With cyber threats targeting your employees now more than ever, businesses are turning to information security awareness training for added safety, but a lot of these programs aren’t up to scratch.
1 | What is information security awareness training?
“What is information security awareness training?” might sound like a simple question with a pretty straightforward answer, and that’s not too far from the truth. Yet many businesses fall into the category of not really understanding what info-sec awareness truly is.
The short version goes something like: “information security awareness training is a formal process for educating employees about computer security”. As a foundation, that isn’t a bad start. But a good awareness program has a few more layers to it.
The core of your awareness program should ultimately revolve around:
1 | Employee education on corporate policies and procedures around information technology;
2 | Raising awareness of how valuable an asset corporate data is and why it should be protected;
3 | Information on who should be contacted when discovering a security threat.
The reason more and more businesses are undertaking info-sec awareness training all boils down to the fact that educating your users helps lessen the chance of them being on the receiving end of a successful cyber attack.
2 | Why should your business care about security awareness?
Human error accounts for 2/3 of data breaches
Any business with employees has something to worry about when human error is high. In certain situations, human error is almost inevitable, especially for people in unorganised businesses with inadequate training.
Security awareness training offers your business one of the most basic ways of combating these user-focused threats. One of the main points of launching an awareness program is to ensure your employees understand that cyber criminals will deliberately attempt to steal or misuse your business’s systems and information. Therefore, they need to be aware of the risks and threats that will inevitably come their way.
It doesn’t stop there: employees need to be fully aware of the consequences of not protecting the organisation from outside attackers - and these aren’t just a slap on the wrist. Damage to operations, large penalties, and serious brand damage are just some of the repercussions.
Advancements in technology
Technology is constantly changing, and it doesn't seem to be stopping anytime soon. However, as they say, every coin has two sides. While technology has no doubt contributed to many great things, it has also led to a rise in cyber crime.
You could say most companies have become pretty reliant on technology. Of course, it makes employees' day-to-day tasks a little easier. However, criminals are taking advantage of the same technology. Data is not what it used to be: hard-copy information is increasingly less common, and pretty much everything is digital. Social media has also taken centre stage for cyber attacks, since personal information can be accessed very easily by anyone. Not only do social media sites give hackers access to personal information, some websites can reveal your location at any time.
With the major advancements in technology, the presence of cyber criminals and other cyber security threats is also on the rise. Fortunately, as technology has advanced, so has the ability to seek out cyber crime before it happens.
Cyber security and GDPR have become very important topics for any business. One of the major changes under the GDPR is the penalties that organisations will suffer as a result of not complying with the new regulations. The Information Commissioner’s Office (ICO) will have the power to fine businesses 20,000,000 euros or 4% of annual turnover (whichever is higher).
Employees will ultimately play a key part in determining which category you fall into: compliance or non-compliance.
In fact, the ICO’s recommended “12 GDPR steps to take now” puts employee awareness as step one. The right security awareness training program will ensure that your end-users are equipped with the knowledge of these changes, and how their handling of data will be affected - putting your business on the right side of the necessary procedures.
It could be more expensive not investing in training
If a data breach occurred in your business, you could lose a lot more than the time and money you spent on security awareness training. With any security breach there is a serious risk to a business's reputation. More than 22% of breached organisations lost a high percentage of their customers.
Companies assume that having the best security firewall and the latest technology is the best method of preventing cyber attacks. Yet no piece of technology is 100% secure. Remember, most cyber attacks target your employees, not the device itself. This is why security awareness training works best for your company. A good platform will educate end-users on common cyber security threats and how to prevent them.
Even after a data breach, a company will not be able to get back to normal for a while. Computer systems have to be cleaned, passwords have to be reset, and retaining customers is one of the hardest things for a company to do after a data breach has occurred.
91% of successful data breaches originate from phishing emails
Phishing is certainly not new; we have seen it grow into one of the most powerful types of cyber crime. Phishing is very popular with cyber criminals because it provides them with direct access to the most vulnerable party of any organisation: the end user.
Phishing no longer comes as a basic email; it takes many forms. Criminals are doing whatever they can to gain access to a business's data. While many phishing scams target email accounts, the phenomenon has now spread to social media sites and various applications. When conducting phishing attacks, scammers typically use social engineering techniques to impersonate an individual or company. The aim of these attacks is pretty obvious: to trick the victim into revealing private or sensitive information.
Phishing no longer just targets giant masses of people. Phishers have started to narrow their targets and go after higher-level employees such as CEOs and executives. The scammers are generally after one thing: money. Targeting higher-level employees means the phisher has direct access to money if the phishing attack is successful.
3 | How does security awareness control the threat?
Educates your end-users on cyber threats
Having a good security awareness program in place will improve employees' knowledge of general security threats and best security practices. Your employees will feel more confident and prepared in the event of a cyber attack.
