Effective Cyber Security Awareness Training for Employees in 2020

Cybersecurity is no longer a technical problem. It’s a people problem. And ensuring that people have the know-how to defend themselves and their organization against threats is a critical component of a robust cybersecurity program. To do this, we need effective cyber security awareness training. The main goal is to prevent loss of sensitive data and the pain and cost that follow a cybersecurity breach caused by human error.

Most cyber security awareness training programs are not effective in impacting staff behavior or creating cultural change. Security awareness training is important, and we cannot give it lip service. We cannot throw a bunch of generic security stuff in a set of slides and check the box on the training requirements for the year. The real world does not work that way.

We must figure out an awareness program that works in our environment.

Key Elements of Security Awareness Training

It is critical to incorporate the following elements into your Security Awareness Training, whether developed internally or purchased from an outside provider such as ERMProtect:

  • Make messages relevant. Use the words and language from your environment. Consistent taxonomy is key. Make it relevant to the work at hand.  Talk about your own applications, data and systems with which your users are familiar.
  • Use examples. Use real-world examples. And by real-world examples, we mean examples of security threats faced by your own organization, with enough details that employees can recognize it is your organization. Make any examples as practical as you can. Avoid making things abstract to the extent possible.
  • Use common language. Your organization is not full of security geeks, so use language that your everyday user can understand. Eliminate, or at least minimize, the technical and security jargon. Use the type of language your people use in their everyday lives.
  • Present small messages. Human beings have limited attention spans, especially for new or unfamiliar material. Break your cyber awareness training program into manageable chunks – pieces that a user can easily get through and absorb in one sitting.
  • Use continued reinforcement. You need to reinforce messages through email, internal videos, staff meetings and any other media that works in your environment. Say the message. Repeat the message. Set the expectation that the elements of the awareness program will be updated and repeated on a regular basis.

Other Considerations for Effective Training

Beyond these critical elements, it is important to always keep in mind your primary goal:

Cyber awareness training is about educating and changing employee behavior enough that it increases your staff’s ability to consciously make more secure decisions in your environment.

That is much more easily said than done. Making the message relevant is key. You want employees to know enough that they can help protect what is important to the organization. To spark any form of interest, your content must be engaging. As humans, we are more inclined to remember stories that evoke images. Content that engages our emotions triggers our imagination and motivates us into action.

You also want training to be repetitive. This means setting up a curriculum that covers security threats via a regular cadence of current topics and trends.

A good way to get started is to evaluate the company's threat landscape to ensure your curriculum addresses those risks. Before training begins, be sure to establish a benchmark of your staff’s cybersecurity knowledge so you can measure improvement. This assessment can be anything from a company-wide cybersecurity survey to a simulated phishing test. Use the results to roll out a larger program that targets the problem areas the assessment identifies.

2020 Areas of Concern

In 2020, it is becoming more important than ever to educate and train end users on cybersecurity. Given what's happening with COVID-19, more and more people are working from home, making it more likely for cyberattacks to succeed. The trend toward flexible remote working is probably going to increase dramatically. This poses increased exposure to security breaches when employees are not properly educated on the risks of remote working.

Companies must focus on educating remote employees in safe working practices. The top 5 areas of concern include:

  • Personal devices – Many companies allow their employees to use their personal devices, which is a great cost-saving method and allows flexible working but poses significant risks. An employee who unwittingly downloads malicious applications onto a personal device can put the integrity of the company's network at risk if, for example, log-in details are compromised. Employees also need to be reminded that their devices should remain locked and that any loss of a device must be reported immediately to network providers so that they can stop anyone else from using it.
  • Public Wi-Fi – Employees who work on the move may need extra training to understand how to safely use public Wi-Fi services. Fake public Wi-Fi networks, often posing in coffee shops as free Wi-Fi, can leave end users vulnerable to entering information into non-secure public servers. Employees must be educated on the safe use of public Wi-Fi or required to avoid it altogether. They should also learn the common signs of a potential Wi-Fi scam.
  • Phishing – Although companies are increasingly aware of phishing, it is still a growing threat in 2020, in part due to lack of awareness on the employee level. Teaching employees to recognize phishing emails and social engineering attacks is fundamental to any cyber security awareness training program. It’s also important to stress the impact employee actions may have on the organization. By training your end users to recognize potentially harmful emails and report suspicious ones, this threat can be dramatically reduced. The goal is to repeat the message over and over until it resonates with employees.
  • Social Engineering – Social engineering is a common technique malicious actors use to gain the trust of employees, offering valuable lures or using impersonation to gain access to valuable personal information. Employees need to be educated about the most common social engineering techniques and the psychology behind them so they can combat these threats. For example, we all share large parts of our lives on social media, from holidays to events and work. But oversharing can lead to sensitive information being available, making it easy for a malicious actor to pose as a trusted source. Increasing employee awareness about impersonation threats can reduce the risk of social engineering.
  • Removable Media – Removable media is portable storage that lets users copy data onto a device, carry it to another machine and copy it off again, and vice versa. This includes USB sticks, SD cards, CDs – even smartphones. Employees need to know how to use these devices safely and responsibly in your business. They also need to be trained that these devices can be loaded with malware, so they should never plug ones from unknown sources into their devices.

Companies that educate their end users about all of the above dangers can easily reduce the risk of cyber-attacks.

By promoting a culture of awareness in your business through regular security awareness training, you can keep your employees up to date with the information they need to keep their personal and business data secure.
