You live in the digital age. No matter the industry of the company you run, manage, or work for, digitized data, information, and communication are an integral part of your organization’s successes. Important emails keep your company connected; important charts, data and figures keep your projects competitive. In the wrong hands, however, all of this digital information can lead to security breaches that cause data and financial losses, as well as damage to your company’s reputation in the marketplace. Improper or inattentive human behavior is very often how that information ends up in the wrong hands.
For these reasons and many more, you should seriously consider implementing a comprehensive security awareness program within your organization. A security awareness training program can be defined as a series of formal and informal learning activities and resources designed to raise employees’ awareness of corporate policies and procedures for working with information technology and sensitive data, improve their skill set for avoiding risk, and promote a positive attitude toward secure behavior. In this guide, we will share the key elements of an effective security awareness training strategy, some of the major pitfalls that can render security awareness training ineffective, and additional information to consider when implementing a security awareness program to secure your company’s digital property and information.
Why Should You Care?

In 2014, an IBM study found that up to 95 percent of all security incidents involved human error. No matter how intelligent, competent, and devoted your staff is, without the right knowledge and training, your company is vulnerable to a plethora of security threats. A closer look at internal negligence, loosely defined as any unintentional action committed by a staff member that results in your company’s data being leaked or ending up where it shouldn’t, will further illustrate why every successful company and organization, large and small, can benefit from an effectively designed and managed security awareness training program.
Now is a better time than ever to start considering the benefits of comprehensive security awareness training. As illustrated by a recent string of high-profile “hacking” and data loss cases, from 2014’s highly publicized Sony Pictures hacks to a massive data breach that affected 70 percent of South Korea’s population, data breaches are on the rise globally.
Furthermore, the cyber security community has been predicting growing data loss for some time now. In 2011, cyber security was named one of the top five global risks for companies by the World Economic Forum in Davos, Switzerland. The report cited an increase in the use of cloud computing and a greater reliance on mobile devices as two of the primary reasons why more data loss would occur in the future; both trends have continued since and show no sign of reversing.
These increasing rates of data loss and heightened risk of security threats are not going to vanish, and you need to drive employee awareness of security and the best practices to confront these issues head on. Revisiting and further delving into the threat of internal negligence will illustrate why instituting security awareness training is one of the smartest security measures for your organization. Investments in hardware and security software to protect corporate and customer data are essential. However, without a defined security awareness training program, your organization will likely remain at risk of a potentially significant security incident.
There is a common misconception amongst managers and IT professionals that places the threat of data loss from employee behavior as a low to medium risk. In reality, this threat is far greater, based on recent industry data, events and analysis like the IBM study noted earlier. Even when organizations are aware of the threat posed by employee-caused data leaks, it is widely assumed that employees are most likely to jeopardize data security when they are disgruntled or acting maliciously. While insider threats are a legitimate concern, a study commissioned by Cisco shows that there are two crucial and overlooked areas that contribute to employee-caused data loss and that have nothing to do with malicious intent: a lack of awareness regarding threats, and a lack of diligence in adhering to the security best practices and procedures that mitigate them.
A lack of awareness in employees usually revolves around misplaced expectations from IT workers and corporate managers who assume that common sense and professionalism will inform the actions of employees enough to provide a level of security awareness. The Cisco study cited above provides some surprising data: 43 percent of IT professionals admitted they are not educating employees well enough. A lack of awareness on the part of employees comes directly from this lack of education. As a result, employees do not know which security practices to perform, which to avoid, and which will jeopardize company data.
A lack of diligence is characterized by employee behavior that, while not intentionally malicious or destructive, puts data security at risk due to employees not properly handling sensitive information. This lack of diligence ties back to a lack of awareness; employees who are not aware of good security practices cannot diligently enforce them. It stems from something else too: an attitude of apathy towards security practices, with 43 percent of IT professionals in Cisco’s study blaming this lack of interest on the quickening pace of work.
