Security Awareness Training
What is Security Awareness Training?
Security Awareness Training (SAT) is a formal process for educating employees about ever-evolving cyber threats and their role in protecting their organizations. Security Awareness Training arms employees with tools and training that help them avoid cyberattacks aimed at computer users.
Employees learn the many and varied ways in which criminals will deliberately try to trick them into exposing an organization’s sensitive information, for example, through phishing emails. They become aware that everyone in the organization (not just IT security) needs to understand the risks and defensive strategies to help prevent data breaches.
Cyber Security Awareness Training also ensures employees are fully aware of the business consequences of failing to protect the organization from attackers. Such consequences range from criminal penalties to economic damage to the company.
Why is Security Awareness Training important?
With cyberattacks increasing exponentially each year, it is critical that companies ingrain a cyber-aware culture throughout their organizations. People, not technology, are key to providing an adequate level of security. That’s because hackers know that employees are the weakest link in information security and actively work to exploit them through phishing attacks and other means.
A robust and enterprise-wide awareness and training program will ensure employees understand their IT security responsibilities, organizational policies, and proper use of the IT resources entrusted to them.
What are the benefits of Cyber Security Awareness Training?
- Reduced chance of a data breach
- An extra layer of defense
- Incident response experience
- Employees become cyber aware
How did the COVID-19 pandemic reinforce the need for Security Awareness Training?
The COVID-19 pandemic in 2020 showed just how far cyber criminals will go to trick employees into giving them access to an organization’s confidential data. Amid the global pandemic, cybercriminals sent out scores of phishing emails with sensational subject lines aimed at getting victims to click before they think.
These included phony emails from leading U.S. and global health organizations purporting to give critical COVID-19 guidance, code embedded in phony websites offering medical help, and attempts to steal COVID-19 research. The FBI reported that complaints about Internet crime more than tripled.
In such a scenario, organizations must remain especially vigilant. They need to inform employees about the nature of these attacks, remind them of security policies and best practices and reinforce Cyber Security Awareness Training.
What are critical elements of effective Security Awareness Training?
The main goal of Security Awareness Training is to prevent loss of sensitive data and the costs that follow a cybersecurity breach. Effective online cybersecurity awareness programs should:
- Be Compliant with Laws and Regulations
Drafters of a security awareness program need to be familiar with the latest security training requirements applicable to their business.
- Be Sponsored by Senior Management
Even when security awareness is mandatory by law, it remains a core responsibility of top technology leaders who are accountable for its effectiveness. C-level executives need to be actively involved in reinforcing the importance of cyber security best practices. When senior leaders are engaged in awareness and training events and are familiar with the organization’s information security policies, that sends a positive message to everybody else.
- Provide a tailored message effective for different types of learners
Sometimes an organization should adopt a department-specific approach. In most situations, a mixture of baseline best practices and department-specific codes of conduct works best.
- Provide for phishing and social engineering campaigns
Internal phishing and social engineering exercises are good tools to test staff robustness against cybersecurity fraud and manipulation.
- Be engaging and entertaining
While it is a serious topic, training should spark interest and enthusiasm in employees. Good security awareness training uses storytelling techniques and scenarios that your users will face in their daily work lives. Animations, games and videos keep users tuned in, engaged and excited. All training should be brief but memorable.
- Diversify Content and Methods
Security awareness programs need to be as comprehensive as possible. There is no “one size fits all” security awareness program, and therefore employees should receive information through various awareness avenues: phishing simulations, newsfeeds, newsletters, blogs, games, etc.
- Be Reinforced
Most employees do not come across security risks daily, so they need a reminder of looming security threats from time to time. Competitive games and quizzes can be used to reinforce lessons and to test whether they have been retained.
- Be Monitored
Metrics must be in place to identify whether learning objectives are met or not, and whether the managerial staff needs to make any adjustments to the program.
What Are Different Ways to Communicate Security Awareness?
Companies should employ a blended solution of activities that promote security, establish accountability, and inform the organization of security news and updates. A Security Awareness Program should strive to continually push the Information Security message throughout the organization. Some methods include:
- Online Security Awareness Training
All employees must complete mandatory online training on a regular basis and show progress over time. Many vendors provide large libraries of Security Awareness Training in multiple formats.
- In-person presentations, training sessions, or workshops
Members of the information security team should present on select topics periodically; a minimum of 30 minutes each quarter is recommended.
- Emails, newsletters, or blogs
Run an email campaign in the form of one-page security bulletins, along with a security awareness blog. The recommendation is that these be updated every month.
- Print materials such as pictures or posters
Display security awareness content at eye level in areas where people gather (e.g. kitchen, entrances, exits). This should preferably be updated every month, or every quarter at a minimum.
- Formal or informal briefings
Periodically, the Information Security Team should provide short briefings about recent attacks, new vulnerabilities, and/or recent security trends.
- New employee onboarding package
Security training must be integrated into the onboarding package for every new employee, contractor and intern. Human Resources should ensure that each new hire completes the required training.
- Intranet communication
Articles that advance the Security Awareness Program's goals and objectives should be distributed to appropriate personnel.
- Computer banners or screensavers
Screensaver or banner messages should be employed to reinforce security awareness training messages. The Information Security Team should be responsible for periodically updating screensavers and banners.
How do I know if Security Awareness Training is working?
The first thing an organization should measure is its baseline. Simply put: how good or bad was the organization’s cybersecurity awareness before it started Security Awareness Training? Organizations must perform simulated social engineering attacks on their employees, solicit employee feedback, review incident and event logs, and draw a picture of the baseline exactly as it is.
This serves as the denominator. This is what the organization is going to measure against a year from now to see how far it has come. Make sure that the baseline includes:
- Results of simulated phishing assessments and social engineering assessments.
- Documented employee surveys and opinions on what they think about the existing security awareness training (if any) and, most importantly, how engaged they feel with it. Make sure you include employees from across the organization and from diverse departments.
- Number and types of key security incidents over the past year. This should include phishing incidents, lost or stolen devices, malware incidents arising from employee behavior, and pretty much any incident that can be directly attributed to human error or oversight.
To know if Security Awareness Training is working for you:
- The percentage of employees who are fooled by simulated phishing and social engineering attacks needs to go down from the baseline
- Employee opinions on what they think and feel about Security Awareness Training should go up from the baseline
- The number of key security incidents should go down from the baseline
- As the program continues over time, there should be a measurable decline in poor responses in test exercises and fewer violations of cyber security policies
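The comparison described above can be scripted once simulated-phishing results are recorded per recipient. The following is an added illustration, not code from the original page or any vendor product: it takes a baseline round and a later round of constructed sample records, computes the share of recipients who were fooled (clicked) per department and overall, and checks the page's success criterion that this share falls from the baseline. It goes slightly beyond the text by also tracking the share who reported the email, a companion measure of engagement; the record layout and department names are assumptions.

```python
"""Measure a security awareness program against its baseline (added example).

Each simulated phishing round is a list of per-recipient outcome records.
We compute, per department and overall, the fraction fooled (clicked) and
the fraction who reported the email, then compare a later round with the
baseline round.
"""
from collections import defaultdict

# Constructed sample data (hypothetical): one record per recipient of a
# simulated phishing email in the baseline round.
BASELINE_ROUND = [
    {"user": "u01", "dept": "finance", "clicked": True,  "reported": False},
    {"user": "u02", "dept": "finance", "clicked": True,  "reported": False},
    {"user": "u03", "dept": "finance", "clicked": False, "reported": True},
    {"user": "u04", "dept": "finance", "clicked": False, "reported": False},
    {"user": "u05", "dept": "eng",     "clicked": True,  "reported": False},
    {"user": "u06", "dept": "eng",     "clicked": False, "reported": True},
    {"user": "u07", "dept": "eng",     "clicked": False, "reported": True},
    {"user": "u08", "dept": "eng",     "clicked": False, "reported": False},
]

# The same recipients a year later, after training (constructed data).
FOLLOWUP_ROUND = [
    {"user": "u01", "dept": "finance", "clicked": True,  "reported": False},
    {"user": "u02", "dept": "finance", "clicked": False, "reported": True},
    {"user": "u03", "dept": "finance", "clicked": False, "reported": True},
    {"user": "u04", "dept": "finance", "clicked": False, "reported": True},
    {"user": "u05", "dept": "eng",     "clicked": False, "reported": True},
    {"user": "u06", "dept": "eng",     "clicked": False, "reported": True},
    {"user": "u07", "dept": "eng",     "clicked": False, "reported": True},
    {"user": "u08", "dept": "eng",     "clicked": False, "reported": False},
]


def round_metrics(records):
    """Return {group: (click_rate, report_rate)} as fractions.

    Groups are each department plus the synthetic key "all" for the whole
    organization.
    """
    counts = defaultdict(lambda: [0, 0, 0])  # [recipients, clicked, reported]
    for rec in records:
        for key in (rec["dept"], "all"):
            tally = counts[key]
            tally[0] += 1
            tally[1] += int(rec["clicked"])
            tally[2] += int(rec["reported"])
    # Every key present here has at least one recipient, so no zero division.
    return {k: (clicked / n, reported / n)
            for k, (n, clicked, reported) in counts.items()}


def compare_to_baseline(baseline, followup):
    """Per group: change in click and report rate (followup minus baseline),
    and whether the page's criterion is met (fraction fooled went down)."""
    base = round_metrics(baseline)
    now = round_metrics(followup)
    result = {}
    for group in sorted(set(base) | set(now)):
        b_click, b_report = base.get(group, (0.0, 0.0))
        n_click, n_report = now.get(group, (0.0, 0.0))
        result[group] = {
            "click_delta": round(n_click - b_click, 3),
            "report_delta": round(n_report - b_report, 3),
            "improved": n_click < b_click,
        }
    return result


if __name__ == "__main__":
    for group, m in compare_to_baseline(BASELINE_ROUND, FOLLOWUP_ROUND).items():
        print(f"{group:8} fooled {m['click_delta']:+.1%}  "
              f"reported {m['report_delta']:+.1%}  improved={m['improved']}")
```

Feeding real campaign exports into the same record shape lets the organization keep the baseline round as the fixed denominator and re-run the comparison after each training cycle; a department whose click rate does not fall is a candidate for the department-specific content the page recommends.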
How can I make the case to my boss for Security Awareness Training?
Focus on piercing the common myths about online security training:
- We’re safe. We have world-class technical defenses.
One in four data breaches is caused by human error. No technical defense can fix that.
- Once-a-year training is enough.
Only repeated training and testing will change risky online behaviors and harden resistance to social engineering attacks.
- Training programs lack the high-quality, up-to-date metrics we need to manage the business successfully.
Baseline metrics allow the organization to gauge improvement after each round of training and testing.
- We won’t be able to measure ROI.
ROI can be demonstrated in many ways, such as calculating the number of incidents avoided and dollars saved (average cost per record breached is about $225).
- Security Awareness Training is costly.
Training can cost as little as $2 per user per month, less than a cup of coffee.
How do I hire a good Security Awareness Training vendor?
Pick a vendor who understands that cyber security awareness needs to become a way of thinking. In the same way that employees think carefully before crossing the street, they need to think before they take actions online that could compromise the organization. Remember – that’s what you’re investing in.
A good online training vendor will have:
- A robust library of content with modules that are brief and focused on a single topic.
- Content that is engaging, entertaining, interactive and, of course, up to date with the latest threats.
- Diverse content for different kinds of learners, including animations, simulations and even games.
- A product that includes a mechanism to provide immediate feedback. For example, by providing game or quiz scores.
Is Security Awareness Training a requirement?
In some cases, several laws and regulations require that a formal information security awareness program be in place, for example:
Federal Information Security Management Act (FISMA): FISMA, 44 U.S.C. § 3544, requires “security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency,” including making sure users understand information security risks associated with their activities, their responsibilities in complying with agency policies, and procedures designed to reduce these risks.
Health Insurance Portability and Accountability Act (HIPAA): Among its training requirements, HIPAA Security Rule 45 CFR § 164.308(a)(5) defines as a standard to “implement a security awareness and training program for all members of its workforce (including management),” meaning that each new workforce member must receive security awareness training within a reasonable period of time after hiring, including periodic security updates, protection from malicious software, and password management.
Gramm–Leach–Bliley Act (GLBA): GLBA, also known as the Financial Services Modernization Act of 1999, includes three areas that are particularly key to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. Companies must make employees aware of the necessary steps to maintain the security, confidentiality, and integrity of customer information, including basic physical security of records, password protection, encryption and the reporting of suspicious activities.
Payment Card Industry Data Security Standard (PCI-DSS): This is a standard, not a law, that imposes compliance requirements on organizations that handle branded credit cards. There are 12 requirements and scores of sub-requirements. Requirement 12.6 requires the implementation of a formal security awareness program to educate all employees about the importance of cardholder data security.