Cybersecurity training and awareness programs need not break the budget. This article lists free resources that are readily accessible and can help you find ideas, content, and contacts to assist in your efforts.
Of course, as I said last year, such programs "will not guarantee complete cyber safety for companies, but they can go a long way towards making workers more cyber-aware" (see: Cybersecurity training still neglected by many employers). When combined with good policies and controls, security education definitely improves an organization's resistance to attack.
Over the past 12 months I think I have seen an increase in the number of hands raised when I ask audiences: "Has your employer provided you with any training and education around cybersecurity?" If this is a real trend, not just an anecdotal result of my informal research, then I am encouraged. But to be clear, I am not claiming any personal credit for such a trend – there are many dedicated infosec professionals doing far more than I to advance the worthy cause of security training and awareness.
I was fortunate to meet some of these folks last week at an event called Security Professionals Conference 2019 presented by EDUCAUSE, the nonprofit association that helps higher education "elevate the impact of IT." I was honored to serve on a panel consisting of myself, Robert Jorgensen, Cybersecurity Program Director and Assistant Professor at Utah Valley University, and Kelvin Coleman, Executive Director of the National Cyber Security Alliance. The panel was titled "Cybersecurity Woke: Effecting Positive Change Through Outreach and Education" and it was skillfully moderated by Bob Turner, the CISO of the University of Wisconsin-Madison.
At the end of the session I promised the audience that I would share – here on WeLiveSecurity – links to the awareness and training resources that I had curated, so that anyone who is interested can easily find them. I hope at least some of these prove to be helpful. If you know of others, please consider adding them in the Discussion section below.
Resources: government and non-profit
- A great place to start is the National Cyber Security Alliance or NCSA. This is the US non-profit behind a number of key initiatives over the last ten years, including National Cybersecurity Awareness month and the Stay Safe Online campaigns. You can find a host of resources on their website.
- The Office of the Director of National Intelligence is part of the US federal government that values all forms of security awareness and offers several public domain resources under the program called: Know the Risk Raise Your Shield. This interactive page is one place to start. It is the first in a three-part course described here. There are also posters and some pretty funny videos.
- The Department of Health and Human Services has an interesting 60-page interactive PDF available online for cybersecurity training. While it has a departmental focus on Personally Identifiable Information (PII), Protected Health Information (PHI), and Personal Identity Verification (PIV) cards, it is still helpful, and particularly so if your organization has a medical component (e.g. medical school or healthcare clients).
- The Center for Cyber Safety and Education is run by (ISC)2, one of the leading cybersecurity non-profits, about which there is more info below.
Resources: outside of government but still free
- The Infosec Institute is one of a number of for-profit organizations that offer both paid and free awareness materials, the latter obviously being a great way to introduce people to the organization's capabilities. Despite a slightly strange name, this "Marine Lowlifes Campaign Kit" is well worth exploring.
- SecureWorld puts on security events and provides a portal for curated vendor materials, such as this webinar on phishing, produced by Proofpoint. Another useful webinar is this one on Business Email Compromise from KnowBe4. (And yes, according to REN-ISAC, criminals are targeting higher education institutions with BEC.)
- ESET offers a free cybertraining course that I have written about here, and talked about here. You can access it here. (Like the other resources in this section, registration is required, but participants can download a certificate of completion, which helps managers track who has taken the training.)
Resources: community of support
A few years ago I joined something called Peerlyst, which describes itself as a "place where security experts share their knowledge, learn from each other, and build their reputation." Although it is not a non-profit, a lot of free resources have been posted in its wiki-style website. Here are some that I think may be useful in the current context:
- A project to crowdsource a security awareness training checklist
- The 9 Security Awareness Training Topics Your Employees Need for 2019! – Emma Woods
- The 6 things MSP's Need To Look Out For When Investing in Security Awareness Training – Emma Woods
- A list of open source, free and paid phishing campaign toolkits
- Free 15 minutes training video: Threat Landscape - IoT, Cloud, and Mobile
Resources: the power of associations
There are quite a few security-related associations that you may be able to tap for help with your security training and awareness program. Looking for an expert to come speak to your employees or students? Want to connect with other people working on cybersecurity? in your sector? in your area? One of the following might have what you're looking for.
- ISACs: these are the Information Sharing and Analysis Centers, non-profits that "provide a central resource for gathering information on cyber threats to critical infrastructure and providing two-way sharing of information between the private and public sector." There is probably one for your part of the economy. For example, if you are in education, then REN-ISAC is the one you need to know about. This page at the National Council of ISACs will lead you to them all.
- Infragard: this is the public-private partnership spearheaded by the FBI and now accessible via 82 chapters around the country. Joining requires vetting, but the benefits are well worth the effort. You can apply here.
- ISSA: this is the Information Systems Security Association and it offers you "a network of 10,000 colleagues worldwide to support you in managing technology risk." There are many chapters around the world.
- ISACA: previously known as the Information Systems Audit and Compliance Association, it serves 140,000 professionals in 180 countries, so there is probably a chapter near you.
- (ISC)2: you probably know the International Information System Security Certification Consortium (ISC squared, get it?) from its well-known CISSP qualification, but this educational non-profit membership organization does a lot more than that. Check out the website.
- CompTIA: while security is not the sole focus of this non-profit computer trade industry association and certification body, it can be a great source of information about cybersecurity. Consider connecting with the IT Security Community.