Security Awareness Blog

Security Awareness and the New Hire Process

A common problem many organizations face with their security awareness program is the new hire process. They are tasked with training and securing new hires, but often have very limited time and resources to do this (sometimes no more than 15 minutes to 'secure' each new hire during the initial on-boarding). In addition, new hires are bombarded and overwhelmed with everything else they are learning, including healthcare, how email works, how their new computer works, expenses, etc. We had a great discussion about this challenge in the last MGT433 two-day course; this is what we as a class came up with.

  • Do not try to secure your new hires during the on-boarding process. It's too much information in too little time, and the new hires can't remember it all anyway.
  • Instead of focusing on policies and behaviors, focus on laying a foundation. Make sure new hires understand that your organization takes security seriously and that they play an important role (technology can't stop everything), and set expectations for what they will learn through the security awareness program. Explain what and who the security team is, how the security team will be communicating with them, and what the new hires can expect training-wise over the next six months.
  • If your awareness program uses a certain brand, mascot or logo, show this to the new hires and explain to them that whenever they see this brand, it's part of the security program.
  • Finally, make sure they know who on the security team to contact, how to contact them, and where they can learn more.

Ultimately the new hire process is not about securing employees, but building a relationship with them, ensuring they understand the importance of security, and explaining to them what to expect in the coming months.

2 Comments

Posted August 18, 2015 at 6:48 PM

Jay

One thing I love about awareness done properly as a countermeasure is that it protects against the unknown in addition to the known. Not perfectly, but nothing does.
Since attackers constantly shift tactics, it is self-defeating to over-rely on defenses designed to prevent specific attacks. It's best to have defenses that prevent/correct multiple attacks. Awareness and backups are two of the best.

Posted August 26, 2015 at 1:04 PM

lspitzner

Jay, I could not have said it better, you are spot on sir!