emPower

How to make your security awareness training work?

Why should you read this post? Everybody knows what information security awareness training is, and most organizations run it, yet uninformed employees remain a leading cause of security incidents.

Here is the breakdown of the most common security incidents experienced by US businesses in 2019 (the remaining 5% fall into other categories):

  • 38% – Phishing attacks
  • 32% – Network intrusion
  • 12% – Inadvertent disclosure
  • 8% – Stolen or lost devices
  • 5% – System misconfiguration

Unfortunately, employees remain the weakest link in the security chain. Why? Could the design of the training program itself be at fault?

In this post, we'll cover:

  • Why information security awareness is important
  • Topics you must cover in your training
  • How you can increase the effectiveness of your training

What is information security awareness training? 

The purpose of such training is to help employees understand the value of protecting the confidentiality, integrity, and availability of information: what the threats to it are, and how to reduce the risk those threats pose.

The purpose of your training should be – 

  • Developing a culture of security awareness across the organization.
  • Training employees to identify and respond to security threats.

Your training should introduce employees to the company's policies and procedures for using information technology, and share the best practices for avoiding cyber attacks and other security incidents.

You need a strong security awareness training program in place to avoid the kinds of incidents listed above. Without one, you cannot meaningfully reduce the risk of a data breach.

Moreover, regulations and standards such as HIPAA, PCI DSS, GLBA, and FISMA require a security awareness training program. NIST SP 800-53 (its Awareness and Training control family) and ISO/IEC 27002 call for a similar employee training program as well.

Why is information security awareness so important? 

As highlighted above, most security incidents are not the result of a technology weakness; uninformed and careless employees are considered the top cause. Of the 2019 incidents listed above, 38% resulted from a phishing attack and another 32% were network intrusions.

Moreover, criminals don't only use the Internet to steal your data; they may break into your office. Stealing laptops, mobile phones, and USB drives is another route, and so is going through your trash for sensitive documents.

A sound information security awareness training program can reduce such incidents. But first, you need to understand the risk that employees pose to information security.

For this reason, laws like HIPAA require you to conduct a risk assessment of your business. Get a copy of your organization's risk assessment report and identify the information security risks it lists. Your training program should be built on that information.

Topics you need to cover in your security awareness training

Your goal should be a training program customized to your audience. You can design it yourself or have a vendor develop it for you. Here is a list of the most common topics your training should cover –

  • How to use the Internet safely
  • Using strong passwords
  • Recognizing social engineering attacks
  • Protecting against malware
  • Using mobile devices for work
  • Secure use of email
  • Phishing and whaling (phishing aimed at executives)
  • Secure use of social media
  • Working outside the office
  • Physical security

Begin by exploring how your employees use technology. Employees who handle sensitive information, such as HR or finance staff, need different training from employees who do not. Learn about their Internet habits, how they share information, and how they use mobile devices for work.

You can get all this information from your organization's risk assessment. The effectiveness of your program depends on how closely it addresses the risks identified there. This may lead you to add topics such as identity theft, reporting breaches, and the rules for disclosing confidential information.

You also need to cover company policies and procedures for using information technology, and the training should tell employees how to report a security incident.

How to increase the effectiveness of your security awareness training?

By now you will have an outline of your security awareness training. But don't limit yourself to classroom sessions. Build in feedback mechanisms that tell you whether the training actually changed behavior. One such tool is phishing simulation.

Use Phishing simulation

Phishing simulation tools are a good measure of employee awareness. The simulator lets you send harmless, phishing-style emails to employees. Each email carries a tracking link that is unique to its recipient, so a click can be attributed to a person rather than just a mailbox. If an employee takes the bait and clicks the link, the tool records it and notifies your security team; most tools also record whether the employee went on to enter credentials on the decoy landing page.

Use phishing simulators to find employees who need retraining, and to measure the effectiveness of your training: compare click rates across campaigns, before and after a training cycle.
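The mechanics described above, as an added example that is not code from the original post or from any vendor's simulator: one unguessable tracking token per recipient, click and credential-submission attribution from the landing host's access log, and a per-department summary that can be compared across campaigns. Everything in it is hypothetical and constructed for the example: the campaign id, the secret, the landing host, the employee roster and the log lines.

```python
"""Minimal phishing-simulation tracker (added example, not a vendor tool).

Assumptions (all hypothetical): a campaign id, a per-campaign secret, a landing
host you control, and its access log in Combined Log Format.
"""
import hashlib
import hmac
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

CAMPAIGN_SECRET = b"hypothetical-secret-rotate-per-campaign"  # in practice: from a vault
LANDING_HOST = "https://awareness.example.com"                # hypothetical landing page

# Constructed sample roster (hypothetical people and departments).
EMPLOYEES = [
    {"email": "ana@example.com",  "dept": "Finance"},
    {"email": "ben@example.com",  "dept": "Finance"},
    {"email": "cara@example.com", "dept": "Engineering"},
    {"email": "dev@example.com",  "dept": "Engineering"},
    {"email": "eli@example.com",  "dept": "HR"},
]


def make_token(campaign_id: str, email: str) -> str:
    """Per-recipient token. An HMAC makes tokens unguessable, so a recipient
    cannot edit the link to frame a colleague or enumerate other tokens."""
    msg = f"{campaign_id}:{email}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def build_campaign(campaign_id: str, employees: list) -> tuple:
    """Return (token -> employee) for attribution and (email -> URL) for the mailer."""
    index, urls = {}, {}
    for emp in employees:
        tok = make_token(campaign_id, emp["email"])
        index[tok] = emp
        urls[emp["email"]] = f"{LANDING_HOST}/r?c={campaign_id}&t={tok}"
    return index, urls


# Combined Log Format prefix: client ident user [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def attribute_hits(log_lines, campaign_id: str, index: dict) -> tuple:
    """Map landing-host requests back to employees by token.

    GET  /r?c=..&t=..      -> the link was clicked
    POST /submit?c=..&t=.. -> the decoy credential form was submitted (worse)
    Requests with an unknown token are dropped: scanners, typos or forgeries
    must never be attributed to an employee.
    """
    clicks, submits = {}, set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlparse(m["target"])
        qs = parse_qs(target.query)
        if qs.get("c", [None])[0] != campaign_id:
            continue
        emp = index.get(qs.get("t", [None])[0])
        if emp is None:
            continue
        if target.path == "/r" and m["method"] == "GET":
            clicks.setdefault(emp["email"], m["ts"])   # keep the first click time
        elif target.path == "/submit" and m["method"] == "POST":
            submits.add(emp["email"])
    return clicks, submits


def report(employees, clicks, submits) -> dict:
    """Per-department sent/clicked/submitted counts, comparable across campaigns."""
    by_dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0})
    for emp in employees:
        row = by_dept[emp["dept"]]
        row["sent"] += 1
        row["clicked"] += int(emp["email"] in clicks)
        row["submitted"] += int(emp["email"] in submits)
    return dict(by_dept)


def constructed_log(urls: dict) -> list:
    """Constructed access-log lines, not real traffic: ben clicks, cara clicks
    and submits, one request carries a forged token, one is unrelated."""
    ben = urls["ben@example.com"][len(LANDING_HOST):]
    cara = urls["cara@example.com"][len(LANDING_HOST):]
    cara_submit = cara.replace("/r?", "/submit?")
    return [
        f'10.0.0.5 - - [01/Jan/2024:09:02:11 +0000] "GET {ben} HTTP/1.1" 200 512',
        f'10.0.0.9 - - [01/Jan/2024:09:05:40 +0000] "GET {cara} HTTP/1.1" 200 512',
        f'10.0.0.9 - - [01/Jan/2024:09:06:02 +0000] "POST {cara_submit} HTTP/1.1" 302 0',
        '10.0.0.9 - - [01/Jan/2024:09:06:03 +0000] "GET /r?c=2024-q1&t=deadbeefdeadbeef HTTP/1.1" 404 0',
        '10.0.0.2 - - [01/Jan/2024:09:07:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
    ]


def run_campaign(campaign_id: str = "2024-q1") -> tuple:
    """End to end: build links, replay the constructed log, return the summary,
    the employees who clicked (retraining list) and those who submitted."""
    index, urls = build_campaign(campaign_id, EMPLOYEES)
    clicks, submits = attribute_hits(constructed_log(urls), campaign_id, index)
    return report(EMPLOYEES, clicks, submits), sorted(clicks), sorted(submits)


if __name__ == "__main__":
    summary, retrain, submitted = run_campaign()
    for dept, row in summary.items():
        print(f"{dept:12} sent={row['sent']} clicked={row['clicked']} submitted={row['submitted']}")
    print("needs retraining:", retrain, "submitted credentials:", submitted)
```

Two caveats before you act on the numbers. Mail security gateways and link scanners often fetch every URL in an inbound message before the recipient ever sees it, so a bare GET on the tracking link is a weak signal; treat the credential submission as the reliable one and check timing and User-Agent before putting someone on the retraining list. And use the results for measurement and retraining, not discipline: a program that shames clickers teaches people to hide mistakes, which is the opposite of the reporting culture the training is meant to build.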

Now that your training program is ready, create a training schedule for all employees. Use the risk assessment document to decide which teams should be trained first; some teams will also need in-depth training.

Send a welcome mail to all employees

Send a welcome mail across your organization sharing the training schedule with everyone. 

Ensure that everyone attends. If someone misses a session, reschedule them immediately. Use every form of training available: interactive and video training can be very engaging, and seminars, gamified programs, and audio courses are also popular.

Tips for making your security training more effective

Here’s how to increase the effectiveness of your security awareness training – 

  • Do not limit your training program to a single classroom session. Conduct refresher training at regular intervals.
  • Use emails or a monthly security newsletter to share news of recent cyberattacks and how they could have been avoided.
  • Run simulated phishing tests and track the click rate over time.

According to industry reports, uninformed and careless employees account for most security incidents; in 2017, almost half of all security incidents were blamed on employees. That is a very high risk, and only a well-designed security awareness training program can reduce it.

Use NIST Standards

Check your training against the NIST guidance: NIST SP 800-50 describes how to build an awareness and training program, and the Awareness and Training (AT) controls in SP 800-53 list what such a program must include. Keep the focus of your training on material that employees can use; they should feel that it was designed for them. The training material should be based on observed threats and on the risk assessment of your information technology systems.

Train employees on phishing, social engineering, and malware. Encourage them to use strong passwords. Measure their understanding with pop quizzes and phishing tests, and conduct regular refresher sessions.

Ongoing training 

Security awareness training is an ongoing activity. Every time a security incident occurs, share what you can with the entire organization: what happened, why it happened, and how employees should respond in a similar situation.

Keep it simple

Keep your training simple. Tell employees about the threats they face, how to recognize them, and how to react to them. That's all.

What are your views about security awareness training? How would you design a security awareness program if you had the chance? Which topics and concepts would you include? Please share your opinion with our readers in the comments below.
