Gartner, Inc., predicts that by the end of 2021 security and risk management spend is likely to reach $150.4 billion. The job of the CISO (Chief Information Security Officer) has never been more vital, and making sure that the budget is well-spent is an important aspect of cyber security management and risk control. Security Awareness Training is an area that helps to mitigate attacks aimed at manipulating employees. This is backed up by a report from McKinsey that outlines seven action areas, the second of which is to enlist frontline staff and carry out Security Awareness Training. This focus on the human element in cyber threat mitigation means that a CISO often spends part of the budget on Security Awareness Training.
However, making sure that a training program is effective requires a sound strategy. Here are six steps to security awareness success that ensure your budget is well-spent.
Six Steps to Maximise Security Awareness Success
The human element of a cyber attack is now well established with research showing that around 85% of all attacks involve a human being tricked (or otherwise) into ‘pushing the attack button’. Security Awareness Training is one of the accepted methods used to prevent successful human-centred cyber attacks. Consequently, the expected spend on security awareness programs is likely to reach $10 billion by 2027. The six steps below can help you formulate a success plan to ensure that your budget is well-spent.
Step 1: Get Buy-in Across the C-Suite and Board
It goes without saying that if you want to effect change you have to get buy-in from the right folks to do so. Security is everyone’s problem, including at the board level. A positive tone from the top helps to change the attitude towards security that then filters across the entire organisation. With C-level and board buy-in, a CISO has the power to set the tools and processes in place to make the business more secure. C-level support provides the backbone needed to build a culture of security using a Security Awareness Training package.
MetaCompliance tip: Many data protection regulations and standards now require a security awareness program. Use these requirements as leverage when making the case for putting a security awareness program in place.
Step 2: Start at the Very Beginning
Know your security needs by evaluating the threat landscape, especially as it relates to your sector. This understanding is the baseline of an effective security awareness program. By knowing the types of threats that your sector or company is likely to encounter, you can tailor a Security Awareness Training program more effectively. For example, what cloud apps does your organisation use? What type of threat are they most at risk from? Do you offer flexible working and have remote workers? Is there a problem with password sharing amongst your staff?
Also, regulatory compliance needs may be specific to your sector: for example, your staff may work with large volumes of highly sensitive data that must conform to DPA2018 requirements. When developing a tailored awareness program, remember to include specifics on data protection regulations.
MetaCompliance tip: Your policies and procedures should map to the awareness training. In doing so, Security Awareness Training can be used to help enforce security processes.
Step 3: Make It Real (and Entertaining)
Security Awareness Training should be hands-on and human-centric. To make the training a success, a program must chime with its audience. There are lots of ways to make this happen, and not all security awareness programs are created equal. The best will offer interactive and engaging content that employees find interesting. If you can keep the interest of an individual, you are more likely to encourage active learning that sticks.
To develop a program that works well to mitigate human-centred cyber threats, the topics covered must reflect the types of threats your organisation does or will experience. Typical topics to cover include:
- Password hygiene
- Email scams
- Malware and removable media
- Being safe on the internet
- Social media: privacy and security
- Compliance and regulations and how they impact employees
Phishing simulation exercises are a creative and engaging way to teach employees about the dangers of phishing emails. More on those in step 4…
MetaCompliance tip: Overall, whatever your security awareness program contains, it must provide content that is interactive and engaging.
Step 4: How to Spot a Phish
The phish is where it is happening in the world of hackers. Phishing has become the go-to attack method over the years, and sophistication is the name of the game. Phishing campaigns are big business, and models such as ‘phishing-as-a-service’ provide hackers around the world with the tools to steal credentials and data and to infect networks with malware, including ransomware. So, teaching staff to spot phishing emails is a vital part of security awareness success.
Phishing simulation solutions are an important tool in the CISO’s awareness training kit. Phishing simulations allow an organisation to automate the delivery of simulated phishing emails, training users to spot the tell-tale signs of real phishing campaigns.
MetaCompliance tip: Use phishing simulation exercises as part of a wider security awareness program and design them to reflect the types of phishing threats that target your sector.
Step 5: Measure, Measure, Measure
It is important to understand the impact and effectiveness of a security awareness program. Security Awareness Training events often deliver metrics that show how effective they have been. Some examples of training metrics that can offer an insight into program effectiveness are:
- Surveys (qualitative): Questionnaires used to explore trainees’ understanding of the program and its delivery.
- Phishing simulation results (quantitative): For example, how many users clicked on phishing links as opposed to how many alerted the company on receiving a phishing email.
- Reporting metrics (quantitative and qualitative): How many users are reporting security issues as identified in training?
Metrics can be visualised to offer an at-a-glance feedback view to participants and management.
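As an added illustration of the quantitative measures above (this is example code written for this article, not a MetaCompliance product or anything from the original post), the script below takes a small set of constructed phishing-simulation records and works out, per campaign, the click rate, the report rate, and the median time to report, then flags users who clicked in more than one campaign and breaks click rate down by department. The record layout, campaign names, departments and user ids are all assumptions chosen for the example.

```python
"""Phishing-simulation metrics over constructed campaign records (added example)."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class SimResult:
    """One recipient's outcome in one simulation campaign (assumed layout)."""
    campaign: str                 # campaign identifier, e.g. "2023-Q1" (constructed)
    user: str                     # pseudonymous user id (constructed)
    department: str               # department label (constructed)
    clicked: bool                 # True if the simulated link was followed
    reported: bool                # True if the user reported the email
    minutes_to_report: Optional[int]  # None when the email was not reported


# Constructed sample data: the same five users across two campaigns.
SAMPLE: List[SimResult] = [
    SimResult("2023-Q1", "u1", "Finance", True, False, None),
    SimResult("2023-Q1", "u2", "Finance", False, True, 12),
    SimResult("2023-Q1", "u3", "Sales", True, False, None),
    SimResult("2023-Q1", "u4", "Sales", False, False, None),
    SimResult("2023-Q1", "u5", "IT", False, True, 3),
    SimResult("2023-Q2", "u1", "Finance", True, False, None),
    SimResult("2023-Q2", "u2", "Finance", False, True, 8),
    SimResult("2023-Q2", "u3", "Sales", False, True, 30),
    SimResult("2023-Q2", "u4", "Sales", False, False, None),
    SimResult("2023-Q2", "u5", "IT", False, True, 2),
]


def campaign_metrics(results: List[SimResult]) -> Dict[str, dict]:
    """Per campaign: recipients, click rate, report rate, median minutes to report."""
    by_campaign: Dict[str, List[SimResult]] = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    out: Dict[str, dict] = {}
    for name, rows in sorted(by_campaign.items()):
        n = len(rows)
        clicks = sum(1 for r in rows if r.clicked)
        reports = sum(1 for r in rows if r.reported)
        times = [r.minutes_to_report for r in rows
                 if r.reported and r.minutes_to_report is not None]
        out[name] = {
            "recipients": n,
            "click_rate": clicks / n,
            "report_rate": reports / n,
            # None when nobody reported; otherwise the median reporting delay.
            "median_minutes_to_report": statistics.median(times) if times else None,
        }
    return out


def trend(metrics: Dict[str, dict]) -> Dict[str, dict]:
    """Change in click and report rate versus the previous campaign (sorted by name)."""
    names = sorted(metrics)
    return {
        names[i]: {
            "click_rate_delta": metrics[names[i]]["click_rate"] - metrics[names[i - 1]]["click_rate"],
            "report_rate_delta": metrics[names[i]]["report_rate"] - metrics[names[i - 1]]["report_rate"],
        }
        for i in range(1, len(names))
    }


def repeat_clickers(results: List[SimResult], min_campaigns: int = 2) -> Set[str]:
    """Users who clicked in at least `min_campaigns` distinct campaigns."""
    clicked_in: Dict[str, Set[str]] = defaultdict(set)
    for r in results:
        if r.clicked:
            clicked_in[r.user].add(r.campaign)
    return {u for u, camps in clicked_in.items() if len(camps) >= min_campaigns}


def department_click_rates(results: List[SimResult], campaign: str) -> Dict[str, float]:
    """Click rate per department for one campaign; highlights where to focus training."""
    totals: Dict[str, int] = defaultdict(int)
    clicks: Dict[str, int] = defaultdict(int)
    for r in results:
        if r.campaign == campaign:
            totals[r.department] += 1
            clicks[r.department] += int(r.clicked)
    return {d: clicks[d] / totals[d] for d in sorted(totals)}


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE)
    for name, row in m.items():
        print(f"{name}: click {row['click_rate']:.0%}, report {row['report_rate']:.0%}, "
              f"median report delay {row['median_minutes_to_report']} min")
    print("trend:", trend(m))
    print("repeat clickers:", sorted(repeat_clickers(SAMPLE)))
    for name in m:
        print(name, "by department:", department_click_rates(SAMPLE, name))
```

Report rate alongside click rate is the pair worth watching: a falling click rate with a flat report rate suggests people are ignoring the emails rather than recognising and escalating them, and the repeat-clicker set is the natural input for targeted follow-up training rather than a blanket repeat of the same module.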
MetaCompliance tip: As well as using metrics to adapt training programs, also use metrics to map back to security policies and adjust them to capture problem areas identified during training.
Step 6: Adapt and Update
Use the metrics from security awareness tasks and events to adapt your delivery of future iterations of the awareness campaign. The metrics collected in step 5 will help to deliver more effective training. However, because cyber security threats are not static, program stewards must hold regular meetings to ensure that the training programs reflect the realities of corporate cyber security challenges. As the security landscape changes, as new employees come on board, and as new technology is deployed in your organisation, the Security Awareness Training must adapt to reflect these changes.
MetaCompliance tip: Mix and match different ways of training staff. Use a variety of options including games, phishing simulations, posters and newsletters, adapting these to suit each department’s security awareness needs over time. Involve departments across the organisation in designing and developing the programs.