Despite all the security hardware and software used in your organization, one of the most important factors in data security is human behavior. Uninformed users can jeopardize an entire system, oftentimes unintentionally, simply by clicking on a misleading link or downloading a malicious file. In the following Q&A, we discuss the need for security awareness training, identify some key items to include within it, and suggest methods to highlight data security awareness between training sessions.
What is security awareness?
Security awareness is a combination of the knowledge employees have and the steps they take to protect your organization’s computer equipment and the information on it.
Why is security awareness training critical?
Security awareness training is necessary to help users identify threats to information security and take proper action in response. All users need to know how to protect against threats and stay up to date on the latest types of attacks.
Attackers tend to go after the easiest targets. If breaking into your systems would cost them more time and effort than they are willing to spend, many will move on to a softer target. Staff training is a key part of making things difficult for them, and of protecting your organization by not being the low-hanging fruit.
Who should take security awareness training?
Every user in the organization should take security awareness training, regardless of experience or role. The internet and information technology change constantly, and threats grow and evolve every day. This makes up-to-date training critical for everyone who has access to the organization's systems and data, including contractors and temporary staff.
What are the recommended methods for training?
Methods for training security awareness include classroom-based, web-based, exam/certification-based, or a combination of the three. No method is inherently better than another — what’s most important is that your training is well designed and engaging to users.
What should security awareness training include?
Training should provide a full understanding of why security awareness training exists, specific types of threats to watch out for, and what to do when encountering suspicious activity.
While each organization has unique training needs, most security awareness training covers some or all of these common areas:
- Physical security of computers and peripheral devices
- Password hygiene, including the dangers of weak or reused passwords and of sharing passwords
- Phishing attacks, social engineering, and how to recognize and report suspected malware
- Attaching unmanaged or unprotected devices to the network (a device can pick up an infection while away from the organization's network and spread it to other devices when it reconnects)
- What to do when an incident is suspected, including whom to notify and how to limit the damage from cyberthreats
- Mobile device security including phones
- Wireless security
While this list may seem overwhelming to your training department, the good news is it’s not necessary to start from scratch. To keep costs reasonable, there’s plenty of information available in preexisting training programs that can be tailored to your organization’s needs.
How often should security awareness training be conducted?
Formal security awareness training should be part of every new employee’s orientation and then supplemented with ongoing refresher training to address new threats and keep security awareness front of mind in the organization. We recommend doing refresher training as needed, but at least annually.
Is there anything the organization should do between formal training sessions?
Yes. Between training sessions, we recommend you periodically update staff on emerging trends and best practices and what steps to take if they identify a threat. These reminders can be sent through emails, blogs, newsfeeds, or even via posters around the office.
We also recommend ongoing "real-world" testing of security awareness through simulated threats (for example, mock phishing emails) sent to users, with the goal of measuring how they respond: how many click, how many report the message, and how quickly the first report reaches the people who would handle a real incident. This keeps staff alert to threats and shows whether your security awareness program is working as it should.
What happens if someone makes a mistake?
Even with good training, refresher courses, and regular testing, mistakes can still happen. When they do, IT and the training department should work together to figure out what happened, why, and what needs to be done to prevent a recurrence. Remedies include one-on-one coaching with IT, targeted awareness campaigns, gamification or incentives, and getting management to provide the resources and support needed.
After all is said and done, it's important that employees never feel so intimidated that they are afraid to report a mistake for fear of getting in trouble. If someone mistakenly clicks the wrong link or downloads a bad document, you want them to report it right away so the experts can respond quickly; an early report is what turns a mistake into a contained incident. Always remember the goal is to get staff on board with the organization's cybersecurity program.
It’s also good practice to encourage good behavior by providing incentives. Did a staff member perform exceptionally well during a training or testing exercise? Did he or she follow proper procedures by not clicking on certain links or by reporting suspicious activity? Perhaps a gift card or prize of some sort is in order.
Companies can develop games or reward programs to encourage key behaviors such as identifying and reporting phishing emails, preventing tailgating (when someone tries to follow another person through a secured door without authorization), or reporting suspicious activity. Staff earn points for performing these behaviors, work their way up through status levels or badges, and can redeem the points for prizes like gift cards or company swag. Staff may be enticed to participate as a friendly competition with their colleagues, especially if the points and status levels are publicized for all to see. Rewarding good behavior improves morale and helps spread security awareness through word of mouth.
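As an added example, not part of the original Q&A, the Python script below scores the kind of simulated-phishing exercise described under "Is there anything the organization should do between formal training sessions?" and feeds the result into a points-based reward scheme like the one just described. The event log, the event names and the point values are all constructed for illustration; a real simulation platform exports its own event format, and you would read that instead of the inline list. The script classifies each recipient into a single outcome, computes the campaign-level click, report and compromise rates plus the time to the first report, and awards points so that a user who clicked but also reported still scores, in line with the advice that reporting a mistake must never be discouraged.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample event log for one simulated-phishing campaign (not real
# data). Each tuple is (ISO-8601 timestamp, user, event). The event names are
# assumptions for this example; a real simulation platform exports its own.
SAMPLE_EVENTS = [
    ("2024-03-04T09:01:00", "alice", "delivered"),
    ("2024-03-04T09:03:12", "alice", "reported"),
    ("2024-03-04T09:01:00", "bob", "delivered"),
    ("2024-03-04T09:05:40", "bob", "clicked"),
    ("2024-03-04T09:06:10", "bob", "submitted_credentials"),
    ("2024-03-04T09:01:00", "carol", "delivered"),
    ("2024-03-04T09:04:00", "carol", "clicked"),
    ("2024-03-04T09:09:30", "carol", "reported"),
    ("2024-03-04T09:01:00", "dave", "delivered"),
]

# Assumed scoring scheme. A report that comes alongside a click still earns
# points: the report is what lets responders contain the damage, so the
# programme rewards it rather than punishing the click.
POINTS = {
    "reported": 10,
    "clicked_and_reported": 5,
    "ignored": 0,
    "clicked": 0,
    "compromised": 0,
}


def _by_user(events):
    """Group (timestamp, event) pairs per user, ordered by timestamp."""
    grouped = defaultdict(list)
    for ts, user, event in events:
        grouped[user].append((datetime.fromisoformat(ts), event))
    for user_events in grouped.values():
        user_events.sort()
    return grouped


def classify(events):
    """Map each recipient of the lure to exactly one outcome.

    Precedence: submitting credentials is always 'compromised'; a user who
    both clicked and reported (in either order) is kept distinct from a bare
    click so the report can be rewarded and the user coached, not blamed.
    """
    outcomes = {}
    for user, user_events in _by_user(events).items():
        kinds = {event for _, event in user_events}
        if "submitted_credentials" in kinds:
            outcomes[user] = "compromised"
        elif "clicked" in kinds and "reported" in kinds:
            outcomes[user] = "clicked_and_reported"
        elif "clicked" in kinds:
            outcomes[user] = "clicked"
        elif "reported" in kinds:
            outcomes[user] = "reported"
        else:
            outcomes[user] = "ignored"
    return outcomes


def campaign_metrics(events):
    """Programme-level figures: click, report and compromise rates, and how
    long responders would have waited for the first report (in seconds)."""
    grouped = _by_user(events)

    def users_with(event):
        return sum(1 for ue in grouped.values() if any(e == event for _, e in ue))

    delivered = users_with("delivered")
    if delivered == 0:
        raise ValueError("no delivered events in log")
    delivered_at = min(ts for ue in grouped.values() for ts, e in ue if e == "delivered")
    report_times = [ts for ue in grouped.values() for ts, e in ue if e == "reported"]
    first_report = (
        int((min(report_times) - delivered_at).total_seconds()) if report_times else None
    )
    return {
        "delivered": delivered,
        "click_rate": users_with("clicked") / delivered,
        "report_rate": users_with("reported") / delivered,
        "compromise_rate": users_with("submitted_credentials") / delivered,
        "seconds_to_first_report": first_report,
    }


def award_points(outcomes):
    """Translate per-user outcomes into reward points for the recognition programme."""
    return {user: POINTS[outcome] for user, outcome in outcomes.items()}


if __name__ == "__main__":
    outcomes = classify(SAMPLE_EVENTS)
    points = award_points(outcomes)
    for user in sorted(outcomes):
        print(f"{user:8} {outcomes[user]:22} {points[user]:3} pts")
    print(campaign_metrics(SAMPLE_EVENTS))
```

The metric to watch over successive campaigns is not only the click rate but the report rate and the time to first report: a campaign where half the recipients click but the first report lands within minutes leaves the responders far better placed than one with a lower click rate and no reports at all.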
In summary
Your organization's IT security is only as strong as its weakest link, and that link is usually its people. The strongest firewalls and security products are no substitute for regularly trained and well-informed staff.