{"id":3077,"date":"2020-09-01T08:20:23","date_gmt":"2020-09-01T08:20:23","guid":{"rendered":"https:\/\/www.empowerelearning.com\/blog\/?p=3077"},"modified":"2021-05-21T04:46:13","modified_gmt":"2021-05-21T04:46:13","slug":"how-to-make-your-security-awareness-training-work","status":"publish","type":"post","link":"https:\/\/www.empowerelearning.com\/blog\/how-to-make-your-security-awareness-training-work\/","title":{"rendered":"How to make your security awareness training work?"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Why should you read this blog? Everybody knows what <a href=\"https:\/\/www.empowerelearning.com\/security-awareness-training\/\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>information security awareness training<\/strong><\/a> is. All organizations conduct such training, <\/span><i><span style=\"font-weight: 400;\">and yet uninformed employees remain the top cause of cyber security incidents.<\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">Here\u2019s the <\/span><a href=\"https:\/\/www.statista.com\/statistics\/293256\/cyber-crime-attacks-experienced-by-us-companies\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">breakdown<\/span><\/a><span style=\"font-weight: 400;\"> of the most common security incidents experienced by US businesses in 2019.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">38% &#8211; Phishing attacks<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">32% &#8211; Network intrusion<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">12% &#8211; Inadvertent disclosure<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">8% &#8211; Stolen\/lost devices<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">5% &#8211; System misconfiguration<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Unfortunately, employees remain the weakest link in our security infrastructure. Why? Could it be the design of our training programs?<\/span><\/p>\n<h2><b>How to make your security awareness training work?<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">In this blog, we\u2019ll share:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Why information security awareness is important<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Topics you must cover in your training<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">How you can increase the effectiveness of your training<\/span><\/li>\n<\/ul>\n<h3><b>What is information security awareness training?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The purpose of such training is to help employees understand the value of protecting the confidentiality, integrity, and availability of information. Its intended purpose is to help employees learn about security threats and how to mitigate the risks posed by those threats.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The purpose of your training should be &#8211;<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Developing a culture of security awareness across the organization.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Training employees to identify and respond to security threats.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The aim of your training should be to introduce your employees to company policies and procedures for using information technology. You also need to share the best practices for avoiding cyber attacks and other security incidents.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You need to have a strong security awareness training program in place to avoid such incidents. Without such a training program, you cannot reduce the risk of a data breach.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Moreover, laws such as HIPAA, PCI-DSS, GLBA, and FISMA require that you have a security awareness training program in place. Even compliance with NIST 800-53 and ISO\/IEC 27002 calls for a similar employee training program.<\/span><\/p>\n<h3><b>Why is information security awareness so important?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">As highlighted above, most security incidents aren\u2019t the result of technology weaknesses. Uninformed and careless employees are considered the top causes of such incidents. Nearly 38% of security incidents in 2019 resulted from a phishing attack. Similarly, 32% of incidents were network intrusions.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Moreover, criminals don\u2019t just use the Internet to steal your data; they may break into your office physically. Stealing laptops, mobile phones, and USB drives is another method criminals use. They may also <\/span><a href=\"https:\/\/www.today.com\/popculture\/identity-theft-your-trash-their-treasure-wbna27011491\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">go through your trash<\/span><\/a><span style=\"font-weight: 400;\"> to find sensitive information.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A sound information security awareness training program can help reduce such incidents. But first, you need to figure out the risk that employees pose to information security.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For this reason, laws like HIPAA require you to conduct a risk assessment of your business. Get a copy of your organization\u2019s risk assessment report, and figure out the existing information security risks for your organization. Your training program should be based on this information.<\/span><\/p>\n<h2><b>Topics you need to cover in your security awareness training<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Your goal should be to create training that\u2019s customized to your audience. You could design the training program yourself, or you can ask a vendor to develop the training for you. Here\u2019s a list of the most common topics that your training should cover &#8211;<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">How to use the Internet safely<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Using strong passwords<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Recognizing social engineering attacks<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Protecting against malware<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Using mobile devices for work<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Secure use of email<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Phishing and whaling<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Secure use of social media<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Working outside the office<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Physical security<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Begin by exploring how your company\u2019s employees use technology. Employees who handle sensitive information need different training than employees who work in HR. Learn about their Internet habits, how they share information, and how they use mobile devices for work.