In 2022, the business world continued to deal with onslaughts of ransomware, scams, and data breaches. However, it wasn’t just high-profile enterprises that were attacked; healthcare, education, government, and small businesses were all victims of cyber attacks.
In a 2022 report, the Office of National Statistics (ONS) showed a 25% increase (to 4.5 million) in fraud offences for the year ending March 2022 compared with the year ending March 2020. And in 2022, phishing was still the most common threat against UK businesses, with 83% of attacks being phishing-based.
However, a new year brings new hope and ideas.
Security Awareness Training remains a top priority for companies wanting to tackle fraud, scams, and other cyber threats. But how can your organisation improve its Security Awareness Training in 2023?
Here are five ideas to get your organisation fit for security in 2023.
Be Positive, Be Secure
Cybercriminals, especially those who use social engineering and phishing, rely on poor security behaviour to make their scams work. Good cyber security training is about changing negative security behaviour into a more positive stance. However, changing behavioural patterns takes work.
Behaviour, such as the urge to click, is a learned pattern, and changing deep-seated actions requires a concerted effort involving strategies such as simulated phishing campaigns. Improve your Security Awareness Training content through campaigns based on proven strategies, such as interactive learning that changes poor behavioural habits into positive actions. Interactive learning and engaging content will boost employee engagement and help your organisation to grow a positive security culture.
Keep it Relevant and Interesting
The security industry body, ISACA, researched how to improve Security Awareness Training. The research involved over 5000 organisations from across the world. The study found clear evidence that effective Security Awareness Training required the correct type of delivery of interesting and relevant content.
Included in ISACA’s findings was that information should be delivered in small chunks after the first session and at regular frequencies to reinforce learning. The type of information also matters. Real-life case studies helped to cement knowledge and reinforce the importance of good security behaviours.
The researchers found that content must be “pertinent, related to theory and practise, and tell a story.” Use Security Awareness Training material, such as short explainer videos and phishing simulation exercises, to engage employees and make content relatable and relevant.
Reward Success, and Don’t Play the Blame Game
No one likes playing the blame game, and Security Awareness Training should avoid using blame when training employees. The problem with attributing blame is that it can cause people to lose confidence, leading to even worse mishaps.
Developing a robust cyber security posture takes time and is predicated on many aspects of the organisation’s IT systems, people, and processes. Don’t blame employees for security mistakes: technology changes, and cybercriminals change their techniques. Instead, treat poor security behaviour as an opportunity to change that behaviour and learn from mistakes.
Advanced Security Awareness Training programs will provide interactive training sessions during an exercise to show employees where they went wrong and how to make sure they don’t repeat the same behaviour.
Also, reward success instead of using blame to shame. If employees do well in training sessions, offer them small rewards and incentivise good behaviour.
Generate Actionable Data
Metrics offer a vital insight into the effectiveness of a Security Awareness Training module; some advanced systems provide highly granular views, across time, and on an individual basis, on a given module’s training effectiveness.
Phishing simulation modules, for example, generate data on an employee basis, showing employees’ learning curves as they develop the skills to identify email-borne threats. Use security awareness metrics data to fine-tune your training modules and identify hard-to-change behaviours for greater attention—target specific roles and groups by using metrics to help design tailored simulated phishing campaigns. Over time, the feedback provided by granular training metrics will allow you to develop more effective training sessions.
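To make the metrics described above concrete, here is an added example (not code from the original article or from any training product) that turns per-employee simulated-phishing results into the three views the paragraph mentions: a per-campaign click rate by role, each employee’s learning curve across campaigns, and a list of employees whose clicking behaviour has not changed over recent campaigns. The campaign data, employee ids, roles and outcome labels are constructed for illustration, and the “hard to change” threshold (clicked in each of the last two campaigns) is an assumption chosen for the example.

```python
from collections import defaultdict

# Constructed sample results from three simulated phishing campaigns (hypothetical data).
# Each row: (campaign, employee id, role, outcome)
# outcome: "reported" (employee flagged the lure), "ignored" (no action), "clicked" (followed the lure link)
SAMPLE_RESULTS = [
    ("2023-Q1", "e01", "accounts_payable", "clicked"),
    ("2023-Q1", "e02", "accounts_payable", "clicked"),
    ("2023-Q1", "e03", "engineering", "reported"),
    ("2023-Q1", "e04", "engineering", "ignored"),
    ("2023-Q2", "e01", "accounts_payable", "clicked"),
    ("2023-Q2", "e02", "accounts_payable", "reported"),
    ("2023-Q2", "e03", "engineering", "reported"),
    ("2023-Q2", "e04", "engineering", "clicked"),
    ("2023-Q3", "e01", "accounts_payable", "clicked"),
    ("2023-Q3", "e02", "accounts_payable", "reported"),
    ("2023-Q3", "e03", "engineering", "reported"),
    ("2023-Q3", "e04", "engineering", "reported"),
]


def click_rate_by_role(results):
    """Return {campaign: {role: click_rate}} so a department's exposure can be tracked per campaign."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # role -> [clicks, recipients]
    for campaign, _emp, role, outcome in results:
        tally = counts[campaign][role]
        tally[1] += 1
        if outcome == "clicked":
            tally[0] += 1
    return {
        campaign: {role: clicks / total for role, (clicks, total) in roles.items()}
        for campaign, roles in counts.items()
    }


def employee_learning_curve(results):
    """Return {employee: [(campaign, outcome), ...]} in campaign order: the individual's learning curve."""
    curves = defaultdict(list)
    for campaign, emp, _role, outcome in sorted(results):
        curves[emp].append((campaign, outcome))
    return dict(curves)


def hard_to_change(results, min_campaigns=2):
    """Employees who clicked in every one of their last `min_campaigns` campaigns.

    Threshold is an assumption for this example; these are candidates for targeted follow-up training.
    """
    flagged = []
    for emp, curve in employee_learning_curve(results).items():
        recent = [outcome for _, outcome in curve[-min_campaigns:]]
        if len(recent) == min_campaigns and all(o == "clicked" for o in recent):
            flagged.append(emp)
    return sorted(flagged)


def role_trend(results):
    """Per role, the click rates in campaign order and whether the latest rate is below the first."""
    by_campaign = click_rate_by_role(results)
    rates_by_role = defaultdict(list)
    for campaign in sorted(by_campaign):
        for role, rate in by_campaign[campaign].items():
            rates_by_role[role].append(rate)
    return {
        role: {"rates": rates, "improving": rates[-1] < rates[0]}
        for role, rates in rates_by_role.items()
    }


if __name__ == "__main__":
    for campaign, roles in sorted(click_rate_by_role(SAMPLE_RESULTS).items()):
        print(campaign, {role: f"{rate:.0%}" for role, rate in roles.items()})
    print("needs follow-up:", hard_to_change(SAMPLE_RESULTS))
    print("role trends:", role_trend(SAMPLE_RESULTS))
```

With the constructed data, accounts payable falls from a 100% click rate to 50% across the three campaigns, engineering stays flat, and only e01 is flagged for follow-up, which is the kind of role- and individual-level signal the article says should drive tailored campaigns rather than a single organisation-wide pass rate.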
Integrate Security Training with Your Organisation
Security norms should be set at the organisational level, integrating individuals with a culture of security where safety comes first. Successful Security Awareness Training is about the maturation of methods and approaches, not just tick-box efforts to meet regulations.
However, regulatory requirements for Security Awareness Training should be used as a baseline to establish metrics on the effectiveness of your training. Dovetailing organisational goals with security training moves the burden of security from the individual to a collective effort: build a Security Awareness Training program that fits your organisational security needs and includes everyone, from board level down, in training sessions. Make sure that each department has tailored training programs that reflect real-world threats. For example, scams such as Business Email Compromise (BEC) target specific departments, such as the CEO’s office and accounts payable.
Chances are 2023 will be as challenging for businesses dealing with security threats as previous years were. No organisation, whatever its size or industry, can rest on its laurels and hope it won’t be a target.
However, our people are our strength. By applying these five improvement strategies to your Security Awareness Training program for 2023, you can help to develop a robust cyber security posture and empower your employees against cybercriminals and scammers.