Many security managers say end-user education is a central part of IT security. More regulations are also requiring that organizations demonstrate that they’re conducting such training.
Increasingly, organizations are looking to automated, Web-based educational solutions. Pemco Insurance, located in Seattle, implemented a solution from the vendor Cosaint several years ago. Pemco wanted a way to bolster employee security education in a manner that would reduce administrative costs, says Marc Menninger, security manager. He also wanted to make security education easier and to have access to reports on that education to show auditors, he says.
One reason Pemco chose Cosaint was its wealth of information security courses, which range from “mobile device security” and “information retention and destruction” to “avoiding identity theft.”
Most lessons are presented in easy-to-follow PowerPoint presentations, he says. Menninger also says he found Cosaint easy to use and relatively low-priced.
Setting up the solution mainly entailed creating a core Pemco information security module, Menninger says. During the implementation process, which involved taking Cosaint material and tailoring it towards Pemco’s policies and needs, Pemco received considerable assistance from the vendor, he says.
Much of the material was aimed at teaching employees to develop strong passwords and to avoid phishing e-mails, which can contain malicious links or attachments. One goal in creating and editing the new module was to make sure the material would be at a fairly high level, he says. At the same time, he didn’t want the lessons to be too onerous or time-consuming. Pemco didn’t have to install any software or browser plug-ins to use Cosaint, Menninger says.
(Continued in "Bolstering Security Education," from the September 2011 issue of Security Management.)