In the 2018 “Security and Privacy Awareness Report”, 75% of respondents struggled to identify best practices related to cybersecurity and data privacy, with 14% of employees lacking the ability to correctly identify phishing emails. Even more so, in the 2019 “Beyond the Phish” report, 25% of employees struggled to identify phishing threats and protecting data throughout its lifecycle. One fourth of users may seem like a low number (that means 75% can identify phishing messages, right?), but unfortunately, it only takes one phishing email to compromise a system and if 1 out of every 4 users are clicking when they shouldn’t, that is a lot to worry about.
Cybercriminals continue to focus on people and build their attacks to take advantage of unaware and unprepared users. In fact, according to a recent CIO survey, 51% of cyberattacks happen due to a lack of security awareness.
Security awareness training is one of the most cost effective ways to strengthen your information security program, and clearly the need to improve awareness around information security and privacy still exists, but what is the best way to do this? How often should an organization deliver security awareness training? Should training be only recommended or should it be mandatory? And, is there such a thing as too much training?
When we discuss this with customers across the globe, the answer seems to vary. Most often, organizations are delivering security awareness training annually. For some, it is required. For others, training is offered on more of a voluntary basis. The key is to find the balance between making employees adequately cautious/skeptical without damaging their ability to effectively carry out job responsibilities or lowering employee morale. Effective training should focus on helping users identify risky situations and be hyper vigilant in their response.
One of the ways to do this is to make sure training is relevant for users in their daily operations. It should pertain to the technologies they are using and the threats they are likely to encounter. For example, in the higher education sector, more focus should be given to specific threats like student accounts, ACH payments, email compromise, etc. Teaching users about different attack methods and techniques that may be common in their environment can help them understand not only how threats work, but also how their behavior can help combat and prevent these attacks. The more relevant the training is to users in both their professional and personal lives, the better it will resonate and the more likely it will be retained.
It is also important to keep security awareness in front of users throughout the year. Individuals learn better with repetition, so although annual training is great for meeting specific compliance requirements, in reality, security awareness should be constant. Complement your annual online training with a defined schedule of shorter bursts of training (via various formats/media listed below) containing valuable information and fresh content. Users are more likely to remember what to do if they have recently been reminded what the correct action is. Many times those responsible for the awareness program are so familiar with the content that they worry that the information is either too much or will be considered overkill/not necessary. What they tend to forget is that most of the users that take the training aren’t reading about or reacting to security risks daily like they are, so these employees do need reminders regarding new security threats from time to time.
Establishing a schedule for educating your users will help your organization deliver a more consistent message and allows subsequent communications to build on previous ones. Develop a year-long calendar and break it down into quarters in which you are focusing on specific areas of your program. Building this ongoing culture of awareness will also help employees to understand why training is so important, and they will start to appreciate the new content and the education you are providing them, versus complaining about additional training hours. It is important to make training interactive and engaging, and you can even find ways to make training fun (yes, we said it).
Below are some suggestions to build into your current awareness programs:
Create a monthly newsletter that highlights new happenings, share recent stories, or focuses on a specific topic each month. Try to make these topics connect to real-life best practices that users can relate to. For example tips on using mobile devices securely, how to use a password manager, etc.
Have members from your information security team rotate and post monthly blogs on new or intriguing cybersecurity topics. The important thing here is to keep the content fresh so users want to continue to check in on your pages. Utilize social media like Facebook and Twitter to remind users of new or updated posts. You can also link to other articles or guidance documents from well-known sources or experts.
Hanging some visual reminders in high traffic areas can help reinforce key learning points. You could also potentially enlist the help of student groups to host a contest for poster design.
There are also various free training videos available that you can post on social media or share with your users to help keep the conversation going and convey information in a short time frame.
Host monthly meetings or “Lunch and Learn” sessions. Bring in a speaker from another department on campus (there are probably great faculty resources!) or invite a local expert. Don’t forget the donuts. People will come to almost anything for food!
One of the most innovative games we have run across lately was a Cybersecurity Escape Room developed by the University of Nebraska. People enjoyed participating in this educational game where key concepts were reinforced through the different puzzles and brain teasers. You could host a scavenger hunt, or a trivia night that pits different departments against each other. And be sure to check out the new CampusGuard Information Security Bingo game we created for National Cyber Security Awareness Month. If you would like the full game card set, contact your CRM.
Sending test phishing messages is a great way to measure program effectiveness and get users in the habit of carefully reviewing messages, reporting suspicious messages, etc.
Develop an incentive program that rewards people who participate in activities, do well, or who report potential phishing messages or security incidents. This can be either through public recognition, or by providing small gift cards, rewarding a department with pizza, etc.
Do you have other ideas or tools you have built into your current programs? Please share these with your dedicated CRM/SA Team and your organization may be highlighted in a future newsletter.
Security awareness training is important to help staff identify and respond accordingly to potential risks and threats. Building a well-established security awareness program does take work, but having this ongoing program in place will not only increase the number of threats that are prevented or mitigated before they cause any damage, but it will help to minimize damage that can occur following a data compromise or breach.
Additional guidance from our Customer Relationship Manager team below:
[Seguy]: “You ARE the weakest link!” Even with all of the technology that our customer’s IT departments work so diligently to install and maintain, there are none available that can stop a human from making a bad decision. The best you can do is to make educating your staff about on-going threats and risks to the organization a priority. Robust, annual training combined with recurring reminders keep this important topic in front of them and provides you with an avenue to keep the lines of communication open. This continued awareness and education will provide staff with the data they need to do exactly what we want them to do when potentially facing a breach – make the educated decision and avoid a mistake.
[Johnson]: Use compliance requirements (and fines) as validation to gain executive support for enforcing training requirements. Even if you can’t “require” users to complete training, perhaps you can gain management support for including training completion transcripts as part of annual performance metrics or within employee reviews. The security mentality of the executive level leaders does directly impact the security awareness of employees organization-wide. If leaders are not committed to improving security awareness, it will be difficult to implement and enforce policies around training.
It is important for senior level leaders to also participate in training exercises. Executives are often excluded from training requirements, but in reality, they have more authority, access to other key players, and access to the most sensitive data within an organization, so they are probably the ones that need training reinforced the most.