These two larger trends, a lack of awareness and lack of diligence, translate into several risky behaviors. A second Cisco study, entitled “Data Leakage Worldwide: Common Risks and Mistakes Employees Make,” details some of the most common risky behaviors that employees unintentionally engage in, all of which belong to the category of internal negligence:
Since employee networks often provide access to sensitive information, it is smart to list some applications and programs as “unauthorized” for use on company computers and networks due to the applications’ instability or ease of breach. Cisco’s survey found that employees often use unauthorized applications regardless of the rules: 78 percent of employees surveyed had accessed personal email from their work computers, about half of which represents unauthorized use. Furthermore, using unauthorized social media tools and applications, like Facebook, Twitter and Instagram to name a few, on company resources (PCs and networks) further amplifies the impact that unauthorized applications can have on an organization’s ability to protect its data. Users of these applications also give attackers indirect ways to gather personal information from these sites, which can later be used to compromise corporate security through sophisticated social engineering and spear phishing attacks on targeted users.
“Tailgating,” the common practice of letting unfamiliar and potentially unauthorized individuals into secure areas by “holding the door” or otherwise compromising secure physical spaces, is a very frequent occurrence in almost all larger corporate settings, and often results from a desire to be polite or neighborly rather than a malicious attempt to provide unauthorized access. Unauthorized access is also common on networks, where employees often wander unintentionally into areas of a company’s network they are not authorized to access. Cisco’s survey found that 39 percent of IT professionals have had to deal with problems related to unauthorized physical and network access.
Logging out of a computer when it is not in use and protecting devices with secure passwords are among the most fundamental security practices, but Cisco found that an alarmingly high percentage of employees often do not follow basic login/logout and password protection procedures. One in three employees admitted to leaving their computers on and their accounts logged in while away from their desks, an example of a lack of diligence that puts company data at risk.
Again, these practices are dangerous but they are not necessarily malicious or based on employee mal-intent. Data shows that insider threats, like those presented by internal negligence, are the top source of data breaches. It also shows that the inadvertent misuse of data and lack of strict adherence to security practices by employees, represented by a lack of knowledge and lack of diligence amongst the workforce, was the leading cause of breaches. Furthermore, ignorance is the leading culprit. In a recent Forrester study, less than half of the North American and European SMB workforce responding to a survey had received training on proper security measures, and barely more than half cite that they have an awareness of their company’s current security policies.
The data overwhelmingly shows that insider-related data security incidents are on the rise, with serious implications. These security incidents are also often the most costly, according to a recent PricewaterhouseCoopers (“PWC”) study. When you truly consider what is at stake when a security incident caused by internal negligence occurs, and the consequences when a company leaves its employees ignorant by not providing effective security awareness training, you understand just how serious the internal threat can be. IT professionals certainly understand this threat. However, most non-IT employees, as well as executives and corporate managers, often only engage in an active security awareness training program once they have been directly impacted by an incident - after the damage has been done.
At a basic level, internal negligence can result in the loss of the data that keeps your company working efficiently and economically. The kind of data that gets compromised varies widely, and can include private customer data, sensitive internal memos and information, and valuable corporate strategy and tactics documentation. In a fundamental sense, all data loss has a negative economic effect on your company: as soon as your internal workings and operations are exposed to the public, there is no guarantee that what makes your business unique and profitable will continue to be proprietary. Furthermore, the negative effects of data loss go far beyond the basic and economic.
Since customers, partners, and the public all put trust in your company to be able to operate securely, data breaches can have a huge, negative impact on your brand’s reputation and company’s image. A recent Experian/Ponemon Institute study highlights just how much of an impact this damage to brand identity has on corporate reputation and found that it can take up to a full year for a company that has had a major data breach to restore customer faith. The real economic impact of this damage to reputation is staggering: the very best that your company can hope for, based on the study’s survey data, is a 12 percent loss of value following a breach.
