Exposing employees to the security threats that compromise businesses, seemingly weekly these days, can help companies protect themselves against those threats. This blog will cover why security training matters, the training options and resources available, and how often training should be provided.
What is Security Awareness Training?
Security awareness training is the process of providing information about the tactics attackers use that could compromise the security of a company’s data and its clients’ data. A company’s security awareness program should identify the policies and procedures related to security awareness and the controls that employees are required to follow. Finally, security awareness training should identify the security officer and the contact methods available if an employee notices anything suspicious or has questions.
Why is Security Awareness Training Important?
Many times, the most vulnerable area of a company is its employees’ lack of understanding of potential cybersecurity threats, and that includes upper management. To combat those threats, it is important for companies to establish a security culture that takes threats seriously and promotes systematic processes that teach people how to protect the information they work with every day. Additionally, having security awareness training policies and procedures in place is an essential tool for satisfying security audits.
What Types of Threats Should Security Awareness Training Cover?
Security awareness training should cover topics such as securing data; email, phishing, and messaging; encryption; insider threats; mobile device security; passwords; physical security; malware; tone at the top and leadership; social engineering; social networking; and Wi-Fi security. If you are not sure what these terms mean, SANS Institute, a cooperative research and education organization, has created a page that defines security awareness terms.
What Are Some Security Awareness Training Options?
The services a company provides, its industry, its size, and its budget all dictate the training that makes the most sense. Regardless of the factors your company is facing, there are plenty of options out there that can satisfy its needs.
- Udemy Cybersecurity Awareness Training: Udemy is a global marketplace for learning and teaching courses taught online by expert instructors. Some things you will learn in the 38-minute video are: choosing a password that is difficult to hack but easy to remember; using two-factor authentication on Facebook, Twitter, and Google; the risks of installing third-party desktop applications in social network accounts; and spotting malware, spyware, ransomware, spear phishing, and social engineering scams.
- CYBRARY End User Security Awareness Training: Cybrary is another online learning tool with the mission of providing educational resources to anyone who is interested. All Cybrary courses are free to users. This hour-long course will help users implement data security best practices.
- SANS Security Awareness Training for End Users: SANS Security Awareness Training is designed to help companies comply with security audit requirements, teach positive security habits, and help mitigate risks associated with security threats. “Interactive learning is a key focus of SANS security awareness training content and focuses on getting learners to both ‘know’ and ‘do’ the right thing at the right time with accuracy and consistency.” This security awareness training provides 48 different modules that companies can choose from, with content that is updated regularly. SANS Security Awareness Training also has another option – Phishing Awareness Training. This option exposes employees to the actual templates and techniques currently used in phishing attempts, which allows an organization to provide additional assistance to those who fall for them.
- KnowBe4 Security Awareness Training: KnowBe4 is a training program that enhances the awareness of security threats by providing tools to simulate attacks on employees. KnowBe4 provides its customers with baseline testing to help clients understand security weaknesses that exist so that training content picked can address those weaknesses. Once the content is chosen, KnowBe4’s modules focus on helping users understand the “mechanisms of spam, phishing, spear-phishing, and social engineering.” KnowBe4 also has additional free tools such as phishing tools, security awareness tools, password tools, email security tools, and malware tools. These tools are meant to be used in conjunction with their modules.
- The Security Awareness Company: The Security Awareness Company creates training programs for companies based on their needs. Additionally, they have modules for different compliance standards such as HIPAA and PCI. The Security Awareness Company believes that success requires the following steps:
- Training modules provided frequently.
- Providing the same message in different ways.
- Providing messages that are relevant to everyday life.
- Making learning fun.
- Finally, the Security Awareness Company’s mascot, The Security Cat, has a number of free security messages, just like the one below!
Are There Any Other Security Training Resources?
You are in luck! There are a number of podcasts that provide security-related information to listeners. Follow the links below for more information.
