Security awareness training can be a somewhat touchy subject. For those who administer it, it can often feel like just one more task to keep track of. It can feel the same for the employees who must undergo the training, especially those who feel that their jobs have no direct impact on the company’s information security. Though it can be difficult to figure out the best way to deploy this type of training, it has become the norm within the corporate landscape. This article aims to provide answers on what security awareness training is, how it can best be accomplished, and why it is important.
Before the best way to roll out a security awareness program can be explored, it must be determined what it is and why it is done. This discussion aims to be neither exhaustive, nor all-inclusive, but simply to provoke thought on why an organization does, or does not, take part in security awareness training.
So, what is security awareness training? The most commonly accepted definition is that it is an end-user-based training that is delivered on a regular basis, usually annually, which reduces the organization’s overall risk by ensuring that all employees are aware of information security best practices. It is widely accepted that employees are the most easily exploited attack vectors to an organization. One doesn’t need to look much further than the prevalence of phishing attacks and breaches caused by social engineering to verify this. To reduce this risk, security awareness training often covers several topics that include: basic security practices, company policy, and any relevant information related to regulations the company may have to adhere to. The hope is that equipped with this information, employees will both help strengthen the security posture of the organization through heightened awareness and be unable to claim ignorance.
With an understanding of what security awareness training is, and what it aims to accomplish, it is important to discuss the two thought processes around implementing or managing a program. It is common for organizations to be required to run an awareness program on a regular basis. Usually, this is either mandated by clients or via regulation. In these instances, it can be easy for an organization to put something in place simply to appease their clients or pass their audits. This thought process would fall under “check-the-box”. The other train of thought is that regardless of outside pressure or requirements, the training is required to lower the company’s risk level to an acceptable level. This second motivation for implementing and/or maintaining the program is much more in line with the definition above and should be the spirit that any program is based on.
Like any security control that can be put into place, there are a number of options for an organization when it comes to awareness training. The two main choices are in-house training or the utilization of a third-party solution. In-house training is exactly what it sounds like; an organization develops and delivers its training using resources already available to them. This is a great option if a training department already exists (more common for larger organizations) or if the budget exists to bring in an expert as a one-time consultant to develop the materials. Third-party solutions are readily available, and quite affordable, but will lack the customization and personal touch that in-house developed materials may offer. It is important to consider how frequently the program will be refreshed when making the decision between the two options as well, as that one-time consultant might quickly turn into a full-time employee. There is also the option to mix and match, which will be discussed alongside an approach for implementing and running a security awareness program.
The last consideration that needs to be made around an awareness program is what topics need to be covered. Some organizations get their security department together and list out whatever they can think of. Other companies may check off every single topic in their third-party solution. Many organizations who design their training specifically to meet client contractual agreements will ask their clients what topics they cover in their training. The latest news cycle can influence training, as can the organization’s own user behavior. Again, these are common scenarios and not every possibility.
One recommended approach to security awareness training is a data-driven approach. The most important things to remember when taking any approach to security awareness training are to never settle for “checking the box” and to always aim to reduce risk by truly educating and empowering employees. A good way to start is a baseline level of training delivered upon hire and on an annual basis. This training would cover common security topics such as locking computers before walking away from them, how to spot phishing emails, and so on. During this training, any pertinent internal security policies, as well as any regulatory or contractual standards that the company is required to meet, are also important to cover. To strengthen the training on an ongoing basis, it is important to keep a pulse on the industry and introduce out-of-band training or additional training topics regularly. A few examples of topics that may get added, or even require their own standalone training, would be GDPR or ransomware. If external data points are important, internal data is gold. If an organization is not collecting data on employee behavior and the attack types they are dealing with, it cannot effectively empower them to secure the organization. So, tests like internal phishing campaigns, looking at how often individuals are blocked by the content filter, and checking who has the most viruses quarantined should be run. Focused and individualized training can then be provided. Company-wide training is an appropriate response if something becomes a trend across an organization. To do all of this effectively, it may be best to mix a third-party solution with internal resources. Third-party solutions do a fantastic job of covering the basic topics, and even many common compliance standards. Only an organization’s own information security department knows its policies and unique challenges.
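As an added illustration of the data-driven step above (example code, not from the article): the three internal signals it names, phishing-simulation clicks, content-filter blocks and antivirus quarantines, are combined into a per-employee score, individuals above a threshold are routed to the training topic matching their dominant signal, and a company-wide module is triggered when the share of flagged staff shows a trend. All data, weights and thresholds are constructed assumptions to be tuned by the organization.

```python
from collections import Counter

# Constructed sample signals (not real data), one record per employee.
PHISHING_SIM = [  # (user, simulated emails sent, emails clicked)
    ("alice", 4, 0), ("bob", 4, 3), ("carol", 4, 1), ("dave", 4, 2), ("erin", 4, 2),
]
CONTENT_FILTER_BLOCKS = {"alice": 0, "bob": 7, "carol": 1, "dave": 3, "erin": 0}
AV_QUARANTINES = {"alice": 0, "bob": 2, "carol": 0, "dave": 0, "erin": 1}

# Assumed weights and thresholds; a real program would tune these to its own baseline.
WEIGHTS = {"phish": 0.6, "filter": 0.25, "av": 0.15}
TOPIC_FOR_SIGNAL = {"phish": "spotting phishing", "filter": "acceptable use policy",
                    "av": "safe downloads and attachments"}
INDIVIDUAL_THRESHOLD = 0.5   # weighted score at which a user gets focused training
TREND_FRACTION = 0.4         # share of staff flagged that makes it a company-wide topic


def signal_breakdown():
    """Return {user: {signal: weighted contribution}} with each signal normalised to 0..1."""
    max_blocks = max(CONTENT_FILTER_BLOCKS.values()) or 1
    max_av = max(AV_QUARANTINES.values()) or 1
    out = {}
    for user, sent, clicked in PHISHING_SIM:
        out[user] = {
            "phish": WEIGHTS["phish"] * (clicked / sent if sent else 0.0),
            "filter": WEIGHTS["filter"] * CONTENT_FILTER_BLOCKS.get(user, 0) / max_blocks,
            "av": WEIGHTS["av"] * AV_QUARANTINES.get(user, 0) / max_av,
        }
    return out


def risk_scores():
    """Collapse the breakdown into one 0..1 score per employee."""
    return {u: round(sum(parts.values()), 3) for u, parts in signal_breakdown().items()}


def training_plan():
    """Decide who gets focused training on which topic, and whether a trend warrants a company-wide module."""
    breakdown = signal_breakdown()
    scores = risk_scores()
    focused = {}
    for user in sorted(scores):
        if scores[user] >= INDIVIDUAL_THRESHOLD:
            dominant = max(breakdown[user], key=breakdown[user].get)
            focused[user] = TOPIC_FOR_SIGNAL[dominant]
    topic_counts = Counter(focused.values())
    company_wide = [t for t, n in topic_counts.items() if n / len(scores) >= TREND_FRACTION]
    return {"focused": focused, "company_wide": sorted(company_wide)}


if __name__ == "__main__":
    print(risk_scores())
    print(training_plan())
```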
Taking the human approach, when practical, helps build trust and better position the security function as an ally to the rest of the organization.
This article is meant to provide answers to the first questions someone may have when met with the phrase “security awareness training”, empower them to think differently about it and provide a data-driven framework to build a gold-standard program. Whether an organization is just beginning to implement a security awareness program, moving an existing program from “check the box” to effective, or is looking to make minor adjustments, hopefully, this article has provided the motivation to achieve that.