Making employees aware of the security threats that hit businesses, seemingly weekly these days, can help companies protect themselves against those threats. This blog covers the importance of security awareness training, the options and resources available, and how often training should be provided.
What is Security Awareness Training?
Security awareness training is the process of providing information about the tactics hackers use that could compromise the security of a company’s and its clients’ data. A company’s security awareness program should identify the policies and procedures related to information awareness and the controls that employees are required to follow. Finally, information awareness training should identify the security officer and the contact methods available if an employee notices anything suspicious or has questions.
Why is Security Awareness Training Important?
Often, a company’s most vulnerable area is its employees’ lack of understanding of potential cybersecurity threats, upper management included. To combat those threats, it is important for companies to establish a security culture that takes threats seriously and promotes systematic processes that teach people how to protect the information they work with every day. Additionally, having security awareness training policies and procedures in place is an essential tool for satisfying security audits.
What Types of Threats Should Security Awareness Training Cover?
Security awareness training should cover topics such as securing data; email, phishing, and messaging; encryption; insider threats; mobile device security; passwords; physical security; malware; tone at the top and leadership; social engineering; social networking; and Wi-Fi security. In case you are not sure what these terms mean, the SANS Institute, a cooperative research and education organization, maintains a page that defines security awareness terms.
What Are Some Training Options?
The services provided, the industry, the size of the company, and the budget can all dictate which training makes the most sense. Regardless of the factors your company is facing, there are plenty of options available that can satisfy its needs.
- Udemy Cybersecurity Awareness Training: Udemy is a global marketplace for learning and teaching through online courses taught by expert instructors. Some of the things you will learn in the 38-minute video are: choosing a password that is difficult to hack but easy to remember; using two-factor authentication on Facebook, Twitter, and Google; the risks of installing third-party desktop applications in social network accounts; and spotting malware, spyware, ransomware, spear phishing, and social engineering scams.
- CYBRARY End User Security Awareness Training: Cybrary is another online learning tool with the mission of providing educational resources to anyone who is interested. All Cybrary courses are free to users. This hour-long course will help users implement data security best practices.
- SANS Security Awareness Training for End Users: SANS Security Awareness Training is designed to help companies comply with security audit requirements, teach positive security habits, and help mitigate risks associated with security threats. “Interactive learning is a key focus of SANS content and focuses on getting learners to both ‘know’ and ‘do’ the right thing at the right time with accuracy and consistency.” This training provides 48 different modules that companies can choose from with content that is updated regularly.
- KnowBe4 Security Awareness Training: KnowBe4 is a training program that enhances the awareness of security threats by providing tools to simulate attacks on employees. KnowBe4 provides their customers with baseline testing to help clients understand security weaknesses that exist so that training content picked can address those weaknesses. Once the content is chosen, KnowBe4’s modules focus on helping users understand the “mechanisms of spam, phishing, spear-phishing, and social engineering.”
- The Security Awareness Company: The Security Awareness Company creates training programs for companies based on their needs. Additionally, they have modules for different compliance standards such as HIPAA and PCI. The Security Awareness Company believes that success requires the following steps: 1) providing training modules frequently, 2) providing the same message in different ways, 3) providing messages that are relevant to everyday life, and 4) making learning fun. Finally, the Security Awareness Company’s mascot, The Security Cat, offers a number of free security messages.
Are There Any Other Security Training Resources?
You are in luck! There are a number of podcasts that provide security related information to listeners. Follow the links below for more information.
- Security Weekly: “Security Weekly is a security podcast network for information security professionals, by information security professionals. They produce a lineup of shows for the security community, completely free.”
- State of Security: This article provides links to a number of podcasts about information security. Some of the podcasts include: Take 1 Security Podcast, Brakeing Down Security, Data Driven Security, Defensive Security Podcast, Down the Security Rabbithole, Exploring Information Security, OWASP 24/7, Paul’s Security Weekly, Southern Fried Security Podcast, SANS Internet Storm Center Podcast, and Security Current Podcast. Additional podcasts can be found at the link above.
How Often Should Security Awareness Training be Held?
The more often a message is communicated to users, the better the chance that it is received. Many security standards require that security training be provided to staff at least annually, but many of the security training options are moving toward a more interactive and continuous approach. Since the cost of a security threat being exploited can be extremely high, it is imperative for a company to properly plan a training program that fits the risks the company faces. Most of the security training companies provide assistance with planning a security program that fits the company’s needs.
More on Cyber Security Awareness
Happy National Cyber Security Awareness Month, also known as NCSAM! NCSAM is observed every October and was created as a joint effort between government and industry to provide information on staying safe online. “It was initiated by the U.S. Department of Homeland Security and the National Cyber Security Alliance. NCSAM has grown exponentially, reaching consumers, small and medium-sized businesses, corporations, educational institutions, and young people across the nation. 2017 marks the 14th year of National Cyber Security Awareness Month.” Go to the link above for more information about staying safe online; theft, fraud, and cybercrime; key accounts and devices; and managing your privacy.
Security awareness training has become an extremely valuable tool that companies can use in combating security risks. The human factor is a major aspect of protecting your business: human behavior can make or break a hacker’s attempt at exploiting company information. Knowing your options for mitigating those risks, based on your company’s circumstances, is the first step.
Finally, as mentioned earlier, having a security awareness program in place is generally a requirement for SOC 1 and SOC 2 reporting, HIPAA, and FedRAMP. This blog provides those who are going through the process with the resources needed to successfully implement a program that meets the needs of the company and helps raise awareness of the threats that make your company vulnerable.
For more information on security compliance and training, check out the following Linford & Co blogs:
- Stay Tuned Up with Security Resources: Center for Internet Security
- Increased Need for Information Security Governance
- Continuous Monitoring – An Introduction
- Implementing a Successful Patch Management Process: Don’t be the Next Equifax
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is currently a manager with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.