与, 和 offer feedback throughout the process.

Types of Security Awareness 培训

每个组织都会有一种更符合其文化的培训方式. There are many options, including:

  • 课堂培训这使得教师可以看到学习者是否在整个过程中投入并做出相应的调整. It also allows participants to ask questions in real time.
  • 在线培训: This scales much better than in-person training, 而且,由于学习者可以在任何方便的地方学习内容,因此它可能会对员工的工作效率造成较小的破坏. 这也可以让学习者按照自己的节奏学习材料.
  • 视觉教具休息室里的海报不能成为安全意识培训的唯一来源, but when done effectively, they can serve as helpful reminders.
  • 钓鱼活动当前位置没有什么比意识到自己上当受骗更能吸引学习者的注意力了. 当然,没有通过网络钓鱼测试的学习者应该自动参加进一步的培训. 

In some cases, a combination of these may be the best option. Security awareness training is not a one-和-done exercise. Regular security training through multiple media is ideal, especially if the organization has high turnover rates.

Security Awareness 培训 Topics

在决定覆盖哪些主题时,还应考虑组织的独特威胁概况. Possible topics may include but are not limited to:

  • 网络钓鱼: Employees should be educated on how to spot 和 report 网络钓鱼 以及与可疑链接交互或在欺骗页面上输入凭据的危险. 网络钓鱼 extends beyond the traditional Nigerian prince email scam. Overviews should cover spear 网络钓鱼, suspicious phone calls, contact from suspicious social media accounts, 等. 这里也将提供影响其他类似组织的网络钓鱼企图的示例.
  • 物理安全: 物理安全 requirements can vary on an organization’s nature. Since businesses should already have a physical security policy in place, 这是一个很好的机会,可以确保员工了解政策中适用于他们的部分, 比如锁好书桌抽屉,制定允许客人进入办公室的规定. 培训 should also review how to report physical security risks, 比如楼里有人没有佩戴客人徽章,或者敏感数据暴露在外.
  • 桌面安全: 概述未能在适当的时间锁定或关闭计算机以及将未经授权的设备插入工作站的潜在后果.
  • 无线网络解释无线网络的本质,并概述连接不熟悉的网络的风险.
  • 密码安全复杂的密码要求和提示员工定期更改密码应该已经被强制执行, 但是密码安全培训对于解释重复使用密码的风险仍然很重要, using easy-to-guess passwords, 和 failing to change default passwords immediately. Authorized password management tools may also be covered
  • 恶意软件: A training session on 恶意软件 should define the types of 恶意软件 和 explain what they are capable of. 用户可以学习如何发现恶意软件,以及当他们怀疑自己的设备被感染时该怎么做.

Measure Effectiveness of Security Awareness 培训

有一个适当的过程来衡量培训的有效性是必不可少的. One way to do this is through a quiz. 在部署培训之前,应该进行测试,以获得基线测量,然后查看发生了什么变化. If 网络钓鱼 exercises are conducted on a regular basis, 组织应该跟踪员工对这些训练的反应是改善了(还是恶化了)!) after they’ve undergone security awareness training.

While it may be slightly less scientific, 随着时间的推移,随着员工和资产的增加,组织还可以通过寻找安全事件数量和类型的趋势来确定培训的影响. 让一个人在办公室里走来走去寻找暴露的密码也可能很有趣, 打开电脑, 并对潜在的物理安全风险进行几次前后的培训,以确定行为是否发生了变化. 

Consider the Learner’s Perspective

Security may be a top priority for the security team, but other teams will have their own set of goals. Organizations should do their best to respect that time—ideally, 培训应该根据员工的角色进行定制,以确保所有的培训内容都与个人及其所做的工作相关.

这可以让员工专注于重要的事情,并尽快回到工作中. It also ensures that the riskier users at an organization,例如 domain administrators, receive the right type of training that addresses vulnerabilities 和 threats that are more relevant to the work they do.

在与员工一起回顾政策和最佳实践时,一定要解释清楚 为什么 each one is important. 如果用户了解政策的全部背景,并相信这是正确的做法,他们就更有可能遵守政策. 例如, 从互联网上安装随机软件的风险变得更加明显,因为有人会很快发现一个伪装得很好的软件 ransomware can encrypt all of the files on their workstation.

最后, 如果有人在培训中遇到困难,组织应该避免点名个别员工,或者表现得居高临下. 而不是, 团队领导应该专注于创造一种环境,让每个人都能轻松地提出问题和报告事件.

At the end of training, 用户应该感到有能力帮助保护组织,并兴奋地与其他团队合作,以创建更安全的环境. 了解贵组织的独特需求和文化将是使培训成功的关键.

Read More About SecOps

Security Operations: Latest 新闻 from the 博客