How Do I Create a Security Awareness Program – Employee Security Awareness Training

Reducing threats better than a firewall, intrusion detection system, or endpoint protection platform with Security Awareness Training

Why should Security Awareness Training be on your radar? Year after year, leading industry surveys continue to reveal that cybersecurity attacks are on the rise. And the latest 2018 Verizon Data Breach Investigations Report, which details more than 53,000 incidents and 2,216 confirmed data breaches, is no exception. Though enterprises are spending more than ever before on technological solutions, and though more robust software and more recent updates are available, criminals are continuing to breach our networks at an unprecedented rate. Why are attackers successful as often—or more often—than they were in the past, despite advances in security technology? 

According to Verizon’s research, the most common action taken in breaches was the use of stolen credentials. In another recent survey, 65 percent of organizations had been victims of a major security incident within the past year, and among these, more than half (52.9 percent) reported that their systems had been infected through a phishing or targeted email-based attack. Human error is what has allowed these attacks to succeed.

Security awareness training is a formal educational program designed to help employees be more mindful of information security best practices as they go about their daily activities. Its primary objective is to strengthen the overall security culture throughout the organization. 

Various types of security awareness training exist, from the “break room approach,” in which employees are gathered for lunch-and-learns or special meetings, to training conducted via videos or webinars, all the way through comprehensive programs that include practice with simulated phishing attacks and testing.

How Do I Train My Employees for Cybersecurity?

Numerous cybersecurity awareness programs are available today, but not all are equally effective. Many security leaders struggle to gain support for this training from upper management, and some have difficulty getting employees across the business to take all its aspects seriously. Training that’s poorly designed, that’s conducted too infrequently to be memorable, or that has become outdated (which can happen very quickly in today’s ever-changing cybersecurity landscape) won’t give the hoped-for results.

Look for a program designed to engage your users, to hold their interest, and to provide ongoing training, assessments, and refreshers to ensure that they retain what they’ve learned. Programs that deliver information in a wide variety of media types and formats (ranging from posters to video, webinars to email newsletters) will cater to a broad array of learning styles. Programs that include gamification build a sense of mastery and autonomy among users, improve their recall of information, and boost their willingness to participate. And programs that offer testing and assessments and display the results in a visually appealing dashboard make it easy to identify the individuals who pose the greatest risks.

Importance of Security Awareness Programs

Because the human tendency to make mistakes remains the same while cybersecurity technologies grow more sophisticated, cybercriminals are focusing increasing amounts of attention and effort on people instead of technical defenses. 

Email continues to be the most common attack vector. Despite this, an alarmingly high percentage of users in one recent international survey were unable to correctly define—let alone accurately identify—a phishing or ransomware attack. In this cultural climate, security awareness training has the potential to make an enormous difference.

No matter which technical cybersecurity solutions your organization has in place, implementing a security awareness training program can enhance their effectiveness. Because of this, security awareness training continues to be among the most cost effective ways to reduce the overall information security risks faced by your organization.

An effective security awareness training program will significantly decrease your chances of suffering a data breach, and thus of incurring resulting direct and indirect costs—for remediation and repair, revenue loss, reputation damage, and fines and penalties. Forrester Research estimates that a mid-size organization would experience a $124,219 risk-adjusted benefit value over the course of three years after implementing a highly effective security awareness training program.

The “soft” benefits that such organizations would experience are more difficult to quantify but no less important. These include an increase in employee motivation and ability to respond effectively to phishing attempts or other cyberthreats. Employees who are confident in their ability to identify risks are far more likely to participate in a “speak up” and “safety first” workplace culture, and less likely to ignore threats when busy or stressed.

Security Awareness Training Companies

Demand for cybersecurity awareness training is on the rise. Cybersecurity Ventures predicts that the market for security awareness training, which was roughly $1 billion per year in 2014, will increase to $10 billion annually by 2027. To help employers navigate this rapidly growing market, they’ve assembled a comprehensive directory of companies that offer products, services, and platforms within it.

With so many options to choose from, it can be challenging to determine which cybersecurity awareness training program will best meet your organization’s unique needs. Seek out a training provider with extensive experience, and choose one that knows your industry well—including its culture and history as well as the threat profile and compliance requirements you face.

Several organizations, including the SANS institute and the U.S. government , offer free resources that can help you evaluate vendors or lay the groundwork for your training program. Many reputable vendors also provide tools and resources that are free to the public.

A common method for delivering security awareness training is by showing PowerPoint slides on best practices to assembled employee groups. Though this is undoubtedly better than no training at all, such presentations, which security experts and weary employees alike dub “ death by PowerPoint ,” are among the least engaging ways to present this vitally important material.

In contrast, the most effective security awareness training programs for today’s complex and ever-changing threat landscape are those that engage your users’ attention and awareness by presenting highly relevant, personalized and individualized material in a variety of formats. 

Look for a program that includes:

• Baseline testing. It’s key to assess your users’ strengths and vulnerabilities before you begin training.
• A comprehensive training library. Interactive modules and games will challenge and engage your users. Automated reminders can provide an incentive for them to continue progressing through the program.
• Tests and simulations. These should be sophisticated and varied to mimic the real-world threats that users encounter daily.
• Clear and actionable reporting. Statistical reports allow you to see the results of your security awareness mitigation plan, and to modify it to maximize effectiveness.

If you create a security awareness program that employees find enjoyable and engaging, they’re far more likely to remember its lessons and apply them at the right times.

Include games among the educational materials and consider providing incentives or awarding prizes to employees who succeed in the training or are able to apply its lessons to real-world attacks.

It’s also important to customize your messaging for different employee groups. Senior executives may not need or benefit from the same training as IT staffers, and industrial equipment operators will have different needs still. If you can make the training relatable and relevant, employees are more likely to appreciate its value.

HR professionals have a vital role to play in protecting organizations’ information assets. Because HR traditionally oversees employee development and training, they’re in an excellent position to advocate that strong employee cybersecurity training programs be implemented throughout the entire organization. An effective HR department can go a long way towards developing a resilient cybersecurity culture across disparate departments and divisions. 

HR departments can also ensure that security awareness training be incorporated into employee on-boarding procedures.

It’s easy, straightforward, and the opposite of technically complex. But many employees forget that simply straightening up their desks can help protect the security and integrity of business data.

Though we often think of data security as an IT problem, sensitive information can also be found on printouts or paper forms. Be sure to file away all paperwork that needs to be saved, and shred paper documents before discarding them. Putting everything where it belongs is a habit that will keep all types of data safer. It also makes it easier to see if laptops, mobile devices or USB drives have been stolen or tampered with.

Finally, never store written down passwords on sticky notes to store on your desktop or attach to your computer monitor.

Conclusion