The soft, non-economic loss resulting from brand damage can also be tremendously harmful to your company. Scott Goodson, author of the authoritative book on modern branding entitled Uprising, calls branding “a promise mark as opposed to a trademark.” Before you have a chance to impress clients and partners with your business’s internal workings, the first impression they will get of your company is based on your branding. Your brand conveys credibility, professionalism, quality, and so much more that can be easily monetized. When you suffer a data breach, the very way in which your company presents itself can be fundamentally jeopardized.
The damages of a data leak are not strictly related to your company’s reputation to new or prospective customers. Project delays hurt relationships, and when data breaches occur it is inevitable that the time it takes to clean up messes, assess damages, and secure your internal workings will have an impact on your ability to deliver on client obligations. When you are late in delivering a project and have to tell your existing clients that delays are due to security issues on your end, you make it hard for that customer to trust you to deliver in the future.
Marketing studies demonstrate the intuitive importance of building trust with your clients; it isn’t an exaggeration to argue that the number one factor in determining if clients become repeat customers and continue to help your business grow is whether or not they trust in your ability to deliver. When data breaches occur, your brand isn’t only damaged amongst future buyers who don’t know if your business can be trusted to keep their data safe, it’s damaged amongst current clients who can no longer trust you to meet deadlines and project expectations. This damage to existing client relationships can destroy your business, and its importance cannot be overstated.
Have the immediate, devastating costs outlined above still not convinced you of the severity of data breaches caused by internal negligence? Consider this sobering reminder: once a breach occurs, your problems have not come to a climax but have just begun. Remediating a data breach and cleaning up the mess caused even by the least malicious occurrences of internal security breaches is an incredibly time-consuming and costly process.
The procedural actions that your company will need to take in the wake of a data breach, to secure your information against repeat attacks and repair damages, are extensive and overwhelming. The Privacy Technical Assistance Center, a subdivision of the U.S. Department of Education, lays out a basic checklist of what companies need to do to respond to a data breach. Here are some of the recommended steps, condensed for presentation:
The first step your company will need to take is to begin an investigation and verify that an actual breach has occurred. Moving quickly to address a breach that never occurred is a waste of time, so companies need to examine data logs and determine if a breach has, in fact, transpired. If possible, companies should also identify the type of information that was disclosed during this step, and uncover as much as they can about how the data was disclosed.
Once a company has confirmed that a breach has occurred, the next step in stabilizing the situation is to assign a senior-level manager or IT officer to serve as incident manager and coordinate your overall response strategy. This manager will have to set aside their usual duties and devote all of their time to laying out a breach documentation, reporting and response strategy, as well as helping your public relations and customer relations teams decide how to release appropriate messaging about the breach.
In addition to the senior manager who will coordinate your breach response, other members of your team will need to devote a large percentage of their time to remediation. Management, IT, legal, public affairs, risk management, finance, audit, and possibly HR representatives will all have to work together to determine if a breach is ongoing, document all response efforts, and advise your company on what breach details can be disclosed and to whom.
The incident response team will have to work quickly and definitively to determine the cause of the breach, and involve the necessary legal authorities if criminal activity is suspected. Additionally, all potentially affected devices will need to be identified, evidence will need to be diligently preserved, and interviews will need to be conducted with personnel in all departments where the breach could have originated.
Data owners will need to be notified immediately, and there are many other agencies that may or may not need to be informed when your company experiences a breach. Depending on the nature of your company, different government agencies may also require notification. State and national law enforcement agencies may need to be alerted as well. Depending on the severity of the breach and the nature of the data disclosed, you may need to notify only the affected individuals, or your entire customer base and client network. Who needs to know about the breach, and how much, will be situational, and will be determined by the incident manager and team.
Once everything has been done to ensure that the breach isn’t ongoing, has been pinpointed, and has resulted in the right people being told what they need to know, a (probably) smaller version of your response team will need to review all of the documentation relating to the breach. In-depth analyses will need to be done to make sure that there are no breaches in the future, plans will have to be devised to respond more effectively should another breach occur, and recommendations will have to be made about appropriate security awareness trainings to minimize the chance of another occurrence.
