In every cybersecurity case, one thing is almost always true: Somewhere along the line, one or more employees made a mistake. It can be your accountant clicking on a link in a cleverly crafted scam email and unwittingly providing the fraudsters with a login to the accounting system. It can be someone in the IT department misconfiguring something during setup.
I don’t mention this to blame employees, who, in essence, are trying to win an unwinnable game of cat and mouse. On the contrary, I say this to keep your business and its critical or regulated data safe. Your security measures play a crucial role in doing just that. Your employees must identify and stop every cunningly devised scheme that the evildoers dream up, every time, and your actions play a significant role in ensuring they can do just that. A seemingly endless army of bad guys, with an infinite supply of new tricks, only has to deceive one person, one time, to empty your company’s bank account, launder your funds through cryptocurrencies or sell your data on the dark web.
Security Awareness Training
Nearly every IT security standard, just about every regulatory body and even some state laws have begun to prescribe — if not require — regular security-awareness training as a critical component of a cybersecurity program. Employees are the last line of defense against threats. Our technical-security controls, such as email-gateway defense or anti-malware solutions, as well as cybersecurity policies, only succeed if our employees maintain that security posture. When a scam email lands in your employee’s inbox, it is now entirely up to them to identify the threat and respond appropriately. Unfortunately, scammers are constantly finding new ways to bypass existing controls. Therefore, more and more risk centers on your employees making the right call when doing so counts.
This is where security-awareness training for employees comes into play. The idea behind it is to fortify your last line of defense or, as it’s commonly referred to in the cybersecurity industry, your “human firewall.”
If you search the web for the term “security-awareness training,” you can find anything from one-off videos or articles; to pages with a small, basic assortment of training resources; to managed and regular training and compliance programs; to live training engagements. Cybersecurity and standards organizations, such as NIST, HIPAA, DOD, etc., make many free resources available. These resources are a great place to start for small businesses with small budgets. Where these resources may fall short is in scaling their management and staying relevant. In addition, most government or regulatory requirements dictate that you must be able to track who took which training and when, and that you can prove employees paid attention to it. These free resources usually will not have any functionality to enable this detail-oriented approach.
Unmonitored, Without Updates
Your workers face threats daily, and those threats tend to be timely and relevant (e.g., Christmas-themed scams, a donate-to-Ukraine email). Meanwhile, static and generalized security-awareness training is most often completed upon hire and then, at best, once annually. Most people would agree that they want their antivirus software updated frequently, with timely and relevant information. But this more lackadaisical approach to security-awareness training leaves your human firewall unmonitored and without updates for extended periods.
At the other end of the spectrum, live and intensive training programs significantly increase attendees’ passion for, and understanding of, the topic at the macro level. However, they do not tend to be cost-effective or scalable, nor are they truly effective in changing behavior on a day-to-day basis. Consider that, on average, you will forget about 80% of everything you learn on any given day. And since these programs tend to be scheduled in advance and require an admission price in line with an in-person or cohort-based virtual event, they tend to be cost-prohibitive. It can also become a logistical nightmare to get all employees to attend.
On the other hand, these programs are a great option to get leadership, staff who have cybersecurity responsibility, and those with access to susceptible data or systems onto the same page and in agreement about the level of risk and responsibility in front of them.
Best Approaches to Cybersecurity Awareness
This brings us to an important question: What is the best approach to increasing cybersecurity awareness? An ideal plan should meet the following essential requirements:
- A comprehensive annual training, as required by many regulatory bodies and laws. These programs should be provable (such as with a test) and trackable (who completed the program and when).
- Your security-awareness training program should provide timely and relevant reminders (for instance, “Think before you click”) in bite-sized chunks to help employees keep security at the top of their minds. Completing these should also be trackable and more or less required, depending on the employee’s access or their propensity for making security snafus.
- The training program should be easily, if not automatically, manageable. It should also be customizable per employee.
- It should be as cost-effective as your antivirus is, requiring a small spend per endpoint (or, in this case, per employee). It should also minimize the administrative overhead required to manage the system.
- This one is the most important: It has to be easy and engaging for employees. Doing security-awareness training should be as simple as checking your email, and the training should be interesting — even fun. It should also be memorable (at least for a couple of days).
Mat Kordell is vice president of operations for CyberStreams, a member of The ASCII Group since 2022. For more information, go to CyberStreams.com.