A solid security awareness programme must include comprehensive instructor-led training done periodically, ” says Amir Kolahzadeh, CEO, IT SEC. “It should be succeeded by constant reminders through print and digital forms. It is also ideal to integrate user awareness schemes in the training and orientation programmes for new employees.
Cybersecurity awareness is an ongoing process and every company should have regular sessions planned out.”
In addition, Mr. Kolahzadeh says, currently, there is still no industry standard best practices enforced by a governing body. “We believe awareness training must be categorised into four groups C-levels, managers, users and IT personnel,” he explains. “The topics should be tailored in accordance with these categories.”
Measuring the effectiveness of a user awareness programme is just as important as planning and executing it.
Effectiveness of such programmes can be determined as a by-product of penetration testing. While uncovering the vulnerabilities of the organisations, the Pen Test can help determine whether the employees have been putting their learnings into practice.
Mr. Amir Kolahzadeh agrees, saying simulation-based techniques are the most effective metrics of a programme’s success.
Proprietary tools can be deployed pre-, during and post-cybersecurity awareness campaigns to fully analyse if the campaign’s key performance indicators have been met. For example, one of our basic tools is a fake phishing campaign designed for a particular organisation where we can monitor, analyse and drill down to the person and IP addressed that clicked on the emails.”
~ Security Advisor Issue # 17