Your employees are your last line of defence, and if they can’t save your business then nobody can. The targets are no longer devices; cyber criminals want data, and your employees are the ones who have constant access to it. Threats such as social engineering are on the rise and are almost undetectable; this is where security awareness can make the difference between your company becoming a victim of a data breach or not.
Having a program in place to measure the effectiveness of training is essential. Whether through a quiz or a report, it is necessary to determine weaknesses and strengths before and during the training.
Some security awareness programs will use this information to personalise the security awareness training to each individual end-user. Doing so will help every individual to work on their weakest areas and maintain their strongest. Remember, not everyone in your business will know and understand every aspect of phishing or social engineering. Over time you will see all your end-users making progress and a decrease in human error.
Security Awareness meets regulatory requirements
You may not be compliant with the law if you don't introduce security awareness training to your business. There are a few industries, such as financial, government and healthcare institutions, which are required by law to ensure their workforce has thorough cyber security training.
When GDPR came into effect it became compulsory for a much wider array of companies to invest in cyber security awareness training. If your company falls under GLBA, PCI, HIPAA or Sarbanes-Oxley, you will need some form of security awareness training in your business. End-user training should cover best security practices such as password security, two-factor authentication and BYOD. The platform should include a range of modules that cover the various types of cyber threats and how employees can combat these threats.
Improves company culture
When you offer training to employees they become more aware and vigilant, and security awareness training has been known to improve the culture in a business. The more confident employees feel about handling cyber crime, the less likely they are to cause an incident.
To reduce human error and have a safe and happy culture in your business, security awareness training is the solution. Training will teach employees how to protect themselves as individuals and the business as well. Regular training instils better habits. When something becomes a habit, people will continue to follow it, like second nature. Risk is a moving target in technology. Reinforcing the training with other materials such as posters, phishing simulations and guides helps to ensure your culture stays security-focused.
4 | Why should my company invest in security awareness training?
Cyber attacks are becoming very common
Your employees are the core of your business, so they will be the main target for cyber criminals. Making sure your end-users are up to scratch with their knowledge is key. Cyber crime isn’t going to come to a halt anytime soon; the threat landscape is constantly evolving.
You might be clued up on cyber crime and might be able to stop a data breach from occurring, but ask yourself this: would your staff know how to stop a phishing email? Or how to tell a fake website from a legitimate one? Something as simple as security awareness training could be enough to defend your company against some of the most common types of attacks levelled against businesses.
Everyone in your business is a target
No matter your company size or what type of employee you are, you are a target. Employees are by far the biggest reason why cyber threats enter business systems. A cyber criminal will target whoever they feel is necessary to get the information they need. They will use different methods of cyber crime and personalise them to increase the chances of success.
Take phishing, for example: there are more types of phishing than you could count on your hands. Phishing has become very sophisticated and almost undetectable, as criminals have found ways to make their emails as realistic as possible. Social engineering plays a key role in cyber crime; it's the art of manipulation and works in favour of criminals, who only have to research their victims and use this knowledge against them. Whether they impersonate a friend, a colleague or a boss, they are very difficult to spot because they seem so realistic.
Training is very affordable
You may not think it, but security awareness training is actually very affordable. A good security awareness program will offer you everything you need to keep your company secure. The training educates your end users on the most common security threats and how to prevent them.
Some companies offer phishing simulations as well, which are an added bonus for seeing whether the training is working. Phishing simulations test your employees on how they would respond to a real-life phishing attack. You can track which employees have clicked on the phishing email, who has given away their password and who has ignored the email. Security awareness training and phishing simulations go hand in hand. They really are a great way of keeping your employees and your business safe, and clued up on cyber crime.
BYOD can be very beneficial for a company and its employees. With more and more companies adopting bring-your-own-device technology and policies, there is an increased risk of BYOD cyber attacks.
With employees bringing their own devices into work, there's a lot less control over how the device is being used and whether it is secure. Another problem with BYOD is that you have no idea who actually has access to the device when it's not being used by your employee; this could pose a great risk to the business and could potentially lead to valuable data being lost or stolen. A good security awareness program will educate end-users on the risks of BYOD, how to mitigate those risks, and how to keep themselves and others safe in the workplace.
5 | How should your program be delivered?
How to deliver your program:
1) Involve everyone
It’s pretty easy for businesses to fall into the trap of only including certain departments they deem “more at risk”. But the simple fact is, everyone in your organisation is a target. From the CEO to entry-level employees, we all hold valuable corporate data, and with many phishing campaigns being sent en masse to random recipients, we’re all at risk of falling for the bait.
2) Cover the basics
It’s crazy to think that employees still use simple passwords, usually named after their first pet. It’s even crazier to think that people still write these passwords on post-it notes, then stick them in plain sight. Make sure to cover these kinds of basic mishaps in your program (and they don’t just happen with passwords: think emails, physical security and social media - to name a few!).
