Security Awareness Training

What is Security Awareness Training?

Security Awareness Training (SAT) is a formal process for educating employees about ever-evolving cyber threats and their role in protecting their organizations. Security Awareness Training arms employees with tools and training that help them avoid cyberattacks aimed at computer users.

Employees learn the many and varied ways in which criminals will deliberately try to trick them into exposing an organization’s sensitive information, for example, through phishing emails. They become aware that everyone in the organization (not just IT security) needs to understand the risks and defensive strategies to help prevent data breaches.

Cyber Security Awareness Training also ensures employees are fully aware of the business consequences of failing to protect the organization from attackers. Such consequences span from criminal penalties to economic damage to the company.

Why is Security Awareness Training important?

With cyberattacks increasing exponentially each year, it is critical that companies ingrain a cyber-aware culture throughout their organizations. People, not technology, are key to providing an adequate level of security. That’s because hackers know that employees are the weakest link in information security and actively work to exploit them through phishing attacks and other means.

A robust and enterprise-wide awareness and training program will ensure employees understand their IT security responsibilities, organizational policies, and proper use of the IT resources entrusted to them.

What are the benefits of Cyber Security Awareness Training?

Reduced Chance of Data Breach

Information is one of the most critical assets of any company. Hacktivists and cyber-criminals scour the Web in search of targets and vulnerabilities. Studies have shown that reducing vulnerabilities caused by human behavior significantly reduces the chances of a damaging breach.

Extra Layer of Defense

Some security incidents cannot be prevented or detected by technology. A simple example is social engineering. The art of manipulating people does not require the use of technology and may be applied over a telephone call to steal information (e.g. confidential data, passwords) or even on site by gaining physical access to restricted areas. Unfortunately, there are few, if any, technical controls that can be used to avoid this sort of attack, so the only feasible option is to make your users aware of the threats and how to deal with them.

Incident Response Experience

Periodic security awareness training helps develop the competencies and new techniques that are essential to protect against evolving security issues. An investment in Security Awareness Training helps protect corporate resources against new and emerging threats and also provides some level of maturity for incident response should a data breach occur. By adopting a Security Awareness Training Program, a company greatly strengthens its security posture.

Employees become cyber aware

When an enterprise's employees are cyber security aware it means they understand what cyber threats are, the potential impact a cyber-attack would have on the business, and the steps required to reduce risk and prevent cyber-crime from infiltrating their online workspace.

How did the COVID-19 pandemic reinforce the need for Security Awareness Training?

The COVID-19 pandemic in 2020 showed just how far cyber criminals will go to trick employees into giving them access to an organization’s confidential data. Amid the global pandemic, cybercriminals sent out scores of phishing emails with sensational subject lines aimed at getting victims to click before they think.

These included phony emails from leading U.S. and global health organizations purporting to give critical COVID-19 guidance, embedded code in phony websites offering medical help, and attempts to steal COVID-19 research. The FBI reported that complaints about Internet crime more than tripled.

In such a scenario, organizations must remain especially vigilant. They need to inform employees about the nature of these attacks, remind them of security policies and best practices and reinforce Cyber Security Awareness Training.

What are critical elements of effective Security Awareness Training?

The main goal of Security Awareness Training is to prevent loss of sensitive data and the costs that follow a cybersecurity breach. Effective online cybersecurity awareness programs should:

  • Be Compliant with Laws and Regulations
    Drafters of a security awareness program need to be familiar with the latest security training requirements applicable to their business.
  • Be Sponsored by Senior Management
    Even when security awareness is mandated by law, it remains a core responsibility of top technology leaders, who are accountable for its effectiveness. C-level executives need to be actively involved in reinforcing the importance of cyber security best practices. When senior leaders are engaged in awareness and training events and are familiar with the organization’s information security policies, that sends a positive message to everybody else.
  • Provide a tailored message effective for different types of learners
    Sometimes an organization should adopt a department-specific approach. In most situations, a mixture of baseline best practices and department-specific codes of conduct works best.
  • Provide for phishing and social engineering campaigns
    Internal phishing and social engineering exercises are good tools to test staff robustness against cybersecurity fraud and manipulation.
  • Be engaging and entertaining
    While it is a serious topic, training should spike interest and enthusiasm in employees. Good security awareness training uses storytelling techniques and scenarios that your users will face in their daily work lives. Animations, games and videos keep users tuned in, engaged and excited. All training should be brief but memorable.
  • Diversify Content and Methods
    Security awareness programs need to be as comprehensive as possible. There is no “one size fits all” security awareness program, and therefore employees should receive information through various awareness avenues: phishing simulations, newsfeeds, newsletters, blogs, games, etc.
  • Be Reinforced
    Most employees do not come across security risks daily, so they need a reminder of looming security threats from time to time. Competitive games and quizzes can be used to reinforce lessons and ensure retention.
  • Be Monitored
    Metrics must be in place to identify whether learning objectives are met or not, and whether the managerial staff needs to make any adjustments to the program.

What Are Different Ways to Communicate Security Awareness?

