After building IT systems and departments at national and international startups, I recognized the same trend would repeatedly occur. I set out to build a series of guides to help navigate the many IT decisions a leader will make before hiring an IT team. Any vendor, service, or product that I endorse is purely the result of their ability to serve your business — I have no stake in any of them. If this article is helpful and you’d like to explore consulting engagements, please message me or visit my website — www.dave-bour.com for more information.
Often considered the least sexy of all IT endeavors, Security Trainings can sit on the ‘to-do’ list for a very long time. A barrier to checking this one off is simply figuring out what it should cover.
We’re going to tackle this in the same format as a college essay, let’s get started. I’ve outlined generic topics that any company should cover with their employees, along with some tips to help with engagement.
Whether you see Security Training as a checkbox or an opportunity to the company, and people personally safeguard information — you’re right.
Take a minute and realistically prioritize this task. Make it a quarterly objective. In an effort to keep yourself honest, tell your boss that you expect to complete and perform this training in Qx.
Create an attendance sheet or checklist for tracking purposes, or for a fee, use a site such as Aptible to upload your trainings and automatically track attendance as they complete a review of the slide deck.
Before We Start
Start with a list of topics you’d like to cover. Here are a few tips to keep in mind for this portion of the work.
- Don’t let perfection keep you from deployment. A nice template and neat formatting will lend credibility but don’t let this hold you back from getting this into the hands of your staff.
- Iterate and keep it current. Put your name on Slide 1 as the maintainer. Use the Pareto Principle to get most of the way there and interate as you perform the trainings.
- Act As-If (Link Warning — Graphic Language). Look — everyone’s security posture is lacking. Don’t let poor practices keep you from highlighting the way things should be done. Use this training as an opportunity to reset expectations around security.
- Use a lot of analogies. Don’t force your audience to learn a bunch of IT concepts. It’s your job to make them relatable.
More than anything — make this relateable! Security concepts are so opaque to most people that you can take this opportunity to help them better secure their personal information, too. Whether you see Security Training as a checkbox or an opportunity to help the company safeguard information — you’re right.
Creating an Outline
Using your company’s slide template for continuity. Keep the slides concise and explain the topics in person or in a video.
- Start by giving them a reason to care about this. “When we disregard security, we’re risking our reputation, financial resources, and intellectual property that you and your colleagues work so hard to create. Our product or service is the result of our team’s collective diligence.”
- Security is risk management. It never gets to zero.
- Ease of use tends to comes at the expense of security. If it’s easy, it’s probably not secure.
- There are very few single things that reduce your risk. Strong security is the result of combining many little things.
- Give an example of a Security-First mindset approach to a common problem in your workplace.
Outline Device Security Standards
- Reason behind BIOS/Firmware/Recovery Password (Why would someone steal your computer? Ask the crowd for a few examples. Hint: Thieves are motivated by what? A: To sell it. This prevents them from reformatting it.)
- Reason behind full disk encryption (If you leave your computer at Starbucks, someone could take the hard drive out and plug it into their computer as a USB drive to read all your data).
- Use a strong password.
- Don’t let anyone use your work devices.
Outline Application Security Standards
- Use a strong password, ‘Sign in with Google’, or password manager if SSO is not provided by your company.
- Multi-factor Authentication. I take a break here to explain why this is important. Example — someone steal’s your Seamless password. What are they going to do? Order a sandwich? Actually, their bot is going to try your email as username and password on Chase.com, bankofamerica.com, etc. And if you’re human, you’re using that same password somewhere else. Now have them pull up haveibeenpwned.com and enter their personal email address. Use this as a demonstration of why MFA is so important — professionally and personally.
- Using Chrome Profiles (Keep work and personal separate. Show them how to have a separate workspace for personal items).
Outline Internet/Network Security Standards
- Use Corporate Guest WiFi on personal devices.
- Looking for the ‘S’ in HTTPS, FTPS, etc. Explain what the S means and why it is important.
- Phishing! Show examples of emails! Explain why they exist!
Outline Physical Security Standards
- Don’t share your badge.
- If you hold the door for someone, they should tap their badge.
- Sales-people and others who approach the front desk asking to see someone or stating they have an appointement — do not give them any more information than they already have and do not let them proceed without an escort.
Performing the Training
Now that you’ve created a deck, you can begin performing trainings! This is a big step for the company as it will shift the spotlight from a culture of ease to a culture of security-first.
Perform a full training for all employees to establish a baseline. Perform a light version of this training with new employees and establish a quarterly cadence for a full training for new hires since the last one was performed.
Wizer offers free trainings in digestible, 1 minute videos.
These three recommendations are just the tip of the iceberg when it comes to organizational technology postures. Please reach out if you’d like a consultation customized for your business.