I could take pretty much any week in the last 3 years and pull out a news report highlighting a major cybersecurity breach. Picking a few at random at the time of writing, there was a report on a phishing attack at a US hospital that affected 13,000 patients, a malware campaign that infected 210,000 routers, and over £10 million stolen from the Indian bank Cosmos through malware-infected ATMs. This is just the tip of the cyber iceberg. The Breach Level Index, which collates reports of data breaches, records almost 5 million data records stolen every day.
Cybersecurity threats are now a way of life and we have to build their impact and mitigation into our business plan.
As a response to the seemingly overwhelming and ever-expanding list of cyber threats that all businesses now face, the discipline of security awareness training has entered the frame. This article gives you an overview of why, and how, security awareness training can and should be applied in every enterprise, no matter what size.
Why use security awareness training?
Our emails are awash with phishing. According to a report from Verizon, users are still opening phishing emails and still clicking on the malicious link inside. The loss of the patient data in our example above was caused by an employee clicking on such a phishing link. The Verizon report points out that one-fifth of data breaches are caused by human error. Security awareness training puts human beings at the centre of cybersecurity threat mitigation.
In fact, one of the key recommendations of the Verizon report is to:
“Make people your first line of defence”
We have a variety of technologies and tools to help us manage cyber threats, yet cybercrime statistics keep on shocking us. In 2017, cybersecurity attacks doubled, despite state-of-the-art technologies and a multitude of well-established and start-up cybersecurity companies worldwide. This is because cybercriminals use human behaviour as part of their attack method. Security awareness training addresses the human-centred nature of cybercrime by focusing on the human element of cybersecurity. And, after all, it potentially only takes a single person to click on a spoof link to lose your customer data records.
The 5 Pillars of Security Awareness Training
“It’s training, Jim, but not as we know it”
The clue is in the name, “security awareness training”. But good awareness training takes the idea of “training” to a new level. There are a number of pillars to a great programme of security awareness; these are:
Know your enemy: Intelligence about cybersecurity is a key part of the training programme. Training programmes involve education about current cybercrime activities, and they keep your employees and your organisation up to date with trends and patterns of malicious behaviour.
Measure by measure: Metrics are your friend when running a security awareness training programme. Good programmes give you measured feedback which can be used to adjust and optimise your training. For example, metrics give you an idea of where people are making mistakes, so you can focus attention on those areas. They are also very useful in justifying the use of security awareness training, as you can demonstrate progress.
Good gamification: Cybersecurity can seem like a very dry subject for employees. Gamification is used throughout the digital world to engage people and encourage them to perform certain actions. In fact, cybercriminals also exploit the basic instincts that gamification is based on, for example “click this link to earn rewards!”. Security awareness training can apply the ethos of gamification in a similar manner: for example, reward users when they show good security behaviour, create engagement, and improve communications with trainees.
Here, phishy, phishy: Security awareness training is about recognition. Being able to spot what a malicious email looks like is half the battle. Simulated phishing is an integral part of the overall training programme and needs to be as diverse as your workforce. You should also be able to tailor the types of phishing to your business, so it more closely reflects the latest phishing trends in your sector.
Security by second nature: All of the above leads to the ultimate end, which is the creation and continuation of a positive culture of cybersecurity. Your staff, at all levels, should have security by second nature as part of their unspoken job description. Cybersecurity impacts everyone. If it affects a company’s reputation and its financial bottom line, it could cost jobs. It is in everyone’s interest, from board level downwards, to make sure the organisation is a safe place.
What do stakeholders want from security awareness training?
Security awareness training needs to be holistic in its application and in its acceptance. Each stakeholder in an organisation will likely have their own take on why the programme needs to be implemented and what they want out of it.
- CEO: As the head of the company the CEO needs to know that their business is safe and secure. The CEO will be able to see, first hand, how the business copes with a phishing attack when security awareness training is implemented. Using the information provided by feedback and metrics, improvements in security awareness across the organisation will also be apparent.
- Head of Information Security/IT Director: Any security professional within an organisation has an uphill struggle in keeping up with ever more sophisticated cyber-attacks. CSOs and CISOs are integral to the effective implementation of a programme of security awareness.
- Finance Director: As always, the CFO will want value for money. You can show the issues within the cybersecurity landscape using data from the likes of Gartner and Verizon. And, you can also show the success of the programme using metrics.
- Line Managers: Staff on the frontline of a business area are great for helping to tailor security awareness experiences for their staff. Engage them in the programme to get feedback about metrics on their personnel.
- Employees: Security awareness training is a way to manage user behaviour and reduce human error but the last thing you want to have happen is user pushback. Keep the programme relevant and as much fun as possible. If you can add elements of gamification to the process, do so. And keep it as an ongoing exercise, but in bite-size chunks to prevent fatigue.
What to look for in security awareness training
Here’s a quick guide to what to look for when deciding on the right security awareness training programme for you:
- Was it designed by security professionals with deep knowledge of the issues?
- Does it use engaging and interactive outlines?
- Does it provide ongoing and easy-to-understand metrics?
- Does it offer phishing simulations based on real-world scenarios?
- Is it easy to set up, configure, and manage?
- Is it cost-effective?
What to ask a potential security awareness training provider?
When choosing a provider for your security awareness training you should plan out a list of pointed questions to make sure they fit your needs.
- What level of support do they offer, and is it ongoing throughout the lifecycle of the training?
- Has the training been independently accredited, e.g. by GCHQ as part of the National Cyber Security Programme?
- Can they advise on how best to interpret metrics and how to use them to optimise the training programme?
- Do they have experience in your specific industry?
- Do they have any recommendations from other clients and case studies?
Getting your training programme up and running
Hopefully, this short guide has given you a flavour of what to expect from a security awareness training programme. Understanding the benefits of such a programme includes knowing how to extract the most from security awareness and from the trainers providing the service. Asking the right questions and finding the right training provider for your organisation should result in a knowledgeable and switched-on employee base that builds a human wall against cybersecurity threats.