One of the most important ways to control the human side of cyber security breaches is to use tailored Security Awareness Training for employees.
From the loss of customer trust to the cost of non-compliance fines, data breaches are now a daily concern for businesses in every sector, and keeping on top of security risks is a challenge.
It would be wonderful if IT security were simply a matter of deploying a piece of technology to close the door on cybercriminals. But, as IBM's study of the cost of a data breach shows, most incidents trace back to a person: simple human error, a malicious insider, a phishing email that was acted on, or credentials that were compromised.
Importance of Security Awareness Training for Employees
As we all know, education is important in life, and that extends to behaviour and security: if people understand why they act in a particular way, they can more easily change behaviour that puts them at risk.
By making employees and non-employees aware of how cybersecurity works, they can become part of an educated team that plays a positive role in helping to mitigate cyber attacks on an organisation.
People develop habits and shortcuts that make using computers easier, and those habits become predictable. Attackers exploit exactly that predictability to manipulate employees into actions that benefit fraudsters.
This is borne out by studies showing that manipulating human behaviour is the tool of choice in cybercrime. Malware may do the job of exfiltrating data, but a person usually opens the door first, through human error, social engineering, or phishing. Here are three key reasons why Security Awareness Training for employees is important:
Security Awareness Training Focuses on the Human in the Threat Chain
According to ENISA, over 95% of phishing emails require human intervention to initiate malware infection.
Security Awareness Training Reduces Costs
The IBM study mentioned earlier found that employee training courses were one of the top ways to reduce the average cost of a data breach.
Security Awareness Training Takes Policies and Turns them Into Actions
Another ENISA study, this one into cyber security culture, emphasises the importance of enforcing security policies. The report found that end users think of security policies as “guidelines, but not rules”, and it highlights the importance of changing employees’ mindsets so that their risk perception is adjusted by a coordinated organisational security culture rather than by coercion.
Essential Security Awareness Training Topics for Employees
Security Awareness Training programs contain several topic areas that are a must for effective training. Six of the most important are:
Phishing
Phishing remains one of the top routes to a data breach. Along with a lack of training and poor password hygiene, phishing is one of the top three ways that ransomware infections begin. Employee Security Awareness Training must cover how phishing works and the forms it takes: email phishing, voice phishing (vishing), SMS phishing (smishing), and targeted spear phishing. Simulated phishing is often part of an awareness package: test phishing emails are sent to staff to train them in the typical tricks fraudsters use, and the click and report rates show where further training is needed. Many programs also offer interactive videos to help employees spot the many kinds of fraud that rely on phishing.
Malicious Websites and URLs
In 2020, Google registered more than 2 million phishing websites. A malicious URL can lead to credential theft or, through a drive-by download, to malware infection with no further action from the user than loading the page. End users need to be trained to spot the sites and scams that aim to harvest credentials or infect the network. This is getting harder: the padlock and https:// only mean the connection is encrypted, not that the site is trustworthy, and the Anti-Phishing Working Group (APWG) reports that 83% of phishing sites now use HTTPS.
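The indicators a trained user is taught to look for in a URL can also be checked mechanically, which is useful when building the examples for a training session or a report-phishing triage queue. The script below is an added example written for this article, not MetaCompliance code or any product's logic. PROTECTED_DOMAINS, the confusable table and the sample URLs are constructed for illustration (198.51.100.7 is a documentation address), and the registrable-domain logic is a deliberate simplification. Note what the scoring leaves out: the scheme. As the paragraph above says, https:// is no longer a signal of legitimacy, so it carries no weight.

```python
"""Heuristic triage of a URL for phishing indicators.

Added example, not MetaCompliance code. PROTECTED_DOMAINS and the sample URLs
are constructed for illustration; 198.51.100.7 is a documentation address.
"""
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Domains your users genuinely sign in to (assumption; in practice, take this
# from your SSO / application inventory).
PROTECTED_DOMAINS = ("microsoft.com", "example-bank.com")

# Digit/letter swaps commonly used in look-alike domains (illustrative, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise_host(host: str) -> str:
    """Fold case, Unicode compatibility forms and the common confusable swaps."""
    h = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    for bad, good in CONFUSABLES:
        h = h.replace(bad, good)
    return h


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels. This ignores multi-part
    public suffixes such as co.uk; a real tool should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_url(url: str) -> dict:
    """Return {'host', 'score', 'reasons'}; a higher score is more suspicious.

    Deliberately absent: the scheme. https:// adds nothing to the verdict,
    because a certificate only proves the connection is encrypted.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []

    if parts.username is not None:
        # https://microsoft.com@evil.example/ shows the brand before the real host.
        reasons.append(f"credentials (user@) in URL; the real host is {host}")

    try:
        ipaddress.ip_address(host)
        is_ip = True
        reasons.append("IP address used instead of a hostname")
    except ValueError:
        is_ip = False

    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode (IDN) label; inspect for homoglyphs")
    if not is_ip and len(labels) >= 4:
        reasons.append("unusually deep subdomain chain")

    reg = registrable(host)
    folded_reg = registrable(normalise_host(host))
    for brand in PROTECTED_DOMAINS:
        if reg == brand:
            continue  # genuinely the brand's own registrable domain
        if folded_reg == brand:
            reasons.append(f"look-alike of {brand} after confusable folding")
        elif edit_distance(reg, brand) == 1:
            reasons.append(f"one edit away from {brand} (typo-squat)")
        elif brand in host:
            # microsoft.com.account-verify.example: the brand sits in a subdomain.
            reasons.append(f"{brand} appears in a subdomain of {reg}")

    return {"host": host, "score": len(reasons), "reasons": reasons}


if __name__ == "__main__":
    for u in (
        "https://www.microsoft.com/login",
        "https://micros0ft.com/login",
        "https://microsoft.com@198.51.100.7/reset",
        "http://microsoft.com.account-verify.example/",
    ):
        print(u, triage_url(u))
```

The same URL scores identically with http:// and https://, which is the point to make in training: the checks that matter are the host that actually receives the credentials, whether a brand name has been pushed into a subdomain or the userinfo part, and whether the registrable domain is a near miss for one the user knows.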
Password Hygiene
Some statistics from LastPass sum up the password problems faced by organisations:
- 66% of people reuse passwords
- 53% haven’t changed their passwords in over 12 months
- 41% believe that their accounts are not valuable enough to attract a hacker
Security Awareness Training should cover why password hygiene matters, in particular why a password reused across sites falls with the weakest of them, and how to create robust passwords, for example long passphrases rather than short strings of symbols.
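Two of the points above, that length beats complexity and that a reused or leaked password is effectively public, are easier to teach with numbers than with rules. The script below is an added example for this article, not MetaCompliance code. WORDLIST and BREACHED are small constructed samples standing in for a full diceware list and a real breach corpus; the breach lookup imitates the prefix-partitioned shape of the Have I Been Pwned range API but runs entirely offline.

```python
"""Password hygiene helpers: passphrase strength and a breached-password check.

Added example, not MetaCompliance code. WORDLIST and BREACHED are small
constructed samples; a real deployment uses a full wordlist and a real
breach corpus.
"""
import hashlib
import math
import secrets

# Constructed sample wordlist. The EFF long list used for real diceware
# passphrases has 7776 entries.
WORDLIST = (
    "anchor", "basket", "candle", "dolphin", "ember", "forest", "glacier",
    "harbour", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orchard", "pebble",
)

# Constructed sample of passwords known to appear in breach dumps.
BREACHED = ("password", "Password1", "123456", "qwerty", "letmein", "welcome1")


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random string: symbols * log2(alphabet).
    Six words from a 7776-word list (~77.5 bits) beat eight random printable
    ASCII characters (~52.4 bits), and are far easier to remember."""
    return symbols * math.log2(alphabet_size)


def generate_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Random passphrase drawn with the secrets module (a CSPRNG), never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def _breach_index(plaintexts) -> dict:
    """Index breached passwords by the first five hex chars of their SHA-1,
    mirroring how the Have I Been Pwned range API partitions its corpus."""
    index: dict = {}
    for pw in plaintexts:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = _breach_index(BREACHED)


def is_breached(password: str, index: dict = BREACH_INDEX) -> bool:
    """k-anonymity style lookup: only the 5-char prefix would ever leave the
    host in a real query; the suffix comparison happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


def check_password(password: str, min_length: int = 12) -> list:
    """Return the hygiene problems with a candidate password (empty list = OK)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_breached(password):
        problems.append("appears in a known breach; assume attackers try it first")
    return problems


if __name__ == "__main__":
    print("8 random printable chars:", round(entropy_bits(8, 94), 1), "bits")
    print("6 diceware words:        ", round(entropy_bits(6, 7776), 1), "bits")
    print("example passphrase:", generate_passphrase())
    for candidate in ("qwerty", "Password1", "anchor-basket-candle-dolphin"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The entropy figures assume the passphrase is generated randomly, not chosen by the user; a favourite song lyric is a dictionary entry, not a random draw. The breach check is the argument against reuse in one line: if the password appears in any dump, every site it was reused on is exposed, no matter how complex it looks.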
Mobile Security
Now that many employees work from home or remotely at least part of the time, mobile security is more important than ever. Around 70% of online fraud happens on the mobile channel. Security Awareness Training should focus on the secure use of mobile devices: using trusted Wi-Fi rather than open hotspots, installing apps only from official stores and keeping them updated, and recognising phishing on a small screen, where a sender address or a URL is easy to miss.
Social Engineering
Social engineering tricks users into handing fraudsters valuable data such as login credentials and personal information. It also plays a large role in complex scams such as Business Email Compromise (BEC), where an employee is persuaded by a spoofed or hijacked email from a senior manager or supplier to send money to the fraudster’s bank account.
Handling Sensitive Data
Regulations and standards require that defined processes are followed when handling sensitive data. Employee Security Awareness Training should therefore include a module on each employee’s role in handling sensitive and personal information in a compliant way.
Making Security Awareness Training Interesting for Employees
Cybersecurity is typically seen as a dull subject, but Security Awareness Training has come a long way since its inception. Modern programs are designed to stick, which means they can be interesting, even fun. Some ways to make your security awareness program for employees fun and interesting are:
Play: Learning through play is something humans do well. When you have fun doing something you tend to remember it. Tailor your cybersecurity lessons so that they use games to help make the training stick in the minds of your employees.
Interact: Interactive training sessions engage employees and help them learn. Some programs offer interactive videos that walk employees through a typical scam step by step to show how they could be tricked, and give feedback on the fly as the employee makes choices during the session.
Relate: People also learn well from games or interactive sessions that are relatable, so tailor your Security Awareness Training to the real-life threats your business sector faces. The study of adult learning, known as “andragogy”, says this about teaching adults:
“Since adults are looking for practical learning, content should focus on issues related to their work or personal life.”
Security Awareness Training Resources for Employees
Here are a few resources to help with ideas on how to tailor cybersecurity awareness for employees:
Security awareness month: The whole of October is dedicated to security awareness topics, with advice and activities for training employees in security threats.
The National Cyber Security Centre: This national body has many resources to help tailor awareness training sessions.
Google phishing quiz: A quick, automated and fun test that walks through some common phishing tricks.
MetaCompliance phishing simulation tool: MetaPhish is tailored to your employees and gives insight into how effective your security training has been.
Cybersecurity awareness posters: Free posters that you can print or send out to remind employees of various cybersecurity essentials.