SECURITY FOR THE MIDMARKET

Security awareness training for SMBs


Joel Dubin, CISSP, Contributor
04.02.2007


Regulatory compliance and the rise in data breaches have made security awareness training a necessary program for companies.

The Sarbanes-Oxley and Health Insurance Portability and Accountability acts mandate security awareness training for compliance. This mandate extends to contractors, vendors and others -- such as small and medium-sized businesses (SMBs) -- who provide services to the regulated. It's a good idea, in any case, to educate employees about computer security hygiene. It can help protect the intellectual assets of a company, the loss of which could be especially lethal to an SMB without resources to protect itself. However, unlike the regulated companies they may serve, SMBs don't have lavish budgets and staff for dedicated training departments.

Areas of focus

There are two things an SMB should keep in mind for its security awareness program. First, it should teach a consistent security message to the entire company. SMBs are too small to have multiple training programs with different slants. The program should also be managed by your IT department.

Second, remember that most of your computer users aren't technical. Keep it simple and relevant to everyday users.

No matter what you focus on, the following are the bare minimum that should be in any program:

  • Handling of user IDs and passwords
    Employees should be taught about the safe handling of these. Some examples include how to pick a strong password, not writing down passwords or putting them on sticky notes attached to monitors, and not sharing them with anybody, including the help desk.

  • Internet and email usage
    Users need to be taught to be wary of email attachments, particularly if from an unknown sender. Teach users how such attachments could contain viruses, Trojans or other malware that could harm the company. In addition, users need to be aware of company policies about safe Web browsing and acceptable Internet use. Web access from the office is for business purposes only. Pornography and gambling sites, besides opening the company to legal liability, are vectors for malware. This needs to be explained to employees in terms they understand.

  • Mobile device and laptop security
    Teach road warriors who live on their laptops how to keep their machines from being stolen when they travel. Teach them to be careful when logging in at airports and other public places to prevent shoulder surfers from stealing their user IDs and passwords. Employees also need to be taught about the threats posed by USB keys and wireless access points in the office. They should be told these devices may not be allowed at work.

  • Social engineering
    Employees who deal with the public are susceptible to con artists who may try to sweet-talk them into providing company information or user IDs and passwords to access confidential systems and data. Teach employees the basic tricks of the trade so they won't be fooled.

  • Incident response
    If an employee sees something suspicious or thinks a breach may have occurred, teach them about procedures for reporting incidents. They should be told who to contact and how.

The National Institute of Standards and Technology (NIST) has an excellent publication, SP 800-50, with templates and guides for what should go into a security awareness training program. The 70-page document is available for free in PDF format from the institute's Web site.

In, out or Web?

Traditionally, there have been three ways to set up a security awareness program: turn to in-house staff members or a training department, hire an outside training company, or use Web-based or computer-based training courses. All three options can be costly and use resources SMBs don't have.

So, what alternatives are there for an SMB wanting to bring its staff up to snuff on information security? There are two options, which are slight variations on the three traditional approaches. An SMB can still use in-house resources, depending on the scope of the training, or purchase a Web-based or computer-based training program. In addition, SMBs can also be creative, putting up colorful and inexpensive security awareness posters around the office as a gentle reminder.

If your IT department can spare one or two people to assemble a training program, a tailor-made in-house program might be the way to go. A one-day or even a half-day class built around the NIST guidelines, or other materials, should be sufficient to cover the key points employees need to know about computer security.

For Web-based and computer-based training, there are a number of reasonably priced alternatives targeting the SMB.

An interesting package of training products comes from Native Intelligence Inc. in Glenelg, Md. The company offers Web-based training, newsletters and clever posters with security tips. All the materials can be customized and branded with your company's logo. Native Intelligence also updates its materials regularly. The programs keep track of who completed the courses, which is useful for certifying for compliance that everybody in the company did, in fact, take the required security training.

Similar Web-based training is offered by UK-based Easy i Inc., which customizes training to suit individual company needs. It also offers off-the-shelf products. The Security Awareness Co. has Web-based training, videos, live instructors and role-playing and simulation games.

The most novel approach is from National Security Institute's SECURITYsense, which delivers security messages in HTML-based email newsletters and pop-up windows directly to employee desktops. It bills itself as the low-cost alternative at $995 per year for 5,000 employees.

Whichever program you choose, make sure it meets your compliance requirements and can verify, for auditors and regulators, who took and completed the courses. With these approaches, an SMB can easily meet compliance standards for security awareness training.

Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He also runs The IT Security Guy blog at http://www.theitsecurityguy.com.

All Rights Reserved, Copyright 2007 - 2009, TechTarget