One of the cybersecurity activities that most, if not all, organizations should be doing on a regular basis is Security Awareness Training. At a high level, this training is provided to your employees to inform them about information security as it relates to their day-to-day business operations. In this article, we'll review what Security Awareness Training should generally include for all employees and highlight the different methods and mediums available to deliver this training to your people.
Key Topics of Security Awareness Training
Security Awareness Training is designed to do just that: bring awareness to the different aspects of security that employees need to understand. This awareness helps everyone, not just in their jobs but also in their lives outside of work, to be more secure and protect themselves. A more security-minded workforce pays dividends in the form of higher resiliency to social engineering attacks (like phishing) and more vigilance about potential security issues that should be reported, hopefully preventing more costly security incidents or data breaches. Most baseline training should address the following topics:
- Types of social engineering
- Example campaigns that may be encountered
- How these attacks work and what can be done to avoid them
- How to report a suspected security incident
- What sensitive information the organization will ask employees for, and when and how it will ask (so that anything outside that pattern stands out as suspicious)
- How to choose a strong password
- How to leverage multi-factor authentication
- What is a password manager and how to use one
- Organization-specific policies/procedures related to security
The Different Options for Delivering Effective Training
This space has a number of different options and methods for achieving the same goal: cultivating a security-minded workforce. Each option has different pros and cons, resulting in a number of differing opinions on which is more effective. Let’s look at your choices.
Computer-Based Training (CBT) Modules
The simplest and most common form of training: a variety of companies offer a short video or interactive walkthrough that is assigned to your employees and must be completed on a regular basis. Sometimes this training ends with a short quiz to confirm the employee paid attention, sometimes there are questions throughout to drive engagement, and other times it is tracked merely for completion. For the most part, this is going to be the cheapest, fastest, and least customized option for security awareness training. The content provided will probably be solid and hit the important topics, but it won't be specific to your organization. Additionally, this type of training often has a much lower efficacy rate, as it can be a little duller than some of the other options out there.
Regular Phishing Simulations
This refers to ongoing, primarily automated assessments of your workforce using actual phishing emails that you create and send out. Several companies offer software for you to do this yourself with your own IT or Security teams, such as KnowBe4. Additionally, many third parties will offer this as a service. Generally, exercises are conducted on a sample of users on a monthly basis, using a set of different campaigns/pretexts. Users have to correctly identify that an email is an attempted phish and report it to the organization's point of contact; otherwise, they are assigned remedial training (usually a computer-based module).
This type of training has the advantage of being a little more effective than a CBT module on its own, because the user has just personally interacted with a phishing attempt and feels a little of the sting of failure from not identifying it. It is also possible to draw clearer examples of how the user could have identified that specific phish. But this kind of training is more resource intensive (staff time if done internally, budget if contracted through a third party) and can have some unintended consequences. One example is business interruption from users who become a little over-zealous and report legitimate emails as phishing attempts. Another is problems with the campaigns themselves: pretexts that are not very realistic (and so less effective), or that are unethical in some cases (for example, dangling bonuses or layoffs), leading to complaints.
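The reporting side of a phishing simulation program is where the value is actually measured, so here is a small scorer for the workflow described above: classify each delivered email, compute per-campaign click, credential-submission and report rates, assign the remedial module to anyone who did not report the phish, and flag repeat clickers for escalation. This is an added example, not code from the article or from any simulation vendor; the results rows are constructed, the field names are assumptions rather than any product's export format, and the escalation threshold is a policy choice made up for the example.

```python
from collections import defaultdict

# Constructed results for two monthly campaigns sent to a sample of users.
# Each row is one delivered simulation email. The field names are assumptions
# for this example, not a vendor export format.
RESULTS = [
    {"user": "alice", "campaign": "invoice-overdue",  "clicked": False, "submitted_creds": False, "reported": True},
    {"user": "bob",   "campaign": "invoice-overdue",  "clicked": True,  "submitted_creds": True,  "reported": False},
    {"user": "carol", "campaign": "invoice-overdue",  "clicked": True,  "submitted_creds": False, "reported": True},
    {"user": "dave",  "campaign": "invoice-overdue",  "clicked": False, "submitted_creds": False, "reported": False},
    {"user": "alice", "campaign": "mfa-reset-notice", "clicked": False, "submitted_creds": False, "reported": True},
    {"user": "bob",   "campaign": "mfa-reset-notice", "clicked": True,  "submitted_creds": False, "reported": False},
    {"user": "carol", "campaign": "mfa-reset-notice", "clicked": False, "submitted_creds": False, "reported": True},
    {"user": "dave",  "campaign": "mfa-reset-notice", "clicked": True,  "submitted_creds": False, "reported": False},
    {"user": "erin",  "campaign": "mfa-reset-notice", "clicked": True,  "submitted_creds": True,  "reported": False},
]


def outcome(row):
    """Classify one delivered simulation email.

    'failed' : the user clicked the link or entered credentials. A report
               after the fact is still recorded, but the attacker would
               already have had what they wanted, so it does not count as a pass.
    'passed' : the user reported the email without interacting with it.
    'missed' : the user neither reported nor interacted. No harm done, but the
               phish was not identified, so it still triggers remedial training.
    """
    if row["clicked"] or row["submitted_creds"]:
        return "failed"
    if row["reported"]:
        return "passed"
    return "missed"


def campaign_metrics(rows):
    """Per-campaign click, credential-submission and report rates, in percent.

    Comparing these across pretexts shows which lures actually work against
    your people, which is the input for the next round of campaigns.
    """
    by_campaign = defaultdict(list)
    for row in rows:
        by_campaign[row["campaign"]].append(row)
    metrics = {}
    for name, sent in by_campaign.items():
        n = len(sent)
        metrics[name] = {
            "sent": n,
            "click_rate": round(100 * sum(r["clicked"] for r in sent) / n, 1),
            "cred_rate": round(100 * sum(r["submitted_creds"] for r in sent) / n, 1),
            "report_rate": round(100 * sum(r["reported"] for r in sent) / n, 1),
        }
    return metrics


def remediation_list(rows, escalate_after=2):
    """Decide who is assigned the remedial module and who is escalated.

    Everyone who did not pass a campaign gets the remedial module for that
    campaign. Users who actually failed (clicked or submitted) in
    `escalate_after` or more campaigns are flagged separately, on the
    assumption (ours, not the article's) that yet another automatic CBT
    assignment is unlikely to change their behaviour and a person should
    follow up instead.
    """
    remedial = defaultdict(list)  # user -> campaigns for which the module is assigned
    failures = defaultdict(int)   # user -> number of campaigns failed
    for row in rows:
        result = outcome(row)
        if result != "passed":
            remedial[row["user"]].append(row["campaign"])
        if result == "failed":
            failures[row["user"]] += 1
    escalate = sorted(u for u, count in failures.items() if count >= escalate_after)
    return dict(remedial), escalate


if __name__ == "__main__":
    for name, m in campaign_metrics(RESULTS).items():
        print(f"{name}: {m}")
    remedial, escalate = remediation_list(RESULTS)
    print("remedial module:", remedial)
    print("escalate:", escalate)
```

Note that carol is counted as a failure on the first campaign even though she reported it: she clicked first. Tracking the click and the report separately is what lets you tell "identified it and reported it" from "fell for it, then got suspicious", and the report rate on its own would hide that difference.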
Third-Party, Customized Security Awareness Training
This training is more focused, in-depth and customized to your organization. Many organizations (Triaxiom included, for full disclosure) offer this type of training to help accelerate workforce improvement when it comes to security awareness. Third-party training is usually conducted in person when possible, and attended by as many employees as possible. The content is customized to the target organization by including results from recent social engineering assessments conducted against it, the specific technologies it uses, the attack surface relevant to it, and the solutions/tools available within the organization. In this way, more user engagement is generated and the training becomes immediately applicable. While this training is generally a little more expensive, the return on investment can be more significant than relying only on computer-based training modules, and employee feedback is generally positive about how they are able to put better security practices into use.
In-House Security Awareness Training
The last general type of training we'll cover is in-house security awareness training. This simply refers to in-person or remote training conducted by employees of the organization (e.g. the IT team or the Security team). Many companies will do this as part of quarterly all-hands meetings or an annual company event. The content is very similar to the third-party training just discussed, in that it can be extremely customized and immediately relevant for employees. The cost is also reduced to the employee time needed to research and develop the content. The major downside most people see here is diminished credibility in the eyes of other internal employees, as compared to a third party. Many times, a third party can come in and have more of an impact because they are viewed as an impartial expert, whereas internal employees may be received with some bias.
Ultimately, the most effective approaches use a combination of these methods to ensure the workforce is trained on security awareness regularly. This is never a "one and done" scenario, as training needs to evolve to address new threats and a changing technology landscape. Organizations that embrace security culturally also have an easier time getting buy-in and engagement for training events like those listed here. Augmenting any training you do with regular reminders and communications via emails, newsletters, posters, etc. can also help to reinforce good behaviors.
If you want to learn more about how Triaxiom Security conducts security awareness training and if it might be the right fit for your organization, contact us today!