
Training the users of your organization

Information security is 90% work with people.



I never tire of repeating the phrase above. No matter how technically perfect your security system is, no matter how flawlessly and clearly the information security management system is built, there is always the human factor. People get distracted, forget, “blow off” or simply ignore some of the rules and practices.

Below the cut I will describe a fairly effective way to reduce the share of incidents caused by the human factor.

Be available

Don't shut yourself in your office and walk the corridors with an important look. Watch how the people in marketing or sales work. Remember that you need to pitch your idea as if you want to sell it.
Do not send the awareness presentation by email; deliver it in person and leave extra time for questions and comments, even if 99% of them repeat what was in the presentation.
Be sure to include your contact details in the awareness presentations.

From personal experience: after a couple of awareness presentations, employees came to me and wrote to me not only about incidents, but also with comments, additions and tips on the presentation itself, the information security system, and so on.

Keep it simple

Keep in mind that many things that are basic to you as an IT and/or security specialist may simply be incomprehensible to the rest of the staff of your organization. There is no need to pepper your speech with specialized or slang terms. Try to explain and convey everything in simple words and simple examples. Start with the basics: explain what information is and what its properties are. And not by a simple listing, such as “confidentiality, integrity and availability”, but by showing each property with an example from your organization or a commonly understood one.

Be regular

Do not think that, having run a training or educational program once, you can forget about it for good. Basic “courses” need to be repeated periodically (for example, once a year) with all employees. It is also good practice to hold such presentations for newly hired employees.
Nowadays introductory (onboarding) courses are very common: they usually take 1-2 days, during which newcomers are gathered and told about the organization, its functions, departments and rules. Give your presentation at such introductory courses, so that newcomers know you, know what to do and know where to turn in case of an incident.

Build a series of presentations covering various areas of information security. For example, once a quarter, run an optional educational session for employees: tell them about the risks and vulnerabilities and how they can deal with them at the user level.
Do not forget that apart from viruses, trojans and spam there is also physical intrusion, phishing and even plain theft. Use such presentations to increase the vigilance and attentiveness of employees.

From personal experience: after one of the presentations on protecting confidential and internal information, an employee reported that HR department documents marked “For internal use” had been posted in the hall (shared with another organization).


Remember the main principle of building an information security system: security begins with every employee!

UPD: Corrected unclear wording, errors and typos. Thanks to ericbro.

Source: https://habr.com/ru/post/154031/