Companies should employ a blended solution of activities that promote security, establish accountability, and inform the organization of security news and updates. A Security Awareness Program should strive to continually push the Information Security message throughout the organization. Some methods include:

  • Online Security Awareness Training
    All employees must complete mandatory online training on a regular basis and show progress over time. Many vendors provide large libraries of Security Awareness Training in multiple formats.
  • In-person presentations, training sessions, or workshops
    Members of the information security team should present on select topics periodically. A minimum of 30 minutes each quarter is recommended.
  • Emails, newsletters, or blogs
    An email campaign in the form of one-page security bulletins, along with a security awareness blog. The recommendation is that these be updated every month.
  • Print materials such as pictures or posters
    Security awareness content displayed at eye level in areas where people gather (e.g. kitchen, entrances, exits). This should be updated every month, preferably, or every quarter at a minimum.
  • Formal or informal briefings
    Periodically, the Information Security Team should provide short briefings about recent attacks, new vulnerabilities, and/or recent security trends.
  • New employee onboard package
    Security training must be integrated into the onboarding package for every new employee, contractor, and intern. Human Resources should ensure that each new hire completes the required training.
  • Intranet communication
    Articles that advance the Security Awareness Program's goals and objectives should be distributed to appropriate personnel.
  • Computer banners or screensavers
    Screensaver or banner messages should be employed to reinforce security awareness training messages. The Information Security Team should be responsible for periodically updating screensavers and banners.

How do I know if Security Awareness Training is working?

The first thing an organization should measure is its baseline. Simply put, how good or bad was the organization's cybersecurity awareness before it started Security Awareness Training? Organizations must perform simulated social engineering attacks on their employees, solicit employee feedback, review incident/event logs, and draw the picture of their baseline exactly as it is.

This serves as the denominator. This is what the organization is going to measure against a year from now to see how far it has come. Make sure that the baseline includes:

  1. Results of simulated phishing assessments and social engineering assessments.
  2. Documented employee surveys and opinions on what they think about the existing security awareness training (if any) and, most importantly, how engaged they feel with it. Make sure you include employees from across the organization and from diverse departments.
  3. Number and types of key security incidents over the past year. This should include phishing incidents, lost or stolen devices, malware incidents arising from employee behavior, and pretty much any incident that can be directly attributed to human error or oversight.

To know if Security Awareness Training is working for you:

  • The percentage of employees who are fooled by simulated phishing and social engineering attacks needs to go down from the baseline
  • Employee opinions on what they think and feel about Security Awareness Training should go up from the baseline
  • The number of key security incidents should go down from the baseline
  • As the program continues over time, there should be a measurable decline in poor responses in test exercises and fewer violations of cyber security policies

How can I make the case to my boss for Security Awareness Training?

Focus on piercing many myths that exist about online security training:

Myth: We’re safe. We have world-class technical defenses.
Fact: One in four data breaches is caused by human error. No technical defense can fix that.

Myth: Once-a-year training is enough.
Fact: Only repeated training and testing will change risky online behaviors and harden resistance to social engineering attacks.

Myth: Training programs lack the high-quality, up-to-date metrics we need to manage the business successfully.
Fact: Baseline metrics allow the organization to gauge improvement after each round of training and testing.

Myth: We won’t be able to measure ROI.
Fact: ROI can be demonstrated in many ways, such as calculating the number of incidents avoided and dollars saved (average cost per record breached is about $225).

Myth: Security Awareness Training is costly.
Fact: Training can cost as little as $2 per user per month, less than a cup of coffee.

How do I hire a good Security Awareness Training vendor?

Pick a vendor who understands that cyber security awareness needs to become a way of thinking. In the same way that employees think carefully before crossing the street, they need to think before they take actions online that could compromise the organization. Remember – that’s what you’re investing in.

A good online training vendor will have:

  • A robust library of content with modules that are brief and focused on a single topic.
  • Content that is engaging, entertaining, interactive and, of course, up to date with the latest threats.
  • Diverse content for different kinds of learners, including animations, simulations and even games.
  • A product that includes a mechanism to provide immediate feedback. For example, by providing game or quiz scores.

Is Security Awareness Training a requirement?

In some cases, several laws and regulations require that a formal information security awareness program be in place, for example:

Federal Information Security Management Act (FISMA): FISMA, 44 U.S.C. § 3544, requires “security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency,” including making sure users understand the information security risks associated with their activities, their responsibilities in complying with agency policies, and the procedures designed to reduce these risks.

Health Insurance Portability and Accountability Act (HIPAA): Among its training requirements, HIPAA Security Rule 45 CFR § 164.308(a)(5) defines as a standard to “implement a security awareness and training program for all members of its workforce (including management),” meaning that each new workforce member must receive security awareness training within a reasonable period of time after hiring, including periodic security updates, protection from malicious software, and password management.

Gramm–Leach–Bliley Act (GLBA): GLBA, also known as the Financial Services Modernization Act of 1999, includes three areas that are particularly key to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. Companies must make employees aware of the necessary steps to maintain the security, confidentiality, and integrity of customer information, including basic physical security of records, password protection, encryption, and the reporting of suspicious activities.

Payment Card Industry Data Security Standard (PCI-DSS): This is a standard, not a law, that imposes compliance requirements on organizations that handle branded credit cards. There are 12 requirements and scores of sub-requirements. Requirement 12.6 requires the implementation of a formal security awareness program to educate all employees about the importance of cardholder data security.