January and February are traditionally busy hiring months in offices across the U.S. Not a lot of open positions are filled during the hectic weeks between Thanksgiving and year’s end. And January 1 is often (but not always) the beginning of a new fiscal year. Many hiring managers have fresh budgets and goals in hand and have empty seats to fill in a hurry. And hiring means new hire training.
The right training has the potential to make new hires more productive and loyal, as well as to retain information better. Working with human resources to integrate a high quality security training program with other necessary training is critical to having a security-aware workforce.
Onboarding Day: Here Comes the Firehose
We’ve all been there before. The first day in a new job is overwhelming. It’s all about learning new names, understanding job functions, figuring out the commute, doing HR paperwork, and taking that unflattering badge photo. It’s a day of drinking from the figurative firehose.
How do you fit security training in to such a busy time and remain effective? The information security team will likely be offered a brief window, maybe 10 or 15 minutes, to say what you want to say. And you’ll be competing with more pressing information like where to park and when paychecks post.
The goals of your 15-minute window on onboarding day should be simple: to show that information security has an important presence in your organization and to start a meaningful relationship with each new employee.
Starting the Relationship
Think of onboarding day as the start of infosec’s relationship with a new employee. They won’t be 100% secured but they’ll know that you exist and that the company takes your role seriously.
First, explain the culture of security within your organization. If your infosec team has a mission statement, share it. Or share how your team works to fulfill the mission and vision of the company. Convey that the business is invested in security and expects its employees to be invested too.
Next, provide any day one critical information about security. Perhaps you have some high level compliance requirements that must be adhered to? Or a critical document that needs to be reviewed and signed. Get that message across simply and succinctly.
Then lay out the security training plan for the next several weeks or months. But provide a way to access security resources immediately. You may have an intranet site with security guidelines. Or there could be a dedicated member of your team who is a personal resource to new hires. Be sure to convey that training will come, and answers are available now!
End your time slot by sharing any branding for your infosec team. Do you have a mascot or slogan? Something to giveaway like a pen or laptop camera cover? Help new hires remember you and see you as an integral component of the company.
We’ve established that thorough training can’t happen on day one. So you need a training plan for the first days, weeks, and months of a new hire’s employment. You’ll likely need to work with HR and hiring managers to integrate your learning objectives and delivery methods with theirs.
Whether you deliver training in person, through self-paced online courses, or through some other means, here are the core topics you must cover.
Explain guidelines around how passwords work at your company. What are the minimum requirements? Does one password work for all systems, like email, intranet, and VPN? How often are employees required to update passwords? Is there any system that requires multi-factor authentication? If so, will the employee need to download any apps on peripheral devices to enable authentication?
New hires will be arriving with their own devices. Some will be eager to add their company email and apps like Microsoft Teams, Zoom, Slack, Paycom, and more to their phone or tablet. Have a clear policy about what is and is not allowed or expected when it comes to company data on private devices. Be clear about your policies for securing the device with a passcode or biometric authentication.
Removable Media Policy
Set the expectation that removable media is not to be connected to company devices unless it has been issued by the company. It happens more than you may realize: a malware-loaded thumb drive is dropped in the parking lot and connected to a device by a curious and unsuspecting employee. Teach employees to recognize the potential threats posed by found or suspicious media.
Even with the best information security team and hardware that money can buy, employees are still a weak link in the security chain. Teach (and re-teach…and remind) new hires how to recognize malware, phishing, and hoaxes. Provide examples of any threats that are particular to your industry. Give them a clear path for reporting anything that they perceive as suspicious.
Data Protection Policy
New hires have no idea how you want company data handled. Should everything be saved locally on their company-issued device? How do local backups work? Are services like DropBox ok to use? What about Google Drive?
Let them know if there are certain data types that are more heavily protected than others. Perhaps you use an encryption service for RFPs or contracts. If so, schedule training specific to these software applications for each new hire.
New hires are a little bit lost when they first step into your office. They don’t know who belongs and who doesn’t. They haven’t established habits when it comes to their devices. And they fumble around with their new keycard or the biometric scanning device that lets them in the door.
Work with your new hires on best practices for entering and exiting the building. Familiarize them with vendors and staff who are approved to be on site. Empower them to send unfamiliar faces through the receptionist (i.e., don’t hold the door for a stranger to follow you in).
Set a policy regarding unattended devices. Even with good keycard practices, someone who’s not supposed to be there could be wandering the office, looking for an open device or a phone to pocket and scan later for company data.
Create a clean desk policy. Passwords should not be on sticky notes! Visitors and vendors can pick up sensitive information when notepads are left open and critical paperwork is lying around. Teach everyone to clear the desk when they’re not sitting and use the shredder as needed.
Social Networking Policy
It’s likely that all of your employees are engaging with social media on some level. Set expectations with everyone about what company-related information is prohibited in posts or profiles of employees.
For new employees who will use social media accounts to market your company, set clear expectations around security best practices. Certain business information might sound great in a blog or social post, but it might be useful to hackers too.
Patch Your People
Even after new hire training is done, you will continually have to “patch” your employees’ knowledge gaps. As you make your new hire training plan, consider what training needs to be refreshed among your current staff. Make this the year of the secure workforce!
What does your new hire training plan look like? Do you need help developing or delivering meaningful training to your new hires or existing staff? Asylas would love to work with you to fulfill these needs. Contact us at firstname.lastname@example.org or 615-622-4591.