Bolstering Security Education
Many security managers say end-user education is a central part of IT security. More regulations are also requiring that organizations demonstrate that they’re conducting such training.
Increasingly, organizations are looking to automated, Web-based educational solutions. Pemco Insurance, located in Seattle, implemented a solution from the vendor Cosaint several years ago. Pemco wanted a way to bolster employee security education in a manner that would reduce administrative costs, says Marc Menninger, security manager. He also wanted a way to make security education easier and to have access to reports on education to show auditors, he says.
One reason Pemco chose Cosaint was its wealth of information security courses, which range from “mobile device security” and “information retention and destruction” to “avoiding identity theft.”
Most lessons are presented in easy-to-follow PowerPoint presentations, he says. Menninger also says he found Cosaint easy to use and relatively low-priced.
Setting up the solution mainly entailed creating a core Pemco information security module, Menninger says. During the implementation process, which involved taking Cosaint material and tailoring it towards Pemco’s policies and needs, Pemco received considerable assistance from the vendor, he says.
Much of the material was aimed at teaching employees to develop strong passwords and to avoid phishing e-mails, which can contain malicious links or attachments. One goal in creating and editing the new module was to make sure the material would be at a fairly high level, he says. At the same time, he didn’t want the lessons to be too onerous or time-consuming. Pemco didn’t have to install any software or browser plug-ins to use Cosaint, Menninger says.
Menninger e-mails employees to tell them they need to review and electronically sign the security policy module. Menninger can then track who has taken courses; the system automatically sends out reminder e-mails to employees who have yet to take them.
Menninger has been pleasantly surprised in recent years about how many employees have taken advantage of Cosaint’s numerous security courses, most of which Pemco makes optional.
Students can take a quiz after each lesson and then receive a certificate showing how well they scored. Menninger occasionally sees certificates displayed in employee work spaces, he says. Some employees may be particularly interested in security, he says, or may enjoy the challenge of the tests.
Educating users about the dangers of phishing messages may be one of Cosaint’s primary security benefits. Phishing security is heavily emphasized in Pemco’s security policy and in Cosaint’s available material.
Pemco has started using Cosaint for additional professional education in recent years, covering both security and nonsecurity related subjects. In one example, a manager wanted to educate certain staff about IT change-management procedures and policies, Menninger says. Working with Cosaint, Pemco developed an educational module that could be accessed along with other Cosaint lessons. “It worked out well for [the manager].”
The Web-based training system has reduced paperwork and administrative costs, including the need for in-person security training, Menninger says. In addition, automatically generated reports have created a convenient way to demonstrate Pemco’s training to auditors.
Many technological security solutions are far more expensive than what Cosaint offers, Menninger says. He adds that the product’s modest cost, breadth of material, and strong customer service help make it “one of the most economical security systems we have.”