You read about new threats every day. New malware are being discovered, new exploits are being developed and your security is constantly under attack. Sometimes it does seem futile, but there is one key factor to consider if you are going to stay safe or not. That key factor is your users as they can be your best friend or your worst enemy from a security perspective.
As attacks become more and more advanced, your technical security solutions will not be able to keep up. Hackers are almost every time at least once and probably a few steps ahead of you, no matter how hard you try to stay current. So, by showing your users how to stay safe, you can probably shift the outcome of the battle a bit. This is because a lot of the attacks today involve user interaction, they need the user to do something. Whether it is clicking a link or plugging in a USB stick they found in the parking lot, their action might make all the difference. If your users see a stranger lurking around, do they care or not? Do they care if a person tailgates? Do they know not to assume that all emails come with good intentions? Do they pick up that USB stick and plug it in or not? Do they act without thinking because they trust all that security technology that you as the security administrator has implemented? If they do, then you have missed something, that being to train your users to remain vigilant.
It does not really matter what kind of company or organization you work for, security awareness training is important. The only problem is that most security awareness training I have witnessed is plain stupid and misleading, even trying to strike a bit of fear into users if they do something wrong. The last bit really annoyed me, as you need your users to trust you, not fear you. It is OK do do something wrong, but I want them to come forward with it. Then you have a chance to correct it, otherwise you are in the dark.
Security awareness training is something that I think should be taught live, not using elearning where users simply read a slide and answer a question, then another slide and another question. It does not provide the kind of feedback as a live meeting with an ongoing discussion can provide. Also, when listening to and interacting with a person one can really see users reactions to different statements and discussed topics. Provide examples and perhaps demonstrate a hacking tool or two just to let them see how it is done in the real world. In my opinion, nothing beats a live show, and I think we can all agree that security awareness is very much needed, so why not aim to make security awareness training an awesome event. I know I intend do.