Security Awareness Training

Learn how to provide security awareness training to employees to meet regulatory compliance requirements.


What is security awareness training?

Employees are part of an organization's attack surface, and ensuring they have the know-how to defend themselves and the organization against threats is a critical part of a healthy security program. If an organization needs to comply with government and industry regulations such as FISMA, PCI, HIPAA or Sarbanes-Oxley, it must provide security awareness training to employees to meet those regulatory requirements.

Depending on the internal security resources and expertise available at an organization, it might make sense to bring in a third party to assist with security awareness training services. Regardless of whether outside help is used, an organization's leaders should understand what goes into building a security awareness training program, participate in it, and provide feedback throughout the process.

Types of security awareness training

Every organization will have a style of training that's more compatible with its culture. There are many options, including:

  • Classroom training: This allows instructors to see whether learners are engaged throughout the process and adjust accordingly. It also allows participants to ask questions in real time.
  • Online training: This is much more effective than in-person training, and it will likely be less disruptive to employee productivity since learners can work through the content from any location at their own convenience. This can also allow learners to work through the material at their own pace.
  • Visual aids: Posters in the break room cannot be the sole source of security awareness training, but if done effectively, they can serve as useful reminders.
  • Phishing campaigns: Nothing captures a learner's attention quite like the realization that they've fallen for a phish. Of course, learners who fail the phishing test should be automatically enrolled in further training.

In some cases, a combination of these may be the best option. Security awareness training is not a one-and-done exercise. Regular security training delivered through multiple media is ideal, especially if the company has high staff turnover.

Security awareness training topics

An organization's unique threat profile should also be factored in when deciding what subjects to cover. Possible topics include, but are not limited to:

  • Phishing: Employees should be taught how to spot and report phishing and the dangers of interacting with suspicious links or entering credentials on a spoofed page. Phishing goes well beyond the traditional Nigerian prince email scam. The overview should cover spear phishing, suspicious phone calls, contact from suspicious social media accounts, and so on. Examples of phishing attempts that have affected other similar organizations will also be helpful here.
  • Physical security: Physical security needs may vary depending on the nature of the organization. Since the business should already have a physical security policy, this is a great opportunity to make sure employees understand the parts of the policy that apply to them, such as locking desk drawers and rules about allowing guests into the office. Training should also review how to report physical security risks, such as someone in the building who isn't wearing a guest badge or sensitive data that is left exposed.
  • Desktop security: Outline the potential consequences of failing to lock or shut off computers at appropriate times and of plugging unauthorized devices into workstations.
  • Wireless networks: Explain the nature of wireless networks and outline the risks of connecting to unfamiliar ones.
  • Password security: Complex password requirements and prompting employees to change their passwords on a regular basis should already be enforced, but password security training is still important to explain the risks involved in reusing passwords, using easily guessed passwords, and not changing default passwords immediately. Approved password management tools may also be covered.
  • Malware: Training sessions on malware should define the types of malware and explain their capabilities. Users can learn how to spot malware and what to do if they suspect their device has been infected.

Measuring the effectiveness of security awareness training

Having a process in place to measure training effectiveness is essential. One method is through quizzes. Quizzes should be issued before the training is deployed to get a baseline measurement and afterwards to see what has changed. If phishing drills are conducted regularly, organizations should keep track of whether employee response to these drills improves (or worsens!) as they receive security awareness training.

Although this may be less scientific, organizations can also try to determine the impact of training by looking for trends in the number and type of security incidents occurring over time as they add more employees and assets to the organization. It may also be interesting to have an individual walk around the office looking for exposed passwords, unlocked computers, and potential physical security risks a few times before and after training to determine whether behavior has changed.
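The two measurements described above, a before/after quiz baseline and phishing-drill response tracked across drills, are easy to keep in a small script. The example below is added here and is not code from the original page; the employee names, quiz scores and drill records are constructed sample data, and the action labels (`reported`, `ignored`, `clicked`, `submitted_credentials`) are an assumed vocabulary. It also produces the list of learners who failed a given drill, which is the input to the automatic re-enrollment mentioned earlier.

```python
from collections import defaultdict

# Constructed sample data (not from the page): quiz scores (0-100) for the
# same employees before and after the training was deployed.
QUIZ_BEFORE = {"alice": 55, "bob": 70, "carol": 40, "dave": 80}
QUIZ_AFTER = {"alice": 85, "bob": 75, "carol": 60, "dave": 80}

# Constructed phishing-drill outcomes: (drill_id, employee, action).
# Assumed action vocabulary: reported / ignored / clicked / submitted_credentials.
PHISHING_DRILLS = [
    ("drill-1", "alice", "clicked"),
    ("drill-1", "bob", "reported"),
    ("drill-1", "carol", "submitted_credentials"),
    ("drill-1", "dave", "ignored"),
    ("drill-2", "alice", "reported"),
    ("drill-2", "bob", "reported"),
    ("drill-2", "carol", "clicked"),
    ("drill-2", "dave", "reported"),
]

# Actions that count as falling for the phish.
FAIL_ACTIONS = {"clicked", "submitted_credentials"}


def quiz_delta(before, after):
    """Return (average change, per-employee change) for employees in both quizzes."""
    deltas = {emp: after[emp] - before[emp] for emp in before if emp in after}
    average = sum(deltas.values()) / len(deltas) if deltas else 0.0
    return average, deltas


def drill_rates(records):
    """Per-drill fail rate and report rate, keyed by drill id."""
    totals = defaultdict(int)
    fails = defaultdict(int)
    reports = defaultdict(int)
    for drill_id, _emp, action in records:
        totals[drill_id] += 1
        if action in FAIL_ACTIONS:
            fails[drill_id] += 1
        elif action == "reported":
            reports[drill_id] += 1
    return {
        d: {"fail_rate": fails[d] / totals[d], "report_rate": reports[d] / totals[d]}
        for d in sorted(totals)
    }


def fail_rate_trend(records):
    """Ordered (drill_id, fail_rate) pairs plus whether the last drill beat the first."""
    rates = drill_rates(records)
    series = [(d, rates[d]["fail_rate"]) for d in rates]
    improving = len(series) > 1 and series[-1][1] < series[0][1]
    return series, improving


def enroll_for_retraining(records, drill_id):
    """Employees who failed the given drill and should be re-enrolled in training."""
    return sorted({emp for d, emp, action in records if d == drill_id and action in FAIL_ACTIONS})


if __name__ == "__main__":
    avg, per_employee = quiz_delta(QUIZ_BEFORE, QUIZ_AFTER)
    print(f"average quiz change: {avg:+.2f} points; per employee: {per_employee}")
    for drill_id, rate in drill_rates(PHISHING_DRILLS).items():
        print(f"{drill_id}: fail {rate['fail_rate']:.0%}, reported {rate['report_rate']:.0%}")
    series, improving = fail_rate_trend(PHISHING_DRILLS)
    print("trend:", series, "improving" if improving else "not improving")
    print("re-enroll after drill-2:", enroll_for_retraining(PHISHING_DRILLS, "drill-2"))
```

The report rate is tracked alongside the fail rate because a drill where nobody clicks but nobody reports either tells you little about whether employees would escalate a real phish; both numbers should move in the right direction over successive drills.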

Consider the learner's perspective

Security may be the top priority for the security team, but other teams have goals of their own. Organizations should do their best to respect employees' time; ideally, training should be customized based on an employee's role to ensure all of the training content is relevant to the individual and the work they do.

This allows employees to focus on what matters and get back to work as quickly as possible. It also ensures that higher-risk users in the organization, such as domain administrators, receive appropriate training on the vulnerabilities and threats most relevant to their work.

When reviewing policies and best practices with employees, it's important to always explain why each one matters. Users will be more likely to abide by policies if they understand the full context behind them and believe it's the right thing to do. For example, the risks of installing random software from the Internet become much more apparent to someone who sees how quickly a well-disguised piece of ransomware can encrypt every file on their workstation.

Finally, organizations should avoid calling out individual employees or appearing condescending if someone struggles with a training exercise. Instead, team leaders should focus on creating an environment where everyone is comfortable asking questions and reporting incidents.

By the end of the training, users should leave feeling empowered to help protect the organization and excited to collaborate with other teams to create a more secure environment. Understanding your organization's unique needs and culture will be critical to making this training a success.
