For the past 15 years, American wireless network operator Verizon has reviewed the cybersecurity landscape. The 2022 Verizon Data Breach Investigations Report (DBIR) found that 82% of breaches involve a human element. The report concludes that “people continue to play a very large role in incidents and breaches alike.”
Cybercriminals want an easy way into a company network, and the easiest way is not to hack into a server but to trick an employee into opening the door.
Security awareness training is a measure to educate an employee not to open that door.
What is security awareness training?
Security awareness training educates employees and other business associates about cybersecurity attacks, poor security behavior, and how they could compromise an organization. In addition, the training focuses on how poor security behavior leads to data breaches, infection by malware, or other security issues.
Training modules typically consist of interactive videos, quizzes, and games. In addition, these training modules are often augmented with phishing simulation exercises.
If done well, security awareness training can help minimize cyber-attacks against a company. It also builds a ‘security-first’ attitude amongst the workforce that leads to a ‘culture of security’ where security is seen as an essential part of everyday working (and home) life.
Many companies offer security awareness training. Two of the most well-known are Proofpoint and KnowBe4. Many of these companies provide the training modules through a managed service provider (MSP) who can help design and deliver the training materials and phishing simulations.
Why carry out security awareness training?
Our employees, contractors, third-party vendors, and so on are targets of fraudsters and other cybercriminals. Every possible channel into an organization is an attack point, and the person at the end of that channel is the focus. Phishing is the most popular method to begin a cyber-attack. Phishing is used across multiple channels, including email, voice, and mobile messages. According to the Proofpoint “The Human Factor 2022” report, there are over 100,000 vishing (phone phishing) attempts per day. In addition, Proofpoint recorded 20 million monthly messages that contained a ransomware threat.
It is not just employees that are in the sights of cybercriminals. The broader supply chain is increasingly used to circumvent security by going after employees of vendors. The Proofpoint report found that 80% of businesses were attacked through a compromised supplier account.
A KnowBe4 report, “State of Privacy and Security Awareness,” shows that security awareness training works. For example, the report found that training employees at least once per month improved an employee’s understanding that if they click on a suspicious link or attachment, it may result in a cyber-attack.
How do you carry out security awareness training?
Security awareness training is a process. A security awareness program is usually designed by a specialist company, such as an MSP, working alongside an organization’s IT or security team. This collaboration is essential as different industries suffer from different cyber-attacks, so the educational material must reflect this. This tailoring of security awareness training also extends to the various roles in an organization. For example, Business Email Compromise (BEC), where a fraudster attempts to defraud an organization out of large sums of money, often involves targeted attacks against a CEO and folks in accounts payable.
There are, however, some key elements that lead to successful security training:
Plan out your areas of focus based on attack types and security behavior
Base your security training on the typical attack types that target your industry sector and specific roles in your organization. For example, staff who have privileged access are more likely to be targeted with spear-phishing emails.
Poor security behaviors such as password sharing should be included in the training. A recent Google survey into this behavior found that 62% of people reuse passwords, and 34% of employees share passwords with co-workers.
Make sure everyone understands why the security awareness training is important
The entire organization must understand why the training is being carried out to ensure it is successful. Everyone, from the board down, must be prepared to be part of the training program.
Fit the training to the role
Specific roles in an organization attract more cyber-attacks than others. In addition, certain roles are targeted for specific types of attacks, such as the BEC scams mentioned above. Proofpoint calls these types of employee roles a Very Attacked Person™, or VAP. A Proofpoint survey looking at VAPs found that R&D, engineering, and marketing/PR support faced the most significant overall risk from email-based malware and phishing attacks.
Use best-of-breed security awareness training
Choose a security awareness company that has a behavior-based approach to training. Make sure they provide training modules that can be configured to fit your organization’s needs. These training modules should use techniques such as gamification to engage employees with the training. The modules should also offer interventional education so that employees get immediate feedback on risky security behavior and on how to modify that behavior to prevent a cyber-attack or data exposure.
Provide tailored phishing simulations
Alongside traditional education methods such as interactive videos and quizzes, simulated phishing platforms should be used to teach employees how to spot phishing emails. These platforms typically have templates that allow your organization or MSP to create realistic-looking simulated phishing emails. These emails are then sent to staff to test their awareness of phishing and teach them how to respond if an actual phishing email is in their inbox.
Use metrics and reporting to optimize the security training
Metrics and reporting should be an integral part of the training package. Metrics can be used to adjust training modules individually and to help spot employees who are not engaging with the training effectively. In addition, advanced security awareness training systems will provide comprehensive but easy-to-digest reports that can demonstrate a Return on Investment (ROI) to justify the training to management.
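As an added example (not from the article or from any vendor platform), the script below works through the metrics the last two points describe: it takes constructed phishing-simulation results and computes per-campaign click and report rates, per-department click rates, repeat clickers who need individual follow-up, and users who never interact with a simulation at all. The campaign names, users and departments are made-up sample data.

```python
from collections import defaultdict

# Constructed sample results from two simulated phishing campaigns
# (hypothetical data, not exported from any real platform).
# Each record is (campaign, user, department, clicked, reported).
RESULTS = [
    ("2023-Q1", "alice", "finance", False, True),
    ("2023-Q1", "bob",   "finance", True,  False),
    ("2023-Q1", "carol", "rnd",     True,  False),
    ("2023-Q1", "dave",  "rnd",     False, False),
    ("2023-Q2", "alice", "finance", False, True),
    ("2023-Q2", "bob",   "finance", True,  False),
    ("2023-Q2", "carol", "rnd",     False, True),
    ("2023-Q2", "dave",  "rnd",     False, False),
]

def campaign_rates(results):
    """Per-campaign click rate and report rate: falling clicks and rising
    reports over successive campaigns is the trend used to show ROI."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for campaign, _user, _dept, clicked, reported in results:
        t = totals[campaign]
        t["sent"] += 1
        t["clicked"] += int(clicked)
        t["reported"] += int(reported)
    return {c: {"click_rate": t["clicked"] / t["sent"],
                "report_rate": t["reported"] / t["sent"]}
            for c, t in totals.items()}

def department_click_rate(results):
    """Click rate per department, used to tailor module content by role."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for _c, _u, dept, was_clicked, _r in results:
        sent[dept] += 1
        clicked[dept] += int(was_clicked)
    return {d: clicked[d] / sent[d] for d in sent}

def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for
    individual, interventional training rather than the generic module."""
    clicks = defaultdict(int)
    for _c, user, _d, clicked, _r in results:
        clicks[user] += int(clicked)
    return sorted(u for u, n in clicks.items() if n >= min_clicks)

def never_interacted(results):
    """Users who neither clicked nor reported in any campaign; they may be
    ignoring simulations entirely, which is a separate engagement problem."""
    touched = {u for _c, u, _d, clicked, reported in results if clicked or reported}
    return sorted({u for _c, u, _d, _cl, _r in results} - touched)
```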
Security awareness training is an important baseline measure to help minimize the impact of the large volume of employee-centered cyberattacks. This training also helps prevent employee mishaps that lead to data exposure or accidental, unauthorized access. As well as avoiding a cyber-attack, security awareness training also helps with compliance with several data protection and privacy regulations, including ISO 27001 and HIPAA.