As the saying goes, your organization is only as secure as your weakest link. And while that’s true for your network and environment, it’s also true when it comes to your organization’s employees.
Criminal hackers and threat actors know that employees are an attack vector that’s difficult to safeguard with tools and software. That’s why so many resources are devoted to exploiting them via phishing, business email compromise [BEC], and social engineering attacks. The 2020 Trustwave Global Security Report found that 50% of incidents from phishing and social engineering cause the most frequent breaches across multiple corporate environments.
So, while you may have the latest in security tools, a fully equipped and staffed security department, and full visibility of your network, it may be all for moot if an employee accidentally opens a malware-infected attachment and unleashes it on your network.
That’s why security awareness training is incredibly important to make sure your employees know what attacks look like, what to look out for, what to do if they encounter an attack, and what processes to follow.
But if you’re only providing security awareness training during an employee’s onboarding and never follow-up, your employees aren’t likely to retain the information and the information will be quickly outdated. There’s a better alternative.
One of the most effective ways to ensure your employees know what risks to look out for is to have a security awareness training program that refreshes every year. This helps ensure you can update your training to account for any new threats or attacks, and you can tailor your training to new changes within your organization. Your security awareness training must reflect the unique risks your company faces and should be updated every time your employees undergo new awareness training. Here are a couple of questions worth asking
One of the biggest changes that has affected the majority of companies is the shift to remote work. That brings its own set of cybersecurity challenges and risks, especially on the employee-side of things. Your awareness training needs to reflect that and make sure it’s addressing their new environment. Without accommodating for these new risks, you’re just training employees on outdated information.
A company’s growth informs the risks posed to it by criminals and nation-state actors, especially if a company’s growth is global. Your training should reflect the fact that your employees in different geographical locations may find themselves under different kinds of attacks.
Updating your training isn’t only an introspective task. You have to make sure you’re up to date on new external threats facing your organization—knowing what the most common attacks are, how new threats have evolved, and how employees are likely to be targeted. For example, new email phishing attacks are hiding malware in documents accessed via Dropbox or other cloud links so email security tools won’t flag them.
Your security awareness training should reflect the tools, software, and environment your organization is working in. Email is an obvious vector but are your employees constantly logging into cloud-based services? Are they sharing documents often? How many third-parties or subcontractors are they working with? Do these tools or products offer any kind of additional security options such as MFA or 2FA? Being as specific as possible will help tailor your program and give employees specific examples to work off of.
Work-life balance continues to mix and it’s harder and harder to separate the two given how online everyone is these days. Even if social media isn’t a part of your company, your employees are likely to visit social media sites and a recent report found that a third of employees visit adult sites with their work laptop. Not addressing that in your training will leave your organization exposed.
If your security awareness training involves simulated phishing, social engineering, (spoiler alert: it should) or similar attacks that lead to a “successful” attack or breach, then it’s important to follow up with the employees who “failed” the simulation. It’s not enough to re-test them or have them go through the same training as before. Instead, you should have a follow-up strategy that takes them through additional security awareness training and then, in time, simulates another attack to see if they fall for it again.
Bringing in a team of experts or consultants to help you conduct your security awareness training program is advisable as they can provide and utilize the most up-to-date data and threat intelligence while also applying specific training tailored to your environment based on your employee size, industry, and products.
Security awareness training should be considered as an investment in risk management. By making your employees aware of the threats they’ll face regularly and giving them a process to follow if and when an issue occurs, you’re minimizing the risk of a huge threat vector - human error.
If you follow our best practices and guidelines, you’ll be able to be confident that your employees, new and old, will know how to keep your environment free from attacks.