How To Make Cybersecurity Awareness Training Stick
October is national cybersecurity awareness month – a time to evaluate, refresh or kickstart a program to help employees adhere to their organization’s security policies.
National Cybersecurity Awareness Month (NCSAM) is a joint effort between government and the cybersecurity industry to raise the importance of smart cybersecurity practices, ensuring that people have the resources they need to be safer and more secure online.
NCSAM is now in its 17th year of providing cybersecurity guidance, but this October is different: the coronavirus pandemic has upended how we use technology. Whether for work, for personal reasons or both, we now rely on virtual meetings and videoconferencing, as well as text, email and phone calls, and cybercriminals have found seemingly endless ways to trick unsuspecting users through those channels. For example, since March 2020 we’ve uncovered U.S. tax scams exploiting the extended filing deadline, an increase in ransomware attacks on hospitals and health systems, and a 33% rise in impersonation and social engineering attacks in the first 100 days of the pandemic.
Now, cybercriminals are pivoting to phishing lures built around the U.S. election, protests and the West Coast wildfires, among other major global events. In other words, people are facing a torrent of possible attacks that can put them and their employers at risk. You may have heard that 90% of all security breaches involve human error, which makes security awareness training a critical component of minimizing risk and creating a security-first culture in businesses.
Here’s how to begin.
- Get buy-in. Gain senior leadership support that demonstrates backing of the program and removes any obstacles to its success. Security awareness training should be viewed as an equal to technology investments, and with a high success rate, it is a cornerstone to your organization’s overall security posture. At a higher level, in fact, to win support and resources from their corporate board, cybersecurity professionals need to focus more on reducing business risk and less on technical metrics.
- Help employees understand why it matters. The volume and velocity of attacks by cybercriminals show no signs of slowing down. This means security has to be everyone’s responsibility, not someone else’s job. Underscore the importance of employee actions by sharing frequent examples of how your organization or industry peers suffered the consequences of a security breach caused by human error.
- Align training with the most relevant security threats. Keep the program relevant and impactful by using company-specific emails that employees previously clicked to inform your training program. In addition, having the ability to convert real phishing attacks to training simulations may create maximum impact.
- Know your vulnerabilities and direct training accordingly. Focus your training effort on the greatest areas of risk by identifying the riskiest employees. By tracking user behavior, determine individual employees’ risk score and direct training resources to those who need it most.
- Create a security culture that educates at the point of risk. Integrate email security and training solutions so emails containing malicious links can be scanned and identified with web block banners at the point of risk, making employees aware of the attack and preventing them from clicking, while also changing user behavior.
- Use real phishing attacks. Teaching employees to spot phishing attacks isn’t easy and phishing simulations often don’t work. Leverage a training platform that allows you to convert real-life phishing attacks that employees previously clicked on to phish test templates.
- Be persistent and consistent. Training that’s delivered too infrequently, such as only once or twice per year, isn’t enough to maintain awareness and retention. Monthly installments of video-based cybersecurity awareness training modules that cover core concepts keep security top of mind. In fact, according to Mimecast’s State of Email Security 2020, just one in five organizations offer monthly security awareness training sessions to employees; those who offer training less often usually don’t see the benefits it delivers.
- Benchmark performance internally and against peers. Tracking industry comparison rates for performance metrics, including completion rates and correct responses, helps set training goals and standards. And watchlists of employees who haven't participated in the trainings or have given incorrect responses can play a role in how you evaluate the program – and its content – quarter after quarter.
- Keep it engaging and fun. Speaking of content, it’s critical to hold employees’ attention with engaging, video-based trainings that are delivered regularly in small intervals. Trainings that take only three to five minutes per month, a tolerable ask of today’s busy employee, make training a welcome reprieve instead of an unwanted burden.
- Minimize security and IT dependency. Using a multi-tenant cloud-native platform reduces costs and removes the burden of managing infrastructure and hardware, simplifying administration and management.
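The per-employee risk scores, completion and correct-response rates, and watchlists described in the "Know your vulnerabilities" and "Benchmark performance" items above can be computed from a platform's training and phishing-simulation export. The following is an added illustration, not code from the article or from any vendor's product; the employee names, event records and scoring weights are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample export (hypothetical employees; not data from the article).
# Each record is (employee, event, outcome): event "module" is a monthly training
# module with outcome "completed" or "missed"; event "sim" is a phishing
# simulation with outcome "reported", "ignored" or "clicked".
RECORDS = [
    ("alice", "module", "completed"), ("alice", "sim", "reported"),
    ("bob",   "module", "missed"),    ("bob",   "sim", "clicked"),
    ("carol", "module", "completed"), ("carol", "sim", "clicked"),
    ("dave",  "module", "missed"),    ("dave",  "sim", "ignored"),
    ("erin",  "module", "completed"), ("erin",  "sim", "reported"),
]

# Assumed weights: clicking a simulated phish is the riskiest observed behaviour,
# skipping a module is next, ignoring a simulation is mildly negative, and
# reporting a phish earns credit. Tune these to your own program.
WEIGHTS = {"clicked": 3, "missed": 2, "ignored": 1, "completed": 0, "reported": -1}


def risk_scores(records):
    """Per-employee risk score: weighted sum of outcomes, floored at zero."""
    scores = defaultdict(int)
    for employee, _event, outcome in records:
        scores[employee] += WEIGHTS[outcome]
    return {employee: max(0, score) for employee, score in scores.items()}


def program_metrics(records):
    """Module completion rate and simulation correct-response (reported) rate."""
    modules = [outcome for _, event, outcome in records if event == "module"]
    sims = [outcome for _, event, outcome in records if event == "sim"]
    completion = sum(o == "completed" for o in modules) / len(modules) if modules else 0.0
    correct = sum(o == "reported" for o in sims) / len(sims) if sims else 0.0
    return {"completion_rate": completion, "correct_response_rate": correct}


def watchlist(records):
    """Employees who skipped a module or clicked a simulated phish, riskiest first."""
    flagged = {employee for employee, _event, outcome in records
               if outcome in ("missed", "clicked")}
    scores = risk_scores(records)
    return sorted(flagged, key=lambda employee: (-scores[employee], employee))
```

Running `watchlist(RECORDS)` on the constructed export returns the employees to direct extra training to, ordered so that the highest risk score comes first.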
The Bottom Line
Implementing a security awareness training program for the first time can be a daunting task, particularly from a cultural perspective; employees may not actively participate without clear and consistent encouragement from senior leaders.
However, for organizations that are using National Cybersecurity Awareness Month as a time to reevaluate and refresh their programs, it’s critical to review metrics like watchlists and employee scores, as well as participation among different business units to identify any gaps. According to Gartner’s May 2020 report, How to Build an Enterprise Security Awareness Program, security and risk management leaders overseeing information security management programs should “improve the program continuously by measuring results, at as granular a level as possible, then report those results and act on them.” The same report states, “By 2023, organizations that implement specific and measurable security awareness programs will experience 75% fewer account takeover attacks than organizations that don’t.”