Security Awareness Training

    Securing the right doors: How to focus awareness training

    Awareness training is a crucial tool in the fight against cyberattackers. Here’s how CISOs can make the most of their cybersecurity budget by targeting it to manage specific risks.

    by Garrett O’Hara

    Do you give all employees the same cookie-cutter training, regardless of whether they’re remote workers, contractors, legal staff or members of the C-suite?
    Are your awareness tests virtually the same as every other company's on the block – even though most of those companies are in completely different sectors? And even if you’re not making these common mistakes, are you confident you are getting the maximum value out of your security training budget?

    To get the most out of your awareness training you must continually evaluate the risks your organisation faces, then give staff engaging, focused training that covers off those risks. That way you can be sure you’re not burning through employee time and cyber budget on generic training while the real threats walk right through the front door.

    Get risk assessment specific to your org

    Two-thirds of Australian businesses believe that risky employee behaviour is putting their company at risk – but only a quarter of those organisations offer ongoing awareness training. Simply making cyber training a regular part of working life is a crucial first step to strengthening your cyber resilience.

    To target that training – and take its impact to the next level – start with a simple evaluation of the incidents that have affected your company. These can include data breaches, near-misses and examples of carelessness or negligence. That kind of assessment should provide a clearer picture of which threats are most likely to hit you the hardest. In broad strokes:

    The Australian Cyber Security Centre (ACSC) notes that in 2021 criminals relied heavily on pandemic-related scams and struck at critical infrastructure, with ransomware on the rise and Business Email Compromise (BEC) attacks growing more lucrative.

    New Zealand’s National Cyber Security Centre (NCSC) similarly underlines the rising danger of ransomware, as well as attacks on healthcare and financial institutions and the rise of state-sponsored actors.

    While this kind of high-level assessment is a great start, there are more in-depth tools available to pinpoint which risks you should address and when.

    Use detailed analysis to focus training

    Depending on the sector you are in, you may decide that following a standard maturity model would be enough to meet your security needs. Maturity models are a very useful strategic tool: they can help you set up capabilities and controls, and enable companies to meet specific cybersecurity standards. Measures such as Australia’s Essential Eight, New Zealand’s Capability model and industry-specific programs can both shape your overall cybersecurity posture and inform your training priorities. But they are no substitute for a precise risk assessment of your own organisation.

    Assessments identify risks, qualify their impacts and measure your ability to manage them. If you’ve got the resources and inputs required, the most sophisticated risk-based models of cybersecurity can put a dollar value on specific threats, helping you target training more precisely (and make a budget case more persuasively) than the broad recommendations a maturity model provides.

    Focus on the basics

    Your assessment may offer great leads for specific training areas. But you should always start with the basics. Training on password etiquette, removable media and devices is essential, as is avoiding physical security mistakes such as leaving laptops unlocked, documents visible or passwords written in plain sight.

    These standard aspects of awareness training are worth adjusting and emphasising if your organisation shares its office space or relies on temps or contractors – who may need their own training sessions that address their situation. Training in social media guidelines (which may govern the sharing of personal, project or client information) is another measure that can limit your attack surface, particularly if your staff are encouraged to have a strong online presence.

    Train your staff to catch phish

    If social engineering is a concern for your organisation – and 70% of organisations think they’ll be hit by an email-borne attack this year – anti-phishing training should be near the top of your list. Staff should be advised on how to deal with suspicious emails, links and texts, including how to report incidents. That should include detail on specific current threats and tactics used by scammers, such as false urgency and the use of personal details, as well as emerging threats such as deepfake videos and voice messages.

    This training must not neglect senior staff. In fact, with C-suite, legal and IT staff being particularly sought-after targets because of their influence and access privileges, you may choose to offer these groups tailor-made training.

    Remote workers need specialised awareness training

    The pandemic accelerated the rise of remote work, and while many workers love the freedom it offers, hackers relish the opportunities that come with this shift. Remote or hybrid employees must be educated on safe working practices, with guidelines covering the use of unsecured wi-fi, personal devices, encryption and third-party apps. Remote workers are more at risk of phishing attacks, which should be a particular focus if a high number of employees work from home.

    From cloud cover to spyware, your business will have its own cyber priorities

    We’ve covered key areas of training above, but every business faces different challenges.

    1. If some functions are cloud-based, they’ll need their own cloud-centric security solutions and awareness training.
    2. Finance regulations, data protection policies and compliance vary sector-by-sector, and certain roles may require individual guidelines.
    3. As state-sponsored actors rise in significance, spyware will become an increasing danger, notably in industries such as infrastructure, healthcare and government.
    4. Internet of Things (IoT) devices may require a separate focus, particularly in manufacturing, industrial and healthcare settings that rely on a variety of networked devices.

    Whatever topics you focus on, training shouldn’t feel like a chore for staff. That means using real-world examples that people can relate to, gamifying training where appropriate, and listening to staff feedback. Employees who have a voice are far more likely to feel invested in your company’s security culture, and true cyber resilience is only achievable when employees across your organisation are on board.

    How to focus awareness training

    Awareness training is a crucial part of cyber resilience. But to get the most out of your budget, and protect your business, you must ensure it is focusing on the right threats. That means assessing risks, and keeping your finger on the pulse by continuing to assess, train and assess again. Because while memories can fade and threats shift, the attackers will keep coming. Your awareness training must also continually adapt to keep up.
