Planning a Security Awareness Program
The human element is the weakest link in the security chain, and the security of a system is only as strong as the weakest point of that system.
A study conducted by Stanford University in 2020 and Verizon’s 2022 Data Breach Investigations Report (DBIR) show that over 80% of data breaches were caused by or associated with human elements. The average cost of a data breach has been increasing every year; as an IBM report indicated, it has risen from USD 3.86 million per breach in 2020 to USD 4.35 million in 2021, in the form of direct costs such as cleaning the systems, remediation and labor, and indirect costs such as loss of revenue, valuation, and reputation.
Security awareness programs are the key to minimizing this vulnerability and bring the following benefits:
Building an effective security culture in the organization and spreading the principle that all employees are members of the security team.
Increasing the efficiency of technical defense systems.
Increasing clients’ confidence and trust in the organization.
To achieve these benefits, a security awareness program proposal containing the following components would be essential:
Audiences: each audience group would be provided with materials tailored to its needs and security priorities, delivered as scheduled courses (physical or virtual), asynchronous computer-based training, emails, and social media.
General security guidance, as the minimum awareness level, for all three groups. This portion could cover topics such as email security, phishing, password security, ransomware, information security, social engineering, safe internet habits, social media presence and its security risks, removable media, wireless network security, physical security, data management, remote connections, security incidents and their reporting, and privacy.
In-depth. These resources would be carefully crafted for employees based on their specific roles in the organization (IT, HR, management, …) and for third parties based on their relationship and responsibilities in supply chains or maintenance.
Compliance, which would be performed as a role-based program.
Evaluation and Metrics
Training quiz and test
Password strength and periodic change ratio
Policy and audit acknowledgment
Clean desk policy application