Security Awareness Training: What It Is and Why It's Critical
What you need to know to make the most of a security training and awareness initiative
What Is Security Awareness Training?
Security awareness training is the process of providing formal cybersecurity education to your workforce about a variety of information security threats and your company’s policies and procedures for addressing them. Topics covered in security awareness training often expand beyond the digital world and discuss physical security and how employees can keep themselves and loved ones secure. Such training can take a variety of forms but is most often presented in an online or computer-based format.
Rather than a one-time event, security awareness training is most useful when approached as a critical ongoing practice in the context of a bigger security awareness program. The training and the program are integral to building a culture of security in modern, digitally dependent organizations.
Why Is Security Awareness Training Needed?
Security awareness training is critical because cyber threats abound in our always-connected work environments, and those threats are continually changing. The common thread running through many of the most significant threats today is people: your employees. Attackers know that people present a soft attack surface and build their campaigns around that.
The point of security awareness training is to equip employees with the knowledge they need to combat these threats. Employees cannot be expected to know what threats exist or what to do about them on their own. They need to be taught what their employers consider risky or acceptable, what clues to look for that indicate threats, and how to respond when they see them.
Our 2020 State of Privacy and Security Awareness Report revealed that many employees are unaware of key risk factors relating to data security and privacy. Some employees are misinformed or confused about what risky behaviors are; many don’t understand that cybersecurity is their personal responsibility; and even fewer understand sensitive data privacy best practices.
These days, security is everyone’s responsibility. Even seemingly harmless behaviors or small mistakes can have big consequences. Security awareness training helps get everyone in an organization on the same page, reduces risks and incidents, and helps the entire workforce protect their organization and themselves.
How Should Training Be Approached?
The mission of a good training program should be to provide concise, actionable, and memorable advice about how to reduce cybersecurity and information technology risks, whether digital or physical. Security skills developed on the job also carry over into better cyber hygiene habits at home or when working remotely from elsewhere.
Too often, those building training content feel they have to overload it with details and language that mirror company policies and procedures. Training that gets bogged down in policy minutiae usually causes people to tune out.
Video – Ask the Experts – Annual Employee Awareness Training Is Not Enough
In this Ask the Experts video, Tom Pendergast, MediaPRO’s Chief Learning Officer, discusses the importance of year-round security and privacy awareness programs.
Security leaders who are launching programs and associated training need to remember that the ultimate recipients of the course will likely not be as invested in information security as they are. In fact, many employees can be downright bored with it.
It helps to take a lighter touch when conveying material that can be perceived as dry and difficult, incorporating training techniques that keep the content relatable and learners engaged.
Employees cannot be made to care about these topics. Why these topics matter needs to be conveyed in a way that invites them into the learning experience and teaches not just specific behaviors (do this, don't do this) but how to think critically about the many threats out there.
What Are Some Security Training and Awareness Best Practices?
There are many ways to deliver training, depending on what the employee population will accept and what leadership will support.
Let’s look at some security training strategies that have proven successful in our experience and are based on adult-learning research.
Break Learning Into Chunks
To the extent that training content can be broken down into “chunks” of similar, easily learnable elements, the training will be more effective. Employees will not be overloaded with too much new information to be put into action at any one time.
Phishing training is a good example. If phishing emails are your biggest risk, as they are for a great number of organizations, the best approach is to start with a short, fun training focused on phishing, delivered to the entire employee population.
Afterwards, run a phishing simulation test with everyone and see who takes the bait. Then, distribute more detailed levels of phishing training to people based on their test performance. The model is to deliver the shortest possible chunk of training first and then only go deeper when needed.
Focus on Your Greatest Risks
This principle applies to whatever type of security training is provided.
To determine what that training should be, assess the key risks that you’re trying to reduce in your business environment. What do employees need to know and do to support the goal? How can you express that through security training programs in a way that is as comprehensive and concise as possible?
To that end, the security awareness training course becomes the focal point for expressing the company’s goals, policies, and desired employee behaviors.
Make It Resonate
The right training must then be delivered to the right people, based on their role and the kinds of data and access they’ll be exposed to in performing their work.
To make it meaningful, provide real-world examples and stories, such as those found in the annual Verizon Data Breach Investigations Report (DBIR), that are relevant and relatable to their work experience. Training that presents scenarios that employees will encounter in their workday and home life makes the lessons real and not just a list of rules to follow.
This approach helps build critical thinking skills and promotes how to think about approaching a risk and not simply “do this, don’t do that.”
Avoid 'Been There, Done That'
Few people, if any, want to sit through yet more training on material they already know. So another way to apply training effectively is to give people the option to test out.
Pre-testing allows people to self-select into what information they still need, while sparing them from redundancy and boredom with material they’ve mastered. It’s another great way to improve the efficacy of the training experience.
Present Training that Works for Adults
It’s crucial to structure training modules around the way adults learn. That’s different from the way students learn in a structured educational environment. In school, students expect to read a whole lot of content, look for key facts, and be able to restate them.
Corporate training is presented in a different context. People are busy; they have jobs to do; security may not be their primary focus. Applying adult learning principles will make training relevant, easy to assimilate, and far more effective.
Adults tend to think that they already know the world, and want to test whether their knowledge holds up in real situations. A friendly and useful training technique is to present a situation, ask what they would do, and then either confirm correct responses right away to cement them in long-term memory, or gently steer them in the right direction.
The Relationship Between Training and Policy
Policies are written with a distinct tone and approach. If your training looks like your policy, it won’t have its intended impact. Training must be a whole different realm of communication.
For some companies, auditing practices require that employees be exposed to corporate policies. But it takes more than annual policy acknowledgment for employees to adapt their behaviors and business practices to your company policies.
Some program managers do annual policy acknowledgment, but also train to "Cliff Notes" versions of the policies to ensure their learners absorb the most important points. Either way, any employee who wants to read the primary policy document in full should be given access to it.
What Topics Should Security Awareness Training Cover?
The short answer here is “It depends.” The best security awareness training programs are tailored to individual organizations and cultures and cover the most pertinent risks. This helps ensure the training communications are as relevant as possible and stand the best chance of sticking with employees.
That said, many organizations will face similar needs when it comes to cybersecurity risks. In no particular order, here are leading issues to consider:
Phishing
Most malware enters networks via clicks or downloads from phishing emails. All employees should know the signs of a phishing attack and how to report a phishing email when they spot one. Phishing simulations and phishing test campaigns that draw on a library of phishing email templates are essential to security awareness training.
Social Engineering
Email phishing is the most famous type of social engineering, but not the only one. Employees need to be aware of social engineering scams that exploit human behavior across multiple platforms, including but not limited to text message phishing (SMSishing), phone or voicemail phishing (vishing), and social media phishing.
Safe Internet Habits
Whether for work or at home, secure browsing know-how is crucial for navigating our uber-connected world. Safe Internet habits help create a human firewall that augments security technology.
Safe Use of Social Media
Beyond policies covering use of social media at work, your workforce should know what actions they can take in their personal lives to stay secure while sharing.
Remote Work
Working from home or on the go is becoming part of everyday life. Advice on connecting securely from home, and on why public Wi-Fi hotspots are a bad idea, should at least be touched on in most programs.
Insider Threats
No amount of training can prevent a malicious employee from doing something bad. But training communications on the warning signs, and on what to do when an insider threat is suspected, can help surface such threats before the damage is done.
Incident Response
Employee reaction to a security incident, whether malicious or accidental, can make or break your company. Your employees should know what to look for and feel empowered to say something when they see something.
Laws and Regulations Governing Your Business
A variety of federal regulations and private industry guidelines exist to secure sensitive and valuable information. Your employees don't need to become experts on these rules, but they do need to know how the rules apply to your organization.
Data Privacy Practices
Cybersecurity should walk hand-in-hand with data privacy. The basics of what makes personal information personal, and how to handle, store, and dispose of it, should be part of your security training and awareness initiative.
How Do I Know Security Awareness Training is Working?
Whether you’re just starting your journey toward establishing an awareness initiative or looking to upgrade an existing program, setting measurable goals for behavioral improvements is crucial.
An inability to demonstrate ROI for awareness training can lead to reduced or eliminated training funds when budget season rolls around.
Fortunately, straightforward ways exist to track effectiveness and set the stage for a successful awareness training initiative.
Here are some ideas.
How Often Incidents Are Reported
Review the frequency of reported incidents before training begins. Check if these reports increase as training progresses and in the months following.
More reported incidents means your employees have developed sharper eyes for suspicious activity (not necessarily that more incidents are actually happening!).
Reported Phishing Email Percentage
Collect the number of phishing emails reported versus the number not reported to derive a reported percentage. Clicked phishing emails should also be included in this initial data gathering, to set a baseline of how well your employees recognize and correctly handle this threat.
After your primary training has run its course and you have trained your employees on how to spot phishing emails, review these numbers to see how they changed. The goal is an increase in the percentage of phishing emails reported and a decrease in the number of phishing emails clicked.
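As an added example (not code from the original article), the following Python computes the reported percentage and click rate described above for a baseline and a post-training phishing simulation, and checks the stated goal of a higher report rate with a lower click rate; the recipient ids and outcomes are constructed for illustration.

```python
# Added example, not from the original article: compute the reported
# percentage and click rate the article tracks for a phishing simulation,
# before and after training, from constructed per-recipient outcomes.
from dataclasses import dataclass

@dataclass(frozen=True)
class Outcome:
    recipient: str
    clicked: bool   # followed the simulated phishing link
    reported: bool  # used the report-phishing button/mailbox

def campaign(codes: str) -> list:
    """Build outcomes from a compact code string (constructed test data):
    C = clicked, R = reported, CR = clicked and then reported, - = neither."""
    return [Outcome(f"u{i:02d}", "C" in c, "R" in c)
            for i, c in enumerate(codes.split(), start=1)]

def summarize(outcomes: list) -> dict:
    """Counts and rates for one campaign. A recipient who clicked and then
    reported counts in both numerators; 'not reported' is sent minus reported."""
    sent = len(outcomes)
    if sent == 0:
        raise ValueError("campaign has no recipients")
    clicked = sum(o.clicked for o in outcomes)
    reported = sum(o.reported for o in outcomes)
    return {"sent": sent, "clicked": clicked, "reported": reported,
            "not_reported": sent - reported,
            "click_rate": clicked / sent, "report_rate": reported / sent}

def training_improved(baseline: list, post: list) -> bool:
    """The article's success condition: report rate up AND click rate down."""
    b, p = summarize(baseline), summarize(post)
    return p["report_rate"] > b["report_rate"] and p["click_rate"] < b["click_rate"]

# Constructed data: 10 recipients per campaign (ids and outcomes are made up).
BASELINE = campaign("C C CR C R - - - - -")        # 4 clicks, 2 reports
POST_TRAINING = campaign("R R R CR R R - - - -")   # 1 click, 6 reports

if __name__ == "__main__":
    for name, c in (("baseline", BASELINE), ("post-training", POST_TRAINING)):
        s = summarize(c)
        print(f"{name}: {s['report_rate']:.0%} reported, {s['click_rate']:.0%} clicked")
    print("training improved:", training_improved(BASELINE, POST_TRAINING))
```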
Direct Assessment of Employee Knowledge
Assessing employee knowledge is a direct way to measure what they know about security and privacy best practices.
Create questions that address your organization’s most pressing security and privacy risks. A good understanding of your organization’s goals and priorities will make sure you’re asking the right questions. After all, why ask employees if they know how to connect to networks via VPN if they’re not taking their computers out of the office?
How Much Incident Remediation Costs
Chances are your organization has had a run-in with a data breach, malware infection, or another kind of cyber incident. Such an event may even be the reason you’re in the market for security and privacy awareness training in the first place.
If your organization has incurred such remediation costs, record that figure as a baseline before you launch your training initiative. Keep it on hand so that, if another incident occurs, you can determine whether training reduced overall incident remediation costs.