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You can get all this information by studying the risk assessment of your organization. The effectiveness of your program depends on how closely it addresses the risks identified in your risk assessment. This may lead you to add topics such as identity theft, reporting breaches, and disclosing secure information too.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You need to cover company policies and procedures for using information technology as well. The training should also inform employees about how they can report a security incident.<\/span><\/p>\n<h3><b>How to increase the effectiveness of your security awareness training?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">By now, you will have crafted an outline of your security awareness training. But don\u2019t limit yourself to classroom training programs. You should look into various feedback mechanisms. One such feedback tool is phishing simulation.<\/span><\/p>\n<h4><b>Use phishing simulation<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Phishing simulation tools are a good measure of employee awareness. The simulator lets you send fake phishing emails to employees. All emails have a fake phishing link. If an employee takes the bait and clicks the link, the tool informs your security team.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You can use phishing simulators to find employees who need retraining. And you can use the tool to measure the effectiveness of your security awareness training.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Now that your training program is ready, create a training schedule for all employees. Use the risk assessment document to plan which teams should be trained first. You may also need to conduct in-depth training for some teams. Keep this in mind.<\/span><\/p>\n<h4><b>Send a welcome mail to all employees<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Send a welcome mail across your organization sharing the training schedule with everyone.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Ensure that everyone attends the training. If someone fails to attend the training, you should reschedule them immediately. Use all possible forms of training \u2013 interactive and video training can be really engaging. Training seminars, gamified programs, and audio courses are also popular these days.<\/span><\/p>\n<h2><b>Tips for making your security training more effective<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Here\u2019s how to increase the effectiveness of your security awareness training &#8211;<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Do not limit your training program to a single classroom session. Conduct refresher training as regularly as you can.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Use emails or monthly security newsletters. Share news of recent cyberattacks, and how they could have been avoided.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Conduct simulated phishing tests.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">According to reports, uninformed and careless employees account for most security incidents. In 2017, almost <\/span><a href=\"https:\/\/www.techrepublic.com\/article\/almost-half-of-it-security-incidents-are-caused-by-company-employees-report-says\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">half of all security incidents<\/span><\/a><span style=\"font-weight: 400;\"> were blamed on employees. This is a very high-risk scenario. Only a well-designed security awareness training program can reduce such risk.<\/span><\/p>\n<h3><b>Use NIST standards<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Check if your training meets the NIST standards. Keep the focus of your training program on material that employees can use. They should feel that the training was designed for them. The training material should be based on observed threats and the risk assessment of your information technology systems.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Train employees on phishing, social engineering, and malware attacks. Encourage them to use strong passwords. Measure their understanding with pop quizzes and phishing tests. Conduct regular refresher training sessions.<\/span><\/p>\n<h3><b>Ongoing training<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Security awareness training is an ongoing activity. Every time a security incident occurs, you should share the information with the entire organization. Let employees know what happened, why it happened, and how they should respond in similar situations.<\/span><\/p>\n<h3><b>Keep it simple<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Keep your training simple. Tell employees about existing threats, how they can identify them, and how they should react to such threats. That\u2019s all.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">What are your views about security awareness training? How would you design a security awareness program, if you had a chance to do so? Which topics and concepts would you include in your training? Please share your opinion with our readers in the comments below.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why should you read this blog? Everybody knows what information security awareness training is. All organizations conduct such training and yet uninformed employees remain the top cause of cyber security incidents. Here\u2019s the breakdown of the most common security incidents experienced by US businesses in 2019. 38% &#8211; Phishing attacks 32% &#8211; Network intrusion 12% [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":3078,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,138,140,229],"tags":[46,51,213],"class_list":["post-3077","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education","category-elearning","category-empower","category-technology","tag-empower","tag-lms","tag-security-awareness-training"],"_links":{"self":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts\/3077","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/comments?post=3077"}],"version-history":[{"count":0,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts\/3077\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/media\/3078"}],"wp:attachment":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/media?parent=3077"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/categories?post=3077"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/tags?post=3077"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}