The objective of security awareness training is to educate an organization’s staff, whether they are employees, temps, or contractors, about how to safeguard themselves and their company’s resources from any form of damage or loss while performing their authorized duties online.
Usually, organizations have to provide security awareness training to their employees once or twice a year if they need to meet industry regulations or frameworks such as HIPAA, PCI, the Sarbanes-Oxley reporting requirements, NIST, or ISO.
Small and Medium Enterprises may not necessarily be mandated to provide training for their employees to prevent cyberheists via phishing attacks, account takeovers, or other common methods utilized by cybercriminals to steal company funds. Nevertheless, such training can prove advantageous to them.
Why Security Awareness Training?
To be aware, individuals must be able to confront reality as it exists. KnowBe4 serves to assist workers with facing the truth about the efforts of cybercriminals to deceive them. Once this truth is acknowledged, individuals can become cognizant and capable of identifying fraudulent emails and taking necessary actions such as deleting the email or refraining from clicking on any links.
Cybercrime is evolving rapidly: once largely confined to identity theft, it now covers network takeover, bank account hacking and large-scale theft, and all types of organizations are vulnerable. It’s important to establish a robust human firewall as a final form of defense against potential cyber-heists. Could your company be the next target?
How To Run A Successful Program For Your Employees
Critical Components of a Cyber Security Awareness Program
- Content – Content is king! As humans we all prefer different types and styles of content. Don’t approach content in your program as one size fits all. Match different content types to different roles in your organization.
- Executive Support & Planning – Materials that will help you continue to prove the value of the program to your executive team, and also to show auditors/regulators that you are doing the right thing.
- Campaign Support Materials – A successful program shouldn’t be ‘one and done’, treat it as a marketing endeavor. Once-a-year, ‘check the box’ training will not work toward changing user behavior. Continuously presenting the information in different ways, when it coincides with the context of their life, is what will influence their decisions and make it EASIER for users to make smarter choices.
- Testing – People need to be put in a situation where they will have to make a decision that will determine if the organization gets breached or not. Phishing simulations prompt employees to either click a link, report the phish, or do nothing. You want to give them an opportunity to report phishing attempts and help the organization increase resilience. If they do fall for the phish, you want the ability to do training then and there to create a learning moment. Doing nothing isn’t ideal as it leaves the potential threat out there and there’s an opportunity for others in the organization to click.
- Metrics & Reporting – You need to be able to show you are closing security gaps. Reporting is also useful for optimizing campaigns based on past results. You want to be able to see what is working well and what can be improved upon.
- Surveys/Assessments – These types of tools can help you understand the attitudes of your organization and how well your program is resonating with your people so you can adapt. Think of it as a pulse check of subtle nuances that are different than metrics/reporting such as opinions, frame of mind, etc.
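The Testing and Metrics &amp; Reporting components above describe measuring the three simulation outcomes (click, report, do nothing) and showing that gaps are closing between campaigns. The following is an added example, not code from the original article or from any vendor product; the sample records, department segments and the 10% click / 50% report targets are constructed assumptions.

```python
from collections import defaultdict

# Constructed results from two phishing simulations; one record per message sent.
# Outcomes match the three described above: clicked, reported, or no action ("none").
SAMPLE_RESULTS = [
    {"campaign": 1, "dept": "finance", "outcome": "clicked"},
    {"campaign": 1, "dept": "finance", "outcome": "clicked"},
    {"campaign": 1, "dept": "finance", "outcome": "reported"},
    {"campaign": 1, "dept": "finance", "outcome": "none"},
    {"campaign": 1, "dept": "engineering", "outcome": "clicked"},
    {"campaign": 1, "dept": "engineering", "outcome": "reported"},
    {"campaign": 1, "dept": "engineering", "outcome": "reported"},
    {"campaign": 1, "dept": "engineering", "outcome": "none"},
    {"campaign": 2, "dept": "finance", "outcome": "clicked"},
    {"campaign": 2, "dept": "finance", "outcome": "reported"},
    {"campaign": 2, "dept": "finance", "outcome": "reported"},
    {"campaign": 2, "dept": "finance", "outcome": "none"},
    {"campaign": 2, "dept": "engineering", "outcome": "reported"},
    {"campaign": 2, "dept": "engineering", "outcome": "reported"},
    {"campaign": 2, "dept": "engineering", "outcome": "reported"},
    {"campaign": 2, "dept": "engineering", "outcome": "none"},
]

OUTCOMES = ("clicked", "reported", "none")


def segment_metrics(results, campaign):
    """Per-department click, report and no-action rates for one campaign."""
    counts = defaultdict(lambda: dict.fromkeys(OUTCOMES, 0))
    for r in results:
        if r["campaign"] == campaign:
            counts[r["dept"]][r["outcome"]] += 1
    metrics = {}
    for dept, c in counts.items():
        sent = sum(c.values())
        metrics[dept] = {"sent": sent, **{f"{o}_rate": c[o] / sent for o in OUTCOMES}}
    return metrics


def gap_report(results, earlier, later, max_click=0.10, min_report=0.50):
    """Show whether each segment is closing its gap between two campaigns."""
    before, after = segment_metrics(results, earlier), segment_metrics(results, later)
    report = {}
    for dept, now in after.items():
        prev = before.get(dept, now)  # a segment new in the later campaign shows no change
        report[dept] = {
            "click_change": now["clicked_rate"] - prev["clicked_rate"],
            "report_change": now["reported_rate"] - prev["reported_rate"],
            # Still above the click target or below the report target: schedule more training.
            "needs_attention": now["clicked_rate"] > max_click or now["reported_rate"] < min_report,
        }
    return report
```

With the constructed data, both departments improve between the campaigns, but finance still clicks on 25% of simulated phishes and is flagged for follow-up training.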
A harsh reality to face is that your department’s cyber awareness program and content serve as the outward representation to your colleagues within the organization. This becomes even more vital in larger organizations where coworkers may be unfamiliar with you personally and rely solely on the output of your department. Therefore, your program and content must be of equal or superior quality to everything else being produced by the organization. Without this level of excellence, security will be viewed as an insignificant detail or a mere afterthought.
To fully understand user experience, we cannot limit our focus to a single moment of learning. Instead, we must take into account the larger context. One possible framework to do so is the 70:20:10 model for learning and development.
- 10% Formal – Structured learning, LMS courses, training days, etc. This is about the maximum amount of time you can allot per user for formal training. You need to be thinking about ways to address the other 90% of someone’s experience in the organization.
- 20% Informal – This would include asking others, collaborating, webinars, watching videos, reading, etc. Think about how to build an informal community for users to know where to go to get the information they need when they are actually seeking it out.
- 70% Experiential – On-the-job, social, in the workflow, corporate and departmental culture. From a security aspect, if we are ignoring that 70% social/cultural component, we’re putting ourselves at a disadvantage. Think about ways to address that entire 100%. Vendor support systems can help.
The five moments in which learning or performance support is needed:
- For the first time
- Wanting to learn more
- Trying to apply knowledge and/or remember
- When something goes wrong
- When something changes
Consider the possibility of learner profiles/segments.
Various departments have distinct types of information and cultures. To effectively measure them and provide training that suits their particular needs and learning styles, it’s critical to have robust methods of segregating your user population into different groups.
As per BJ Fogg, a behavioral researcher, it is essential to consider three fundamental aspects of human nature while designing products – our inclination towards idleness, socialization, and familiarity.
Developing competence proceeds through four stages.
- Lack of Awareness – Unconscious Incompetence or “I don’t know that I don’t know something.” They are blissfully unaware and their behavior will reflect that.
- Awareness – Conscious Incompetence or “I know that I don’t know something.” They now realize they don’t have all the knowledge and tools they need. We can hope that will move them to the next stage.
- Step-by-step – Conscious Competence or “I know something, but I have to think about it as I do it.” They either need to access stored information or really intentionally weigh all the options then come to the right conclusion.
- Skilled Stage – Unconscious Competence or “I know something so well that I don’t have to think about it.” This is where most of us are with pattern-based behaviors like driving, brushing our teeth, etc. At some point these things were difficult, and we can actually build up to this stage.
One issue is that conventional programs fall short by leaving workers stuck in stages 1 and 2. To counter this, create a program that guides them to stage 4, using ongoing education and practical exercises; that is what builds the kind of habits that can safeguard against a security breach.
Variety of Content
Beyond mere formal instruction
When considering cyber security awareness training material, conventional courses within an LMS are likely the initial thought. However, there are numerous alternatives including videos, games, blogs, webinars, posters, branded merchandise, self-generated material, newsletters, and email communications. All forms of delivery that communicate a message and prompt thought, interaction, or response are considered content.
Ensure that your content is both engaging and pertinent to your audience.
In terms of training, it is crucial that the content is engaging to the intended audience in order for it to be relevant and memorable. The key is to ensure that the training includes relatable stories, as the contextual information within a story is much more effective than dry written policies. As everyone learns differently and prefers different types of content, it is important to avoid a one-dimensional approach that will alienate a significant portion of the audience. The best approach is to tailor the content to the learner, rather than force them to learn in only one way.
Avoid simply increasing the amount of content without considering its value. Using a range of content formats will help the message to be better understood. Consistently repeating the same message is important for it to be retained but it is necessary to have a variety of content to support this. Merely presenting a course multiple times will not lead to significant results. If you are uncertain about how to proceed, there are numerous vendors who can offer advice and suggest best practices. Begin with this and modify your approach over time based on what is effective in your situation.
Top 10 security awareness training topics for your employees
When designing your best security awareness training program, it’s important to ensure that it covers the cyber threats that an organization is most likely to face. This article outlines the ten most important security awareness topics to be included in a security awareness program.
1. Email scams
Cybercriminals primarily employ phishing attacks to infiltrate an organization’s network. They capitalize on human behavior to deceive their intended victim with attractive incentives such as freebies, business prospects, or by creating an imminent need.
To ensure comprehensive security training in any organization, it is essential to incorporate education on phishing. This includes showcasing prevalent and pertinent phishing emails as well as providing suggestions on detecting potential attacks, such as:
- Do not trust unsolicited emails
- Do not send any funds to people who request them by email, especially not before checking with leadership
- Always filter spam
- Configure your email client properly
- Install antivirus and firewall programs and keep them up to date
- Do not click on unknown links in email messages
- Beware of email attachments. Verify any unsolicited attachments with the alleged sender (via phone or other medium) before opening them
- Remember that phishing attacks can occur over any medium (including email, SMS, enterprise collaboration platforms and so on)
2. Malware
Cybercriminals employ malware, meaning malicious software that can steal sensitive information such as user credentials or damage an organization’s systems; ransomware and wiper malware are examples of the latter. They deliver this software to organizations through various methods like phishing emails, drive-by downloads, and malicious removable media.
It is crucial to provide employees with security awareness training regarding malware that covers prevalent delivery methods, the threats involved and their potential impact on the organization. Significant pointers to take into account are:
- Be suspicious of files in emails, websites and other places
- Don’t install unauthorized software
- Keep antivirus running and up to date
- Contact IT/security team if you may have a malware infection
3. Password security
The most prevalent and effortless way of verifying one’s identity is through passwords. Typically, workers maintain many accounts on the internet where they log in with a username (sometimes their email address) and a password.
The inadequate protection of passwords poses a significant risk to contemporary business security. Key recommendations on password security that should be incorporated in instructional materials are:
- Always use a unique password for each online account
- Passwords should be randomly generated
- Passwords should contain a mix of letters, numbers and symbols
- Use a password manager to generate and store strong passwords for each account
- Use multi-factor authentication (MFA) when available to reduce the impact of a compromised password
4. Removable media
Cybercriminals find removable media, such as USBs and CDs, to be an advantageous instrument as it permits malware to circumvent an organization’s network-based security measures. These media can be used to install malware and set it up to run automatically through Autorun or with a name that entices employees to click on it. These malicious removable media can pilfer data, implant ransomware, or even damage the computer that hosts them.
Untrusted removable media, which may contain harmful content, can be disseminated by being left in public areas such as parking lots or given out at public conferences and events. It is crucial for employees to receive proper training on how to handle this type of media appropriately.
- Never plug untrusted removable media into a computer
- Bring all untrusted removable media to IT/security for scanning
- Disable autorun on all computers
5. Safe internet habits
Access to the internet is common among workers, particularly those in the tech industry. Thus, it is crucial for companies to prioritize the secure utilization of the internet.
To prevent attackers from infiltrating your corporate network, security training programs must integrate secure internet practices. Essential training content includes:
- The ability to recognize suspicious and spoofed domains (like yahooo.com instead of yahoo.com)
- The differences between HTTP and HTTPS and how to identify an insecure connection
- The dangers of downloading untrusted or suspicious software off the internet
- The risks of entering credentials or login information into untrusted or risky websites (including spoofed and phishing pages)
- Watering hole attacks, drive-by downloads and other threats of browsing suspicious sites
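The first item above asks users to recognise spoofed domains such as yahooo.com. The following is an added example, not code from the original article, of how a defender might automate the same check for mail filtering or for generating training material: it flags near-miss spellings, digit-for-letter swaps and a trusted name reused as a subdomain. The trusted-domain list, the character swap table, the edit-distance threshold of 2 and the simplified "last two labels" rule (no public-suffix list) are all assumptions.

```python
import unicodedata

# Constructed allowlist of domains the organisation trusts (example data).
TRUSTED_DOMAINS = ["yahoo.com", "example.com"]
# Common character swaps seen in lookalike names; constructed, not exhaustive.
SINGLE_CHAR_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def normalize(label: str) -> str:
    """Fold accents, digit-for-letter swaps and rn/vv tricks so variants collapse."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    return label.replace("rn", "m").replace("vv", "w").translate(SINGLE_CHAR_SWAPS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(hostname: str) -> str:
    """Last two labels. Simplification: no public-suffix list, so 'x.co.uk' is mishandled."""
    return ".".join(hostname.lower().strip(".").split(".")[-2:])


def classify(hostname: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return ('trusted', domain), ('lookalike', domain) or ('unrelated', None)."""
    host = hostname.lower().strip(".")
    base = registrable(host)
    if base in trusted:
        return ("trusted", base)
    # Trusted name used as a subdomain of some other registrable domain.
    for t in trusted:
        if host.startswith(t + "."):
            return ("lookalike", t)
    # Near-miss spelling of the registrable name after folding common swaps.
    best = None
    for t in trusted:
        d = edit_distance(normalize(base.split(".")[0]), normalize(t.split(".")[0]))
        if d <= max_distance and (best is None or d < best[1]):
            best = (t, d)
    return ("lookalike", best[0]) if best else ("unrelated", None)
```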
6. Social networking dangers
Social networking serves as a potent tool for enterprises to establish their brand and generate online sales, whether locally or globally. Regrettably, cybercriminals exploit social media platforms to launch attacks that can jeopardize an organization’s reputation and systems.
To ensure crucial data is not lost, it is essential for organizations to implement an effective social networking education plan that restricts the use of social media while also educating employees about the potential dangers associated with it.
- Phishing attacks can occur on social media as well as over email
- Cybercriminals impersonating trusted brands can steal data or push malware
- Information published on social media can be used to craft spearphishing emails
7. Physical security and environmental controls
It’s important for employees to be aware of security risks beyond those that exist in company technology. This includes physical risks in the workplace, such as:
- Visitors or new hires watching as employees type in passwords (known as “shoulder surfing”)
- Letting in visitors claiming to be inspectors, exterminators or other uncommon guests who might be looking to get into the system (called “impersonation”)
- Allowing someone to follow you through a door into a restricted area (called “tailgating”)
- Leaving passwords on pieces of paper on one’s desk
- Leaving one’s computer on and not password-protected when leaving work for the night
- Leaving an office-issued phone or device out in plain sight
- Physical security controls (doors, locks and so on) malfunctioning
8. Clean desk policy
Thieves can easily snatch sensitive information like sticky notes, papers, and printouts that are left on a desk, while snoops may catch a glimpse. To prevent this, a clean desk policy should restrict the visible information on a desk to what is strictly necessary. Prior to leaving the workspace, any confidential and sensitive information should be carefully stored.
9. Data management and privacy
A vast amount of valuable information is gathered, archived, and handled by the majority of establishments. This comprises client particulars, staff documentation, corporate methods, and other vital data that is crucial for running the organization. If any of this information is visible to the public eye or within reach of a rival or cybercriminal, the business could encounter severe regulatory sanctions, harm to consumer trust, and a disadvantage in the competition.
It’s crucial for workers affiliated with a company to receive education on adequately handling any confidential data pertinent to the business to maintain the security of both the data and the customers’ privacy. Significant elements that need to be incorporated into the training sessions are:
- The business’s data classification strategy and how to identify and protect data at each level
- Regulatory requirements that could impact an employee’s day-to-day operations
- Approved storage locations for sensitive data on the enterprise network
- Use a strong password and MFA for accounts with access to sensitive data
10. Bring-your-own-device (BYOD) policy
The use of personal devices in the workplace is allowed through BYOD policies, which can enhance productivity as employees can utilize the devices they are proficient in. However, this also poses security threats.
The following tips should be incorporated into employee security awareness training and BYOD policies:
- All devices used in the workplace should be secured with a strong password to protect against theft
- Enable full-disk encryption for BYOD devices
- Use a VPN on devices when working from untrusted Wi-Fi
- BYOD-approved devices should be running a company-approved antivirus
- Only download applications from major app stores or directly from the manufacturer’s website
Having a proficient workforce is essential for the prosperous functioning of any business. However, an untrained and careless staff can expose your enterprise to numerous cybersecurity risks. Hence, it is crucial for companies to implement a practical security training program that covers all the necessary protocols to avoid potential cyber threats.
In order to ensure the security of the organization, it is recommended that monthly training meetings be scheduled, reminders be sent often, new personnel be trained on new policies upon arrival, training material be made readily available, and creative incentives be implemented to recognize employees who take proactive actions towards security measures.