Security Awareness Training – Close the Front Door
- Brian Lechner
- Aug 21, 2020
- 2 min read

AI and machine learning are evolving into powerful tools in the field of cybersecurity. These tools make detecting and responding to threats in real time almost automatic. Used in combination with a secure network configuration, these advancements certainly go a long way toward protecting a network, its data, and its devices. However, without training your users, through security awareness training, to recognize social engineering attacks, phishing emails, and other questionable activity, you are leaving the front door unlocked. 94% of malware is delivered via email, and phishing attacks are responsible for more than 80% of all reported security incidents. Of course, most, if not all, ransomware attacks are carried out via email as well. Nefarious email and social engineering attacks are the cause of stolen credentials, stolen data, and stolen identities, and lead to losses of $17,700 every minute. These stats are significant, and with proper security awareness training for companies of all sizes, they could be substantially reduced.
Train Your Users
The goal of a security awareness program is to empower employees to recognize, question and act when something does not seem right. This goes beyond a basic understanding of company policies and gives users the knowledge necessary for securing data at work and beyond. When administered correctly, your security team's phones will be ringing more than usual as users begin to recognize and report questionable activities and email. This is what you want.
When to Train
Security awareness training should be included during the on-boarding process and advance to on-going training throughout the company on a regular basis. Post-incident, any breach should be communicated to the appropriate team and then followed up with focused training to help avoid future incidents. The topics covered by a SAT program can, and will, vary depending on each organization's security needs. For example, an entity with secure entrances may include a course on tailgating, whereas a company without a secure entrance may not see this training as necessary.
Test and Reinforce
Each course should be interactive, with some means of testing the user's comprehension and retention of the material. Any user who fails to meet the basic requirements of a section should be required to revisit the session and retest before moving on. Depending on the situation, one-on-one counseling may be needed for a user who struggles with a given section.
Phish Your Users
Internal phishing campaigns should be included as part of any security awareness training. The goal is to reduce the number of click-throughs on these training exercises and increase the number of calls questioning suspicious email to security personnel. Users who continually fail these campaigns should be counseled on how to spot a phishing attack or questionable email.
In closing, every company of every size should have some form of formal security awareness training for its employees. This training should cover the organization's security policies and procedures as well as educate and empower users to be more responsive to ongoing cybersecurity threats. How do you go about gaining approval for a security awareness training program? Build a business case, which will be covered in a later blog post.
A few of the companies offering security awareness training programs (there are many others):