Just as new employee training is an ongoing process, so is security testing and training for every member of your organization and for your systems. New threats are discovered every day, so your team needs to know what these threats look like and how to react, and you need to plan routine scanning for weaknesses throughout your networks. That’s why testing and training your people, and testing your systems, should never stop. But how often should all of this take place? And what does a good training program look like? Take a look at some of our recommendations.
Where to Begin
Testing should begin before training takes place, often without your team even knowing they are being tested. For new employees, it may be helpful to conduct initial security testing during the onboarding process so you can determine each person’s risk profile and make sure they receive the proper training from the start.
How Often You Should Test
An individual’s risk profile is the primary factor that determines how often a team member should be tested. The more often a team member fails, the harder and more frequently he or she will be tested. Monthly testing is a general baseline, and the frequency of an individual’s testing can be adjusted as needed. Other factors that affect how often you test your team include the types of testing you need to conduct and whether your industry has laws or regulations that prescribe the types or frequency of testing.
Individual or Group Training?
We recommend group training for your team for several reasons. Team members often benefit from a group setting because someone else will ask the question one person wants to ask but doesn’t, out of reluctance to speak up. Others may also ask questions an individual would not think of or know to ask. Group settings generate useful conversations about individual experiences that the entire team can learn from. They also help each team member see that they aren’t alone in dealing with the complicated, more technical aspects of a job that isn’t always part of their day-to-day duties.
What a Good Testing and Training Program Should Include
Equipping your team to help keep your organization secure means having a strong testing and training program in place. But what should it include? Again, that depends on your organization’s needs, but a few recommendations we typically make include the following.
Phishing attacks are common and often difficult to prevent, but as Forbes notes, “they do follow patterns and can be detected with the right education.” Phishing tests should be conducted through an automated service that sends test emails twice a month. The emails should be sent at different times and should use different templates.
Phishing training should be scheduled as needed based on the results of the tests. Only users who click the phishing email should take the training, which is video-based and runs 15 to 25 minutes.
Penetration tests check your computer systems for vulnerabilities through a simulated cyber attack, often by attempting to breach APIs and servers. The purpose of penetration testing is not only to find and fix vulnerabilities before a would-be attacker exploits them, but also to show how your current security controls would hold up in a real-world scenario and to inform improvements to your web application firewall configuration and other security policies. Penetration tests should be conducted by an independent outside organization that is highly experienced in this type of testing. Our general recommendation is to test quarterly or annually, but this may vary depending on your business’s size, industry laws and regulations, and other factors.
Vulnerability testing, sometimes referred to as vulnerability assessment or analysis, inspects your internal and external networks to identify and classify security issues within the infrastructure, such as missing vendor patches, security bugs, how well the systems protect the data they hold, and more. Like penetration tests, vulnerability tests should be conducted by a qualified independent organization either quarterly or annually.
Each member of your team plays a vital role in keeping your organization secure and safe from outside threats, so taking the time to create a continual testing and training program is a must. If you need help making sure your testing and training program covers all your needs, or if you need help creating a program, please contact us using the form below. We would love to assist you.