The overview for Control 14 - Security Awareness and Skills Training is: Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Control 14 includes 9 sub-controls or safeguards. They are:
14.1 Establish and Maintain a Security Awareness Program
14.2 Train Workforce Members to Recognize Social Engineering Attacks
14.3 Train Workforce Members on Authentication Best Practices
14.4 Train Workforce on Data Handling Best Practices
14.5 Train Workforce Members on Causes of Unintentional Data Exposure
14.6 Train Workforce Members on Recognizing and Reporting Security Incidents
14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
14.8 Train Workforce on Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
14.9 Conduct Role-Specific Awareness and Skills Training
Why is this control critical? This control addresses the human security vulnerability, perhaps the biggest vulnerability of all. All of the technical, administrative, and physical controls in the world can easily be undermined if your employees allow unauthorized people into facilities, click on links in phishing emails, open malicious attachments, or visit fraudulent websites and enter their company user credentials. Such actions could allow an attacker to gain a foothold in your environment to install ransomware or exfiltrate company and customer data. Security awareness training provides protection against such threats. Let's take a look at some of the safeguards and how companies accomplish them.
Safeguard 14.1 - Establishing and Maintaining a Security Awareness Program can be done by signing up your organization with an online training platform or by using an existing service that your Human Resources Information System SaaS platform offers. As part of the onboarding process, new employees should be required to take the awareness training within their first week of employment, and completion should be verified. Additional, shorter training modules and phishing tests are recommended each month to continuously strengthen the information security awareness muscle. Annual refresher training should also be required for all employees. The paid services offer reporting to show who has successfully completed the training. Human Resources staff follow up with individuals who do not complete the training, as they do with other types of required training.
KnowBe4 and Proofpoint are two popular services among the many training tools available. Some companies choose to develop their own internal information security awareness training. It's usually made up of a PowerPoint presentation put together by IT and IT security staff, who go over the materials with company employees. Both types of training cover the basics, such as not sharing account passwords, using multi-factor authentication when possible, not clicking on attachments or links from unfamiliar senders, not submitting credentials or financial information to bogus websites, not falling victim to social engineering attacks, and so on. Quizzes are often used to test the knowledge of participants.
Safeguard 14.5 - Train Workforce Members on Causes of Unintentional Data Exposure is critical to protect company and customer data, as well as to protect companies from the legal and financial liability that results from such exposures. Well-trained employees are taught not to share sensitive data with people who do not have a need or right to see it. They are also taught how to properly share information with those who do have a need or right to the data. The data leaks my clients have experienced are often due to lack of knowledge. Scenarios include an employee accidentally sending a patient or client the data of a different patient or client. For healthcare companies subject to HIPAA requirements, such a mistake can result in expensive fines. There have also been cases where companies I've worked with have processes in place to share customer data with partners after the data has been anonymized to protect the identities of customers. On occasion the automated anonymization process fails, but the data is still shared because the companies don't have proper verification processes in place. There are many other ways data is unintentionally exposed. In all cases, proper training is needed as a baseline to protect the data and the company.
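The failed-anonymization scenario above is one where a verification step before release, not training alone, catches the problem. The following is an added example (not from the original post or any vendor tool) of a fail-closed release gate: it scans an anonymized CSV export for residual identifiers and refuses to approve the share if any are found. The column name, the hashed-id format and the sample exports are constructed assumptions for the illustration.

```python
import csv
import io
import re

# Identifier patterns that must not survive anonymization (constructed for this example).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}

# Assumption: the anonymizer replaces real record ids with hex hashes of at least 16 characters.
HASHED_ID = re.compile(r"[0-9a-f]{16,}")


def find_residual_pii(csv_text, id_columns=("patient_id",)):
    """Scan every cell of the export; return (row_number, column, kind) for each finding."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=2):  # line 1 is the header
        for col, value in row.items():
            value = value or ""
            if col in id_columns and not HASHED_ID.fullmatch(value):
                findings.append((row_no, col, "unhashed_id"))
            for kind, pattern in PII_PATTERNS.items():
                if pattern.search(value):
                    findings.append((row_no, col, kind))
    return findings


def release_gate(csv_text):
    """Fail closed: the export is approved for sharing only when no residual identifiers remain."""
    findings = find_residual_pii(csv_text)
    return (len(findings) == 0, findings)


# Constructed sample exports: one properly anonymized, one where the anonymizer partly failed.
CLEAN_EXPORT = """patient_id,visit_date,diagnosis_code,notes
9f86d081884c7d65,2024-01-12,J06.9,follow-up in two weeks
e3b0c44298fc1c14,2024-01-13,I10,bp stable
"""

FAILED_EXPORT = """patient_id,visit_date,diagnosis_code,notes
9f86d081884c7d65,2024-01-12,J06.9,call 555-123-4567 re results
MRN-00421,2024-01-13,I10,sent summary to j.doe@example.com
"""

if __name__ == "__main__":
    for name, export in (("clean", CLEAN_EXPORT), ("failed", FAILED_EXPORT)):
        approved, findings = release_gate(export)
        print(name, "approved" if approved else "BLOCKED", findings)
```

The gate only ever blocks or approves; the findings list is what gets handed to the person who owns the anonymization process so the root cause is fixed before a re-run.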
Safeguard 14.6 - Train Workforce Members on Recognizing and Reporting Security Incidents is supremely important because people who are trained properly know what to do. They report an incident to the people who can take appropriate action and contain it. People who are not trained are often afraid to report an incident because they think they may get in trouble for having done something wrong. As a result of doing nothing, a containable incident is not contained and causes a lot of damage.
Safeguard 14.9 - Conduct Role-Specific Awareness and Skills Training is often overlooked even in companies that have basic security awareness training. It's important that software developers receive annual training on secure coding practices. This helps them stay up to date on the latest code vulnerabilities and the practices that avoid them. IT and IT security staff should also receive annual training on responding to incidents and on protecting the technologies they support. Staff in other areas, such as senior executives and finance staff, should receive more advanced training to prevent them from succumbing to bogus text messages and phishing emails, especially those requesting that money be wired to fraudulent recipients.
Whether you choose an online training platform or offer in-house training, your organization must provide company employees with security awareness training. It is the most effective method for protecting company and customer data. The Center for Internet Security Controls can help.
In the next post I'll discuss Center for Internet Security Control 15 - Service Provider Management.