When it comes to cybersecurity, continually updating your employees with the latest security awareness education is one of the most important things you can do. Human error is cited as the most common reason for cyber intrusion and data compromise. Cybersecurity Ventures predicts that the security awareness training market will grow from $1 billion in 2014 to $10 billion by 2027.

While security awareness education has become an industry standard for maintaining compliance, the purpose of implementing a strong, thorough security awareness program is not to simply satisfy compliance criteria. The best security system in the world is still vulnerable if employees don’t understand their roles and responsibilities in safeguarding sensitive data and protecting company resources.

What does it take to create an effective security awareness training program?

Here’s a breakdown of a program’s key elements that answer these three questions:

    1. Who should be involved?
    2. What should be covered?
    3. How can you create a program that isn’t forgotten or ignored?

The Who: 3 Distinct Audiences of Security Awareness Training

Let’s face it: Not everyone takes cybersecurity as seriously as we do. This can make engaging people around the topic of security awareness difficult. To maximize the retention of security awareness training, it’s helpful to contextualize the content based on what’s most relevant to your employees.

Here are three different audiences to consider with security awareness training for your employees:

    1. Management—There’s often a disconnect between the boardroom and the security team. In order to break down these silos, it’s important to connect your information security training to the larger business objectives that senior-level leaders and board directors care about. As you consider this audience, here are few tips for breaking down the silos between boards and cybersecurity teams.
    2. Specialized Roles—Whether you’re a hospital or retail store, the unique roles within your business are susceptible to attacks in different ways. The threats that impact the cashing and accounting team look different than threats that might impact the procurement team. Both teams should know how to protect against the threats that impact their specialized roles.
    3. All Personnel—In today’s world, everyone within your business needs to have a basic understanding of the possibility of a potential attack and their roles in it. One of the best ways to make sure company employees are less susceptible to costly errors is to institute company-wide information security training initiatives that cover the most important security principles.

Now that we’ve identified who should be involved, what should you communicate as part of your security awareness training program?

The What: 6 Critical Security Awareness Training Topics

An effective security awareness program must have a variety of communication methods and include a range of topics educating the user about the array of tactics utilized by cybercriminals in today’s world. These include:

    1. Physical Security—Securing the building’s perimeters and internal areas containing sensitive information is an important first step.
    2. Password Security—Employees should have an understanding of why the enforced password requirements are important for protecting themselves, as the users, and the company.
    3. Phishing and Spear Phishing—Employees must be aware of phishing and the consequences associated with the latest phishing methods.
    4. Malware—Avoiding Internet content laden with malware may seem intuitive to those in the information security field, but to the everyday user, avoiding this content is typically not at the top of their minds and is certainly not instinctual.
    5. Wireless Security—Given the increase in wireless devices and communication, employees should be made aware of the importance of using only secure, approved wireless networks.
    6. Safe Internet Browsing—Employees with access to the Internet should be familiarized with the potential hazards associated with visiting unknown and/or unapproved websites. They should also understand that if a site is blocked, it is most likely blocked for a good reason.

If employees are aware of these terms, definitions, and the impacts they may have on a business, they will be better equipped at making security-conscious decisions while performing their daily tasks.

The How: Security Awareness Training Case Studies

How can each of these ideas make a tangible difference for your business? Here are two Nashville-based companies who are excelling when it comes to security awareness training:

    1. Anderson Benson, an insurance and risk-management firm that handles cybersecurity cases, helps their clients understand the latest cyber and data breach mechanisms. They also take it a step further by repurposing their findings for their own internal audience to stay informed.
    2. Patterson Intellectual Law of Nashville has also excelled when it comes to educating employees on security awareness. For example, the firm recently created its own policy governing cybersecurity practices such as password management, secure document storage, network access, use of personal devices, cloud service vendors, and more.

5 Strategies to Help Employees Become More Security Savvy

There are many reasons why security fails, but one of the most overlooked is people. The most sophisticated security technology tools can protect you from a lot of malware and viruses — but it can’t always protect you from users who fail to practice proper “cyber hygiene” —and unknowingly put information at risk through bad cybersecurity practices.

  • Have you downloaded work files to your unsecured home computer so you could continue working?
  • Have you emailed sensitive information to your personal account for later use?
  • Have you accessed information over a public Wi-Fi network such as Starbucks?
  • Did you give your co-worker your password “just in case?”
  • Is your password “password”?

This shortlist of common security “fails” happens far more frequently than your executives would like. Honestly, they can be some of the biggest offenders, right?

Many employees, do not have strong security awareness or the necessary training to be practicing the vigilance that’s needed to keep data secure. A good place to start is educating employees on how they can help companies minimize their risk of data theft. Let each individual know they play an active role in the strength of an organization’s cybersecurity. A sizable percentage of the workforce don’t think they have any responsibility for assisting IT departments with system and network security.

Here are some practical strategies to help employees become more security savvy:

1. Create a Security Culture

It seems obvious given the high-profile breaches we’ve all seen in the news, but not enough organizations make cybersecurity a priority. They also don’t provide employees with detailed security education and training. Frequency matters too. A training session once a year is not sufficient. Focus on regular reminders and updates to training. Don’t forget to train senior staff, including the C-suite. Make sure onboarding for employees includes adequate security training, from best practices on password strength to securing physical office spaces.

2. Use Real Examples to Educate

Information here is key, as employees will respond to real-world examples. Be sure to share details of publicized data breaches, and how the initial entry point is often gained through personnel lapses, human error or lax security measures. Show them how what might seem a harmless practice can lead to breaches and quantify how that hurts your organization.

3. Make it Easy for Employees to Help

Everyone knows now that an email appeal from a Nigerian prince should be deleted, but employees need to learn the different kinds of attacks and vulnerabilities companies are faced with to equip them to identify threat more easily. Create documentation and training aids for employees to reference. Develop a reporting and escalation process for how employees should respond if they suspect a cyber breach.

4. Be Supportive

Cyber Security knowledge is not easily or universally understood. Many in your organization have never had to consider cyber threats. That’s OK. Provide them with an open environment to ask questions where they won’t feel judged for knowing less.

5. Secure C-Suite Buy-in

Sometimes senior leadership has not prioritized security because they haven’t connected the dots to the larger business ramifications of security fail. While high-profile breaches at Target and Sony have caught the attention of boards and executives, many security teams still have to fight for the additional budget and elevated prioritization that shoring up digital defenses requires.

How can security professionals overcome this institutional challenge? Think about ways you can tie security goals to larger business outcomes and objectives. Executives think in terms of risk and reward — explain how the company’s cybersecurity practices are exposing the company to larger problems — and how it could impact business.

Maintain your credibility by keeping the threats you raise in proportion with your company’s overall risk profile. Don’t inflate risks or speculate about possible issues – keep the challenges you discuss with leadership grounded and relevant. This will pay off when you need to report on threats that are urgent.

It may seem like cybersecurity is a technical matter. In many ways it is, but it’s worth remembering that security has many sides, it’s not just about firewalls and encryption. Time spent strengthening the link between people and cybersecurity is an investment that all companies should make in order to ensure everyone is doing their part to help keep your networks secure.

Check out our free guide, Breach: Network Security Best Practices for Prevention, Detection, and Response, for more information on ensuring the safest network security for your firm.

Are You Ready to Enhance Your Security Awareness Training Program?

Whether you’re looking to strengthen your entire network security program or update your awareness training, our team at LBMC Information Security can help. Feel free to check out our library of resources and podcasts, which provide specific insights you can use to enhance every area of cybersecurity. Or, connect with our team to learn more about how we can help develop a security program plan or training framework.