6.3 Instructional Strategies
The strategy underlying this effort will be to train employees and volunteers on the job, as part of their daily activities. Our audience analysis has highlighted a lack of time for dedicated training. We also wish to keep the practice activities as close as possible to real-life situations, in order to maximize the efficiency of the training.
This training will be similar in principle to a vaccine. We will expose our audience to realistic phishing emails, which will give the learner immediate feedback about hazardous actions in case of mishap. Instead of making the organization vulnerable, these training scams will help to build its immunity.
We have identified a number of companies that advertise a service that sends innocuous phishing emails for training purposes. Horizon may choose to use one of these solutions off-the-shelf, to have one customized to better accommodate the requirements of the project, or to develop its own training phishing solution, depending on the budget available.
We also recommend a number of efforts beyond this training in order to trigger required changes in specific parts of the organization:
an update of internal policies on how to handle requests for sensitive information or payments received by email. Any such request made by email shall require a confirmation through a different channel, typically by phone.
an update of internal policies with regard to storage and copies of files and databases containing sensitive donor information. Access to personally identifiable information and payment details shall be restricted on a need-to-know basis and treated in the same manner as SECRET or TOP SECRET information in a military context.
These changes shall be reflected in existing training for affected employees.
Based on available research reported by Robert M. Gagné in The Conditions of Learning, we recommend inviting authority figures to share their experience with data breaches and their consequences. For example, an IT specialist from another NGO may be invited to speak about the procedures they put in place after a data breach.
Through these human models, members of the audience are expected to gain a deeper awareness of the issue and to become more likely to develop a positive attitude towards this effort.