Sound Like a Lot of Work? It Is.

Your team will have to work around the clock to manage a breach, and productivity will be severely compromised in the meantime. The responses above only outline procedural necessities. Your company will need to take measures above and beyond the bare minimum to remediate a breach.
Notably, you will probably need to assign a team to manage the fallout relating to client relationships discussed above. Your PR team will need to work on conducting positive branding initiatives, to try to reassure your current clients and prospective customers that your company can be trusted in the face of a security issue. Your customer relations department will need to talk with legal and decide what level of transparency is appropriate and possible since clients will expect you to be honest and open about what transpired. All of this time from your personnel is not the only price you should expect to pay when remediation is necessary. There is a large dollar cost associated with remediation as well.
Depending on the nature of your business and the severity of the breach, it is likely that those affected will seek reparations for damages caused by the security leak. The case law surrounding security breaches is developing and not very definitive, but you can expect to spend a good deal on legal fees to settle dispute matters with affected individuals in court, and may be ordered by a judge to compensate affected parties for damages - all of which will add up fast.
On average, data breaches cost $3.5 million in total for midsized companies. This cost includes the price tag of everything mentioned above, from the labor costs of assigning a sizable team to clean up messes to the loss in revenue caused by damaged client relationships.
What Can You Do?

PWC’s “2014 US State of Cybercrime Survey” paints a clear picture: if you want to avoid the enormous costs of a data breach, investing in security awareness training is one of the smartest decisions you can make. Companies that elected not to conduct comprehensive security awareness training for new hires reported suffering an average annual loss of $683,000, while companies that had appropriate security awareness training in place suffered only $162,000. Compared to costly remediation procedures in the future, an investment in security awareness training today is an economical and obvious choice.
At this point, after hearing about all the dangers of internal negligence and the issues that can arise when your company experiences a data breach, you are probably curious as to whether security awareness training is right for your business. Here is a list of all of the different types of organizations that can benefit from security awareness training:
The healthcare industry generates a vast amount of data, most of which is now digitized. Every time you see your doctor and fill out a questionnaire, pick up a prescription, or rush to the ER, your healthcare agency collects and stores this information. If your company deals with the healthcare field, you know just how important this data’s privacy is.
From an ethical perspective, privacy is critically important for health data. Our society expects a certain level of anonymity where health data is concerned: it’s fine for your doctor to take notes, but if anyone else sees them and can tie them to you, there is a serious problem. As the healthcare industry changes and becomes increasingly digitized, patients expect the same level of privacy. This is why breaches can be so devastating for healthcare agencies, and why comprehensive security awareness training, including specialized training on Health Insurance Portability and Accountability Act (HIPAA) rules for securing healthcare information, is so important.
Not surprisingly, as in the economy at large, human error is the leading cause of breaches in healthcare data storage. According to Identity Theft Resource Center director Karen Barney, 81.6 percent of medical data breach incidents in 2014 could be attributed to human error. Again, statistics show that negligence is to blame the majority of the time - not malicious intent. With high-profile cases like the recent Anthem Blue Cross hacking incident, patients are more nervous than ever that their data may be compromised. If your company operates in the healthcare realm, you can make it a good example of what smart data protection looks like by investing in security awareness training to minimize the chance that your employees will inadvertently cause damage through a lack of knowledge or lack of diligence.
You might think that governmental organizations already know everything they need to about security and already have all of the necessary training procedures in place. However, a 2012 report published by the American University of Sharjah, UAE, found that many nations in the Middle East and elsewhere that have not traditionally seen high Internet usage rates have failed to adequately address security concerns within governmental offices. As states rapidly modernize across the globe, governments that are becoming digitized for the first time would be wise to consider implementing far-reaching security awareness training for their staff.