3) Make it relevant
There’s often an illusion that only the business’s back pocket will suffer as a result of a breach… but that’s far from the truth. Disciplinaries, job losses and job terminations are a common reality in the wake of a breach. Ensure that your users know their importance (and responsibilities) in keeping the business safe, especially when it comes to avoiding their company property or personal identity being stolen.
4) Don’t make it boring
Let’s be fair, it’s pretty damn hard to make cyber security awareness training “fun” for employees, but we can certainly make it a little less painstaking. Alongside your program, be sure to use other resources like contests, cyber security posters and even a newsletter.
5) Test the program’s effectiveness
Simulating an email phishing campaign on your users can be a great way of both determining how effective your training has been to date and raising awareness of how to spot a phishing attempt. The good news is that there are plenty of phishing tools offering a free test to help you get up and running with this one.
6) Don’t overdo it
The best advice we can give for helping your users avoid learning fatigue is to stick to a “little but often” approach. Information should be given to your users on a regular basis (for instance, once a month), but in bite-sized chunks. Not only is this proven to reduce your users' chance of getting fed up, it’s also a big boost for knowledge retention rates.
6 | What should your program include?
All businesses have different requirements when it comes to what should be included in their training content, but there are some topics that we recommend having in every program - regardless of size or sector.
1) Phishing / Email Security
With 91% of cyber attacks beginning with a phishing email, organisations certainly can’t afford to be neglecting the subject. How to spot the warning signs of a phishing email and how to report them are a good focal point, as well as why they should always be sceptical of clicking links and attachments in unsolicited emails.
2) Password Best Practices
Raise awareness not only of how to choose a complex password, but also of why strong passwords are important, how to use password management tools, and why and how to set up two-factor authentication.
3) Social Engineering
Too many end-users don’t know what social engineering is, let alone how to avoid it. Educate your employees on how these techniques work, how to spot them, and how they can ensure they’re less likely to be a successful target.
4) Physical Security
Physical security often stops at implementing access cards and identity badges for a lot of businesses. This is a great start, but employees themselves need to be educated on the importance of why they should always wear these, as well as why they should take good measures to secure their corporate devices.
5) Social Media
Quickly becoming a pet hate for IT departments: your employees and colleagues must be aware of how to safely use social media at work and at home, the risks of over-sharing, and the privacy and security settings offered by social media companies.
6) Mobile Security
Bring-your-own-device (BYOD) is a growing trend, so employees need to be educated on the risks associated with using these devices for work, the common threats they could face, and the appropriate procedures for handling cardholder data while using mobile systems.
7) Remote Working
Remote working is another growing trend, but accessing company data and systems whilst working away from your usual secure corporate network isn’t without its risks. Employees should be able to identify what these risks are, the technology and software needed to combat them, and how to handle corporate data in such scenarios.
8) Antivirus and Software Updates
Simple, but often inconvenient: employees need to understand why it’s vital in today’s cyber world to regularly update their devices. How to keep everything up to date, how to do this efficiently, and how to keep mobile devices just as updated as their computers should all be covered.
7 | How can I get my awareness program up and running?
Gain support from the C-suite
We know… we’re not exactly starting you off with an easy one here, but it’s not as bad as you might think. Gaining support from the senior team will give you plenty of future ROI as you venture towards executing your program. Ultimately, it will increase the level of freedom, company-wide support, and budget for your project.
It may sound like a difficult task, but there are certainly ways around these obstacles. For instance, clearly highlight the repercussions of not supporting your information security awareness training program - and there are plenty of those to choose from. After all, demonstrating your business’s efforts in security awareness is a must for GDPR compliance, not to mention a vital step for avoiding the financial and reputational disasters that arise in the wake of a breach!
Long story short - make life easier for yourself by educating your board before you educate your users.
Choosing the right vendor
The fact is, creating your own in-house security awareness training program is resource-intensive. These programs are far from a one-off job - they require consistent updates if they are to stay relevant with the latest list of cyber threats, otherwise, the efforts spent on training won’t be far from wasted.
Outsourcing security awareness training allows businesses to overcome these obstacles, whilst receiving access to progress reports and metrics (often with the added benefit of having all this data in one easy-to-access platform).
It’s worth pointing out that there are plenty of vendors out there offering free versions of security awareness training for your business to test out.
Get involved with other departments
“Cyber security? That’s a problem for the IT department”... For IT professionals, this statement is enough to make your stomach turn. Not only is cyber security not just a problem for the IT department, it’s undoubtedly the responsibility of all departments in your organisation to help build a security culture.
From finance and accounting to HR and marketing, gaining support is another key step to getting your program up and running. As covered in step one, already having the support of the C-suite can significantly boost this effort.
Some departments can even make security awareness efforts mandatory. For example, the legal and compliance departments carry a great deal of influence throughout the organisation and can make security awareness a required component of other processes, such as new hire indoctrination.