Cybersecurity isn’t just about technology, it’s also about people, and strengthening the people side of the cyber equation means building a culture of security awareness. That’s why more and more organisations are turning to security awareness programmes.
The name says it all. The goal is to raise understanding of security risks across the organisation, ensure people are clear on company security policies, and equip employees with native awareness of what breaches and attempted breaches look like when they land.
An effective security awareness program is a way to ensure that everyone at your organisation has an appropriate level of know-how about security – and takes on a level of personal responsibility. Here’s what they look like in practice.
Security awareness is fundamental to security posture
When developing a company security posture the first line of defence should be your workforce, maximising people’s risk awareness and building self-awareness about what they need to do every day to avoid being a weak link.
After people comes detection – which also depends on people, working in alignment with the IT systems designed to flag up an attempted breach. Controls are the third line of defence, defining how well you’ve embedded security best practice into working processes and procedures.
In order to strengthen all three pillars, security awareness programs need to emphasise training and exercises that reinforce the idea of cyber security as a collective responsibility – not just something handled by IT.
How are security awareness programmes structured?
Every organisation has a different threat profile but there are common risk categories you can use as a foundation for planning:
Everyone in the business should learn how to spot phishing attempts and the dangers of clicking links or opening attachments from email senders they don’t recognise. Remember that email isn’t the only mode of attack. Simulations need to be run across all the relevant threat vectors, so using SMS, social media, and even voice – as some attempts at phishing and social engineering happen by phone.
Employees need to understand the main types of malware, what they are capable of, and common signs that a file, device or application may be infected. Users should learn how to spot malware and be clear on what to do if they suspect a device has been infected.
Awareness of the importance of strong passwords is growing and prompting employees to change their passwords on a regular basis is embedded practice in most organisations, but training on password security remains important. Passwords are the basis for access to key information assets and IP so the risks related to reusing passwords, using simplistic 1234 passwords, or not updating passwords when prompted aren’t forgotten.
When should you do it?
Security awareness training should be ongoing and conducted at regular intervals throughout the year.
That doesn’t have to mean the expense and disruption sitting everyone down in a classroom and working through a textbook curriculum. That teaching mode may still be effective in some limited circumstances, but by and large, the practice of delivering security training has evolved and improved.
Teams can undertake training online, at a time and place that’s convenient for them, and go though it in bite-sized modules that focus on scenarios – placing the person in a real-life attempted breach situation that they might actually face at work.
This approach is a major improvement on rote learning that measures a person’s normal reactions and creates teachable moments. It’s a much more effective format that boosts retention and helps individuals develop an instinct about cyber risks when they appear.
Security awareness means security training
Building a security-aware culture is never a one-and-done activity. When new hires start, it’s vital that they receive training to embed security awareness and understand from the off that your organisation takes cyber security seriously. Current staff need to be reminded of the threat environment or brought up-to-speed on how its evolved. Managers and directors have to be part of the process as well, to ensure that they are leading by example, but also because senior executives are a prime target for hackers.
Regular security training conducted in scenario-based modules will help keep cyber risks and what to do about them top of mind. Building a security awareness programme is an ongoing process that you will need to be updated from time to time as the threat environment evolves and your organisation grows or changes.
Want to learn more about security awareness training for your employees? Why not sign up for a free demo and find out how we’re already helping organisations just like yours.