The speed at which the security landscape is evolving can make it challenging to keep up to date with the latest threats for those on the front line of a business' cyber defences. It is even more difficult for employees who aren't involved in cyber security to know what to look out for when it comes to ransomware, phishing and data breaches.
The four major cyber security concerns expressed by IT professionals in a recent survey are a breach of confidential data, with 68% highlighting it as a major concern, followed by phishing attacks (68%), CEO fraud attacks (68%) and ransomware attacks (62%).
All of these methods of attack can involve exploiting employees at a company, and therefore training is one way to reduce the risk of staff accidentally opening a malicious email attachment, or falling prey to a social engineering attempt.
What is security awareness training?
As the name suggests, security awareness training is educating staff about what potential cyber threats look like, so that they are able to avoid attacks.
It doesn't guarantee that an employee will never make a mistake, but by raising awareness of common and emerging ways that hackers can try and get information, it keeps cyber security at the forefront of their minds.
Security awareness training should focus on three primary strands: firstly, how IT and devices should be used in the business; secondly, what security threats look like; and thirdly, how to respond both to suspicious activity, and an actual cyber attack.
Most organisations should have corporate policies about how to use devices, whether those are business-issued or personal. Shadow IT - or unauthorised business devices and apps - is a security issue that can leave businesses vulnerable, so it is important to set out and regularly reinforce expectations for what devices staff can use, and any limitations on that, particularly when they're connected to a corporate network.
Keeping employees up-to-date with what security threats look like is another important aspect of security awareness training. This can be everything from the basics of what to look out for with a phishing email, to trends right at the cutting edge of the cyber security landscape.
Finally, it is crucial not to leave out what to do in the event of receiving a suspicious email, such as reporting procedures and who to turn to, as well as what to do in the event of a cyber attack. This can also be a good place to highlight the organisation's disaster recovery plan, to improve how the business will respond and ensure all employees are on board.
Pros and cons of security awareness training
With 56% of security professionals saying that employees are the number one cause of data breaches, there are numerous benefits to improving staff awareness of cyber threats.
Frequent security awareness training will help bake cyber security into an organisation's culture. Collective awareness is a powerful tool, and is particularly important for businesses with a high staff turnover.
If staff are being vigilant about the emails they receive, what passwords they set, and how they share information internally and externally, the risk of a silly mistake having devastating consequences for the business is greatly reduced.
One clear benefit of having regular training is increased compliance. Should a data breach happen, showing that you had adequate training in place and that it was enforced will be a key part of determining how much fault lies with the business.
However, there is always a risk that, as with too-frequent fire alarms, too much of an emphasis on security awareness training can make employees blas about potential threats.
Some forms of security awareness training can also be quite costly, especially hands-on and classroom-based training, which is often more effective than an online course or internal briefings. But the costs of implementing security awareness training should be balanced against the long-term financial and reputational cost of a successful cyber attack.
Security awareness training will also not help if an employee is intent on acting maliciously. It does, however, mean that they can't plead ignorance about policies and procedures if these are regularly highlighted in training.
How to implement security awareness training
A large part of security awareness training is highlighting bad habits that staff may be getting into, and raising awareness of the consequences. There are four main ways that security awareness training can be implemented to improve some of these simple vulnerabilities:
A classroom-style approach, where employees gather in an external or internal room for a dedicated training session. This can be delivered by a member of the IT or security team, or an external training company can be hired.
Best practices for implementing security awareness training
How to develop a security awareness programme that will actually change behaviour
An online course, which can be delivered to both new and existing employees on a regular basis. Online courses or training videos are often used for compliance training, fire safety and more, and can easily be used for security awareness as well. Although there is no guarantee of how engaged an employee is when doing online courses, they can be completed by new starters almost straight away, and quizzes can be used at the end to test understanding.
Internal tests are a method growing in popularity, where companies send simulated phishing attacks to their own employees. Security staff can then determine who falls prey to a phishing attack, and use that for further training if necessary. Bristol City Council recently sent a wave of spoof phishing attacks to their own colleagues, sending those who clicked on the link to a targeted training site.
Frequent reminders like posters which can be displayed prominently in an office alongside health and safety notices, or specific company emails, both of which can be used to cover subjects like what a suspicious email looks like, how to verify links, and the importance of a secure password.
The key with any form of awareness training is to keep it frequent. At the moment, just 11% of organisations continuously train employees on how to spot cyber attacks, according to global research from Vanson Bourne. 52% perform training just quarterly, or once a year.
But annual training means that a new member of staff could go for over 11 months without any form of security training, hugely increasing the risk of them accidentally clicking a malicious email, or worse.
The speed at which attacks evolve means that continuous training is the best way to keep employees up-to-date with what to look out for, as well as embedding cyber awareness into the company culture.
Who takes the initiative?
Security awareness training reduces the likelihood of employees falling victim to a cyberattack, yet which employee is responsible for organising the training? Such initiatives have been known to fall between the scope of several roles, with CIOs, IT managers, and even human resources known to pick up the mantle.
IT managers are understandably most enthusiastic about security awareness training, as they are well versed in cyber threats. They are burdened with at least a portion of responsibility in the event of a breach, and so typically are the people pushing for training to be deployed. But in most organisations they are overshadowed by a CIO who has one eye on a stretched IT budget.
Senior business managers may be resistant to training, since their employees' schedules would be disrupted. Though training does initially hamper productivity, in the long run eliminating security threats ensures a higher level of productivity. Needless to say, business managers usually play no more than a side-role in introducing training.
For security to be given the attention it deserves at employee-level, it must be managed by the board. In the present day, CIOs are frequently given a chair at the top table in order to keep C-suite members aware of security issues and compliance risks. By acting as a bridge between IT managers and those at the top, the CIO can ensure the board of directors takes security seriously, going a long way to bolstering the security training programme within an organisation.
In all, the CIO would typically be responsible for bringing a security awareness program to the board, but for it to be successful, all within the organisation must buy-in to the initiative.