- Security Weekly: “Security Weekly is a security podcast network for information security professionals, by information security professionals. They produce a lineup of shows for the security community, completely free.”
- State of Security: This article provides links to a number of podcasts about information security. Some of the podcasts include: Take 1 Security Podcast, Brakeing Down Security, Data Driven Security, Defensive Security Podcast, Down the Security Rabbithole, Exploring Information Security, OWASP 24/7, Paul’s Security Weekly, Southern Fried Security Podcast, SANS Internet Storm Center Podcast, and Security Current Podcast. Additional podcasts can be found at the link above.
How Often Should Security Awareness Training be Held?
The more often a message is communicated to users, the better the chance that it is received. Many security standards require that security training be provided to staff at least annually, but many of the security training options are moving toward a more interactive and continuous approach. Since the cost of a security threat being exploited can be extremely high, it is imperative for a company to properly plan a training program that fits the risks the company faces. Most of the security training companies provide assistance with planning a security program that fits a company’s needs.
How Do I Create a Security Awareness Program?
The best method of creating a security awareness program is to first define who needs to receive end-user security awareness training. Depending on their knowledge of security-related topics, individuals may need a more elementary or a more advanced type of training. For example, if most of the workforce is in sales with limited IT knowledge, something fundamental would likely be more beneficial. If the workforce consists of developers, something more advanced, in addition to security-related seminars, may be more beneficial.
This should make it clear that there really is no one-size-fits-all program. With that said, an important part of a successful program is to outline defined requirements for employees based on security requirements and contractual obligations. Another important aspect is keeping employees engaged. The more a company can make security interesting, or at a minimum engaging at their level of expertise, the more likely employees will take it seriously. The final aspect of making a security awareness program successful is making sure that ALL employees and contractors, including management, are required to fulfill IT security awareness training requirements.
How Effective Is Security Awareness Training?
The effectiveness of security awareness training depends upon multiple variables, including the culture, tone at the top, relevance, and engagement of personnel. Each year our company works with hundreds of different organizations. While most have a more or less successful information security program, some take it more seriously, and that is reflected in their organization, continued training, and enthusiasm for success.
First, having an organized program and process is the first key to a successful IT security training program. An organization should define how often it expects training to occur or be completed, how to track whether employees have completed training, and how to use that tracking mechanism to enforce completion. If employees understand that IT security training is important to the organization, completion rates will increase.
The next element is continued training. While most organizations provide employees with information security training at least annually, adding some additional hands-on training, such as a phishing campaign, can keep information security topics top of mind. Additionally, phishing is a real threat that occurs frequently across all industries. Phishing campaigns expose employees to these threats, so the organization is less likely to be compromised when a real phishing attempt arrives.
A phishing campaign also introduces employees to those who are in charge of security at the organization. This builds a relationship so that if other things come up, employees know who to contact. Finally, enthusiasm can be one of the single most important variables in implementing effective security awareness training. If management and the culture of the organization take information security seriously, that alone can increase its effectiveness. Everyone needs to be on board, and its importance needs to be a shared responsibility.
Security awareness training has become an extremely valuable tool that companies can use in combating security risks. The human factor is a major aspect of protecting your business, and human behavior can make or break an attacker’s attempt at exploiting company information. Knowing your options for mitigating those risks based on your company’s variables is the first step.
Finally, as mentioned earlier, having a security awareness program in place is generally a requirement for SOC 1 and SOC 2 reporting, HIPAA, and FedRAMP. This blog will provide those who are going through the process with the resources needed to successfully implement a program that meets the needs of the company and will help raise awareness of threats that make your company vulnerable.
For more information on security compliance and training check out the following Linford & Co blogs:
- Stay Tuned Up with Security Resources: Center for Internet Security
- Increased Need for Information Security Governance
- Continuous Monitoring – An Introduction
- Implementing a Successful Patch Management Process: Don’t be the Next Equifax
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is currently a manager with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.