Believing that the lack of security awareness training in government agencies and offices is only a problem overseas is naïve. As a manager of a government office or agency, making sure that your staff receives adequate security awareness training should be a top priority, no matter where your office is located. In March of 2014, the Environmental Protection Agency published a memo straightforwardly titled “EPA’s Information Systems and Data Are at Risk Due to Insufficient Training of Personnel With Significant Information Security Responsibilities.” You can probably guess the gist of the report: even individuals with access to sensitive data were not receiving the right training to protect it. The U.S. federal government, as well as state and local government agencies, is also required to provide security awareness training based on National Institute of Standards and Technology (NIST) guidelines and Federal Information Security Management Act (FISMA) compliance requirements, which are updated regularly.
Governmental security breaches aren’t just embarrassing and damaging to an office’s reputation, but can impact national policy and the ability to govern well. Comprehensive security awareness training is crucial in the governmental context, especially since the stakes of a data breach are so high.
Even if your company isn’t handling sensitive health data or highly sensitive governmental records, there is an enormous need for security awareness training (refer back to Section One of this guide for the list of risky behaviors). Your employees can cause costly data breaches without meaning to if they suffer from a lack of knowledge or lack of diligence, and this kind of employee negligence hurts your company.
With the benefits of security awareness training being so clear in the corporate setting, you might think that every company conducts smart training practices. A study from April of 2014 by Enterprise Management Associates, however, highlighted two important facts. First, 56 percent of employees surveyed across a wide range of firm and company sizes were found to have not benefited significantly from existing security awareness training. Second, 45 percent of respondents did not receive training frequently enough to make the information useful or ingrained in their practices. It’s clear that corporations benefit from security awareness training. Yet there is still a gap left by security awareness training that does not effectively engage and educate users, and does not provide the continuous learning and reinforcement needed to promote greater user awareness and behavior change.
What types of organizations don’t benefit from security awareness training? Every company in every field can benefit from well-structured security awareness training since the use of digitized data as a key element of a business’s operation is so pervasive. The economy will continue to become more digitized, data will become even more and more important, and the right training to protect this data is needed by everyone.
We hope that at this point two things are very clear to you: security awareness training is vitally important, and no matter what kind of company or organization you manage, your staff can benefit from the right training program. What are the critical topics that an effective security awareness training program will cover?
First, no security awareness training program, regardless of how thorough, can make a positive change in the security behavior of your organization if your employees don’t actively participate. An effective program will focus the audience’s attention on the importance of what they are learning to both themselves and their organization. Effective security awareness training programs do this through a combination of communication materials and engaging learning activities that incorporate scenarios and examples that your audience can immediately identify with. The use of interactive multi-media platforms helps to draw further attention to important security messages and engage your busy workforce in this critical subject.
An effective security awareness training program will also approach training from square one, and assume that some or most of the participants in a training course have never had exposure to key cyber security terms. Of course, a well-rounded security awareness program like the one provided by Global Learning Systems is flexible with a series of best practice modules, so the security team at your company can determine where to start and what information to include. Programs should include the options for role-based training for those specific employees, like IT managers, that you would want to target with more in-depth and technical topics. There are, however, a lot of merits to starting at the very beginning and defining key terms and concepts before the meat of training gets underway.
Turning back to the study by Enterprise Management Associates, it is clear that employees who have been through security awareness training in the past haven’t gotten as much out of the programs as they could have. Starting at a basic level and cutting through IT jargon will set the rest of the training up for success by making sure that everyone is speaking the same language. Once a formalized training program has been established to train users on the basics of security awareness, follow-up training strategies can be implemented to provide users with further resources. These can include scenario-based and situational learning activities that give employees new skills, knowledge and behaviors that promote improved practices and procedures. There are several key topics you should be sure to incorporate in your general security awareness training courses.
If you ever pictured hacking only happening in dark rooms, with powerful computers, and at the hands of hackers with the intent of breaking through your system’s codes, think again. Social engineering is loosely defined by Computer World as “the technique of using deception and manipulation to gain sufficient knowledge to dupe an unwary individual, employee or company.” Smart hackers will rely on social engineering to learn all about your company, and may be able to walk right into secured networks with the information they pry out of unsuspecting employees, never needing to tackle any security codes at all.
Sound security awareness training will cover a basic definition of social engineering, and will discuss, in-depth, some of the examples of common social engineering methods. For example, it is common for hackers to call employees and pose as a member of an IT department, claiming that they were sent to help the employee, and after quickly gaining their trust will be able to talk them into providing private and important data.
Or, as in a staged, real-life example at 2012’s Defcon conference in Las Vegas, a hacker might rely on social engineering to obtain some vital information about a network’s components and security before performing a more in-depth and technical data grab. Social engineers are adept at carrying on conversations naturally without raising any red flags amongst the people they are talking to. First, you get a call from a “regional executive” telling you that the branch you work for is being considered for a major contract, and the executive needs your help to work out some potential details of the project. By warming you up and making you feel important, and by relying on their phony authority, the social engineer is then able to get you to disclose information about your computer, your office’s networks, and much more, making an attack easy for the hacker to carry out in the future.
Social engineering is on the rise, and is now one of the weapons of choice in the hacking arsenal of everyone from common criminals to government-sponsored cyber terrorists. If your staff doesn’t know what to look for to identify a hacker relying on social engineering and doesn’t know about the threat of this kind of manipulation, you can bet that your company is vulnerable to a social engineering attack. Sound security awareness training should include in-depth information on this growing threat, and will provide scenarios, tips and tricks, and comprehensive resources to help your staff identify potential hackers relying on social engineering tactics. Implementing an on-going phishing/social engineering exploit testing program, in conjunction with training on social engineering threats, will also reinforce user education and awareness of existing and new social engineering threats.
Whether you’re in the government, corporate, educational or non-profit sector, your employees probably rely on email to communicate internally and externally on an almost daily basis. While email attacks are some of the oldest tricks in the book from a hacker’s perspective, there are still plenty of employees unfamiliar with how a malicious individual may try to harm their computer or breach their data under the guise of an email.
Effective security awareness training will be sure to focus on the do’s and don’ts of email safety, and will outline some of the most common email mistakes that make employees susceptible to email attacks. Some essential topics to be covered include: sending appropriate email content, understanding who should and shouldn’t be emailing from company accounts, and ensuring the recipient is authorized to have access to the content within the email the individual is sending.
Because it matters so much to your company’s data security, effective security awareness training will also spend a large amount of time discussing the ways that hackers gain access to data through email scams. Attention should be paid to recognizing fraudulent messages and phishing scams, avoiding malware and the common paths that malware takes to reach data through email, and the essentials of account security. Overall, your security awareness training program should highlight that email scams are some of the easiest and most used ways for hackers to damage your computer and access company data, and that special vigilance should always be paid to suspicious-looking emails. These attacks are becoming more sophisticated and more targeted to your industry, making them harder for employees to detect. Some scammers even pose as “your company,” encouraging employees to share financial information in order to receive payment. Because the call to action seems to come from your HR department, employees are more likely to trust and respond to the message.
Your employees use the Internet for a wide variety of reasons from social networking to researching and compiling data for company reports. With an ever-increasing amount of time spent on the Internet, it is vital to your company’s security that your staff knows some of the basics of Internet security.
An effective security awareness training program will work hard to instill the right “safety mindset” in your employees. Believe it or not, many people assume that Internet attacks won’t happen to them, or that online viruses are not all that common or are not something to worry about. Your training should place emphasis on the pervasiveness of common online attacks, and instruct your staff to think critically about Internet usage and related security measures.
Special attention will be paid to ensuring that individuals practice safety measures to secure their browsers and avoid unsafe websites. Employees should also be introduced to terms like online viruses, Trojans, malware and browser hijacking, with special attention paid to instruct your team on what they need to look for when identifying potential threats.
By addressing Internet security holistically, a good security awareness program will make sure employees are educated about the ever-changing and evolving threats present on the Internet, and will work to ensure that employees know about company safety procedures and how important it is to follow safety guidelines. Internet safety isn’t about one threat or avoiding one virus, but about adopting a critical mindset when browsing the Internet, and translating this attitude into safe habits that will protect your company’s data. Security awareness training will help cultivate this kind of Internet use.
Password protection is one of the most basic and important fixtures of digital security, but too often your employees may be making big mistakes that can lead to their passwords, and your data, being compromised. Every year, lists of the most common passwords are published, and a surprisingly large percentage of Internet users still have passwords as basic as “123456” or “password.” Effective security awareness training instructors will discuss the importance of crafting strong passwords, but that’s just the tip of the iceberg.
Effective security awareness training will focus on the many aspects of good password etiquette, from changing passwords frequently to not using the same password for multiple accounts or multiple sites. Training around passwords should mention social engineering again as well, and make sure that employees are aware of how dangerous it can be to tell other people their passwords or write their passwords down. Additionally, password discussions should include guidelines on using password protection as it is intended to be used, and should instruct your employees to sign out of accounts when they are not in use and to log out of online sites rather than just closing browser windows.
Hackers are adept at guessing passwords, using programs to input common passwords and common word combinations, and all sorts of other means for accessing password protected accounts. Security awareness training should focus on the specific steps that employees can take to make sure their passwords are safe and strong, and not susceptible to hacker discovery. Training content should also stress the importance of passwords to protecting company data and networks.
With the percentage of web usage increasing every day, employees are more likely than ever to conduct company business on their mobile phones. Even if your company provides a smartphone for official Internet use, there are many things that can go wrong from a security perspective where mobile phones are concerned.
First, most of the same Internet safety hazards that can affect computers, from viruses to malware and more, can affect phones as well. Many mobile phone users do not consider this fact, or may not have proper security software installed on their phones. Additionally, many specialized attacks against mobile targets have been released by hackers recently. Your employees’ phones pose an outsized risk as mobile usage grows and hackers become more attuned to hacking mobile devices.
Aside from online scams and Internet threats that can compromise phone security, one of the largest security threats specifically related to mobile phone use is that cellphones can be easily lost or stolen. When an employee loses a phone that has access to company data, there is no guarantee that the person who finds it will do the right thing and return it, and the data and access the phone grants are likely to become a problem for your company.
Effective security awareness trainings should discuss the procedures your company has in place to report lost or stolen phones that have access to company data, and stress the importance of reporting lost or stolen phones as soon as possible to minimize the chances of a security breach. Additionally, security awareness training should focus on the similarities and differences of Internet security on mobile platforms, and make sure that employees know they are susceptible to most standard Internet attacks on their phone and a variety of attacks tailored to mobile Internet access.
While phishing is essentially a subset of social engineering, it is a common enough and important enough threat to warrant a more in-depth explanation. Phishing is one of the oldest digital security threats and is exemplified by the famous “Nigerian royalty” scam, in which hackers talked individuals into giving out their bank account numbers in exchange for riches. Phishing is defined as the practice of a hacker, or someone else with malicious intent, trying to get information by promising something in return. By dangling “bait,” hackers can get people to do things they otherwise wouldn’t, like open suspicious attachments or click on unknown links. These scams are not easy to spot, and they are getting more and more sophisticated. Criminals are constantly thinking of new phishing scams that are hard to detect and are targeted towards specific companies, even posing as organizations’ HR, IT or billing departments.
“Spear phishing” attacks, where a hacker will target one individual with a scam precisely tailored to them, are very hard to detect. A financial worker at your company could be tricked into turning over account information by a hacker pretending to be an executive looking for bank statements and offering a promotion, or a clerk could be tricked into turning over passwords by a phishing scam offering time off if an email is replied to quickly.
Sound security awareness training will focus on helping your employees identify phishing attacks, and will again encourage your employees to treat all online communