An effective security awareness campaign doesn't make security experts out of company employees. It just teaches them whom to call when something happens.
That was the message from Dow Williamson, executive director of SCIPP International, which provides security awareness training and certification programs for organizations worldwide. Williamson spoke Tuesday on a panel with Kris Rowley, CISO of the state of Vermont, at the second annual SC World Congress in New York.
Williamson emphasized the importance of end-user training, saying that most breaches occur due to employee error.
"Most people will agree that the vast majority [of incidents] aren't [caused] by the defeating of technology measures," he said.
The goal, Williamson said, is to get organizations to the point where their employees are not trained experts but smart enough to recognize when something is amiss. Then, they should know how to react, which likely means alerting the IT department.
Rowley said organizations must remain committed to their awareness program. Her office leverages elementary schools across the state to create posters emphasizing end-user awareness.
In addition, Vermont workers participate in a training session every other month, when they learn about a new topic – for example, phishing and creating complex passwords.
"You have to tell them all the reasons why [they shouldn't do something]," Rowley said.
She also stressed the importance of enforcing written policy. Employees must realize that violating these rules will result in consequences.
"Otherwise, it's just a Word document sitting out on the internet," she said.
SCIPP International announced in August that its end-user awareness certificate program entered the American National Standards Institute (ANSI) Certificate Accreditation Program, which attests that a company's training program meets a consensus benchmark, Williamson said.
That means that, for the first time, organizations that educate their end users can also use that fact as evidence to regulators that they are demonstrating compliance, Williamson said.