Source: www.csoonline.com
Feature, 15 Nov 2024
Security awareness training helps develop an information security mindset in your workforce, equipping employees with the knowledge to be your organization’s first line of cyber defense.
What is security awareness training?
Security awareness training is a cybersecurity program that aims to educate everyone in an organization about potential cyber threats, as well as actions they can take to help keep the organization’s assets safe. Security awareness training seeks to reduce human cyber risk by ensuring employees can understand, identify, and avoid information security threats as a first line of organizational defense.
Most employees remain uninformed not only about the cyberattack techniques that affect their daily work but also about how to respond to them. A well-tailored security awareness training program will help them understand what cybersecurity threats they might encounter in their own role and how they can adopt security best practices as part of their workflow — without overloading them with more tasks or information than they need to do their jobs effectively.
Why is security awareness training important?
Most employees don’t see cybersecurity as part of their job. As a result, they need training to understand the vital role they play in helping defend the organization from cyberattacks. There are two main reasons for this:
- Humans are cybersecurity’s weakest link. Business users may be correct to think that tasks such as rolling out endpoint protection suites are somebody else’s problem (specifically, the cybersecurity team’s). But as the SANS Institute points out in its Security Awareness Report, “People have become the primary attack vector for cyber-attackers around the world.” Kaspersky’s “Redefining the Human Factor in Cybersecurity” report found that 64% of cybersecurity incidents were caused by human error. As such, everyone in your organization must be aware of the threats they face. SANS specifically calls out phishing and business email compromise as two of the top three threats to organizations today. Cybersecurity pros cannot sit next to their coworkers every day to intercept these kinds of social engineering attacks, so security awareness training is necessary to keep everyone aware of potential threats and how not to fall prey to them.
- Security awareness is often mandated by government and industry regulatory frameworks. To ensure greater security overall, many industry-standard security frameworks include regular security training as part of their mandates. This is particularly true in highly regulated industries where privacy and security are paramount. HIPAA, for example, mandates “a security awareness and training program for all members of its workforce including management” for any company or organization that handles healthcare data. PCI DSS does the same for companies that accept credit card payments. The truth is, for most organizations, security awareness training isn’t just a good idea: It’s required.
Security awareness training topics
Security awareness training should focus on topics nontechnical employees need to know about — and can act on. Training on the following topics is essential:
Phishing and social engineering. Social engineering scams — not just email phishing but voice and text scams as well — are the No. 1 way attackers get access to a company’s systems, data, and finances. As such, employees must be educated on how these attacks work as well as how to spot their tell-tale signs and what to do if they encounter such a situation.
Beyond straightforward education, one of the most common types of security awareness training involves sending fake phishing emails to employees and rewarding them (with anything from praise to gift cards) if they successfully spot them and report them to IT. Higher-risk employees, such as executives and those with access to company financial accounts, should get more intensive training on the more targeted spear phishing attacks they’re likely to face.
Passwords. Boring but still a linchpin of corporate IT security, proper password hygiene is another key topic for security awareness training. If you roll out a password manager for your business, its optimal use can be covered under this topic as well.
Personal device use and remote work. Imposing a strict work/life distinction on employees is for most organizations a lost cause: Employees inevitably use corporate devices for personal browsing and answer work emails and texts on their personal phones. The boundaries have been further blurred by the post-pandemic rise of remote work. Employees need to know how best to navigate this landscape.
Incident reporting. In addition to learning to recognize potential cyberattack dangers, employees must also learn how to report them to your team so you can do something about it. It is also worthwhile to stress why it is important to report incidents to the security team, as what may seem an obvious phishing attempt to one employee may not be obvious to another. Alerting the security team can help ensure such attempts, which often target a wide range of employees, are quickly addressed.
Security awareness training best practices and critical components
We’ve covered the why and what of security awareness, but the how makes all the difference in ensuring training is effective. Here are the building blocks of a good security awareness training program:
Content — and lots of ways to deliver it. Obviously, you need to gather the information you want your employees to learn, but you’ll also want to serve up this knowledge in a variety of formats, including videos, blog posts, interactive scenarios (like the simulated phishing emails mentioned above), lunch and learn sessions, and more. And yes, this all needs to be as fun as workplace training can be. Both the information and delivery methods should be customized to various employee groups: the CEO and entry-level sales associates both need security awareness, but should get it according to their needs.
Support within your organization. No matter how fun your content is, it isn’t going to succeed if you don’t get buy-in for your training program across your organization. Getting executive leadership on board is vital, and individual departments must also be involved in the rollout and consulted rather than having another mandate foisted upon them. Working with HR is also key, as HR is not only a key department for training programs but also a vital partner in helping enforce completion mandates and targets.
An incentive structure. Whether it’s gift cards, continuing education credits, or public acknowledgements, you need some method to make learners feel like superstars when they do well in the program.
A plan to quantify the results. Security awareness training isn’t a one-and-done deal — you need to keep track of who’s doing well, and what areas need further attention. This will help you craft the program going forward and explain to leadership how the training is improving security around the company.
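As an added example (not part of the original article or any vendor’s product), the following Python turns raw results from simulated phishing campaigns into the kind of per-department metrics a program owner can track over time: click rate, report rate, median minutes-to-report, repeat clickers across campaigns, and departments that fall outside assumed thresholds and need follow-up training. The campaign records and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample results from two simulated phishing campaigns (not real data).
# Each record: (campaign, user, department, clicked_link, reported_to_security, minutes_to_report)
RESULTS = [
    ("2024-Q3", "alice", "finance", True,  False, None),
    ("2024-Q3", "bob",   "finance", False, True,  4),
    ("2024-Q3", "carol", "sales",   True,  True,  35),   # clicked, then reported: still counts as a report
    ("2024-Q3", "dave",  "sales",   False, False, None),
    ("2024-Q4", "alice", "finance", True,  False, None),
    ("2024-Q4", "bob",   "finance", False, True,  2),
    ("2024-Q4", "carol", "sales",   False, True,  10),
    ("2024-Q4", "dave",  "sales",   False, False, None),
]

def department_metrics(results):
    """Per-department click rate, report rate and median minutes-to-report across all campaigns."""
    by_dept = defaultdict(list)
    for rec in results:
        by_dept[rec[2]].append(rec)
    metrics = {}
    for dept, recs in by_dept.items():
        n = len(recs)
        times = [r[5] for r in recs if r[4] and r[5] is not None]
        metrics[dept] = {
            "click_rate": sum(r[3] for r in recs) / n,
            "report_rate": sum(r[4] for r in recs) / n,
            "median_minutes_to_report": median(times) if times else None,
        }
    return metrics

def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns (candidates for targeted training)."""
    clicks = defaultdict(set)
    for campaign, user, _dept, clicked, _reported, _minutes in results:
        if clicked:
            clicks[user].add(campaign)
    return sorted(u for u, camps in clicks.items() if len(camps) >= min_campaigns)

def needs_followup(metrics, max_click_rate=0.25, min_report_rate=0.5):
    """Departments above the assumed click-rate ceiling or below the assumed report-rate floor."""
    return sorted(d for d, m in metrics.items()
                  if m["click_rate"] > max_click_rate or m["report_rate"] < min_report_rate)

if __name__ == "__main__":
    m = department_metrics(RESULTS)
    for dept, vals in sorted(m.items()):
        print(dept, vals)
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("needs follow-up:", needs_followup(m))
```

Tracking report rate alongside click rate matters because a user who clicks but then reports still gives the security team the early warning the article describes.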
For a deeper dive on all this, check out “7 elements of a successful security awareness program” and “4 steps to launch a security awareness training program.”
Security awareness training costs and ROI
Many organizations choose to contract with an external vendor to provide security awareness training services. Though there are a number of criteria you can use to judge these companies, cost is going to be an important factor that in turn depends on the level of service you receive, ranging from self-service platforms that provide learning modules to full-service consultants who run training for your staff in person.
CanIPhish breaks down the numbers across the spectrum of vendors, estimating that costs can range from $0.45 to $6 per employee per month depending on the level of service, with most vendors offering discounts for larger employee pools.
Even if leadership has bought into the idea of security training, price will likely be a concern you will need to justify. Can ROI for security awareness training be computed? In a 2017 study, Aberdeen Group attempted to run the numbers to determine the value of an “incremental” security awareness training program, comparing the price against potential losses to phishing and other classic human-focused security attacks. It concluded that such programs result in a median reduction in the risk of phishing attacks of about 50%, and a median 5X annual return on investment. These numbers are widely trumpeted by security awareness training vendors, but could provide a baseline to take to organizational leadership. You can also use various industry-standard IT risk assessment frameworks to quantify the cybersecurity risks your organization faces; this is another tool in your arsenal to convince management of the value of security awareness training.
Free security awareness training content and videos
For organizations that want to build trainings internally, there are plenty of great free and open-source resources out there:
- The US federal government’s Cybersecurity and Infrastructure Security Agency offers a number of trainings and exercises, and while these are tailored specifically for the needs of federal employees, many are free to use for the public.
- NIST’s cybersecurity division offers a roundup of free and low-cost cybersecurity learning content.
- The SANS Institute offers a number of resources for free, including free trainings.
- Cyber101.com offers introductory cybersecurity training free of charge.
- SC Training offers a good list of free cybersecurity training courses for various kinds of organizations and employees.
- Gophish is an open-source framework that allows you to simulate phishing attacks to test your employees.
Implementing these tools will take time and internal resources, but you may find they help strike a balance between cost and security needs. Good luck!
Josh Fruhlinger is a writer and editor who lives in Los Angeles.
Original Post url: https://www.csoonline.com/article/3604803/security-awareness-training-topics-best-practices-costs-free-options.html