The World Economic Forum, in its latest report, “The Global Risks 2019”, puts cyber-attacks and data theft into the “higher than average likelihood” bracket for 2019.
Cybercriminals reach these record levels of data breaches and cyber-threats by focusing their attention on the manipulation of human behaviour. There is no longer any question about the part humans play as vectors in cybercrime; the internet has opened a Pandora’s box that serves cybercriminals in their malicious actions, with our employees used as pawns.
So how do we counter these threats? The 2019 Verizon Data Breach Investigations Report (DBIR) reached a poignant conclusion:
“The most important defence is knowledge.”
With this in mind, how do we train our employees to be security aware and to become our front-line defence against the spectre of cybercrime?
The Security Awareness Training Process
Security awareness training is not a one-off event or a product; it is a process. Security awareness grows out of a series of ideas, decisions, and preparations that together form a holistic security awareness training programme. Here we look at some of the fundamental areas that belong on your security awareness training checklist:
Identify your needs
This may seem obvious, but knowing what you need and want is the first step to making sure the programme is successful.
A good security awareness training package can be modified to reflect your company and industry needs. You may also need to adjust the programme for individual departments. For example, Business Email Compromise (BEC) is more likely to target people at C-level and those in the accounts payable department. Email phishing, on the other hand, is likely to affect everyone; therefore, a general package that trains employees to spot the signs of phishing, together with simulated phishing exercises, will be needed across the organisation.
Covering relevant topics
Topic choice is very important when building your security awareness campaign. Choices to consider include:
- Phishing – in all of its forms. Being able to spot the tell-tale signs of phishing scams is a key topic on the security awareness list. Phishing is still the number one way that malware ends up on a network. Training a diverse group of individuals across an organisation requires a diverse training package. Education works best when it is hands-on, so use a training package that offers “live through” moments: your employees can feel what it is really like to be on the receiving end of a phishing attempt. Taking them through the process for real will make the training more memorable and more successful. Don’t rely on non-interactive video training. Get your employees involved in the nitty-gritty of cybersecurity and what it feels like to be scammed.
- Security hygiene – employees should be taught about security hygiene. This should reflect your general security policy and will include areas such as password sharing and keeping a clean desk (e.g. not leaving sensitive information lying around).
- Being safe online – teach your staff about safe surfing. This typically includes: checking that a site is secure before entering login credentials or other data; disabling pop-ups; and being cautious about downloading apps.
Get company buy-in
Any relevant and engaging security awareness programme must have buy-in across your organisation. The tone for cybersecurity comes from the top. Begin by engaging your board with the general subject of cybersecurity and show them how security awareness training is a fundamental part of fighting cyber-threats.
Security awareness should be an integral part of your company security policy. When you get department level buy-in for security policy requirements, you can build in security awareness training acceptance too.
If possible, get your marketing and personnel departments involved in delivering the package, even if only to create internal communications around the security awareness training. Posters, email campaigns, newsletters, and similar channels can help make security awareness an everyday part of corporate life.
Mix it up
Make sure that the security awareness training package you choose has been designed to be interactive, fun, and engaging. Becoming security aware can be a very personal experience. Some people work best under exam-like conditions, others need simulated real-life situations, whilst others prefer a more game-like environment to learn in. An awareness programme that offers a diverse learning experience is likely to be more effective in a diverse workforce.
Rinse and repeat
Cybercriminals never rest on their laurels. Their techniques are always changing, and they up their game as needed. We have to do the same to keep on top of cyber-threats. Security awareness training is not a check-box exercise. It has to be an ongoing process: as new threats emerge, as new phishing campaigns target your industry sector, or as new internal processes come on board, you should refresh the awareness training programme. Training should be frequent and updated as required. Security awareness should become a mindset.
Get on Board the Security Awareness Train to Become Cyber-Safe
Employees are at the forefront of cyber-attacks for the simple reason that cybercriminals see them as low-hanging fruit. Security awareness training pulls the rug out from under the cybercriminal by ensuring our staff understand how attackers operate and the tricks they use. As Verizon noted, knowledge is the best form of defence; we can give our employees this knowledge using relevant, diverse, and interactive security training packages.
Want to learn more about empowering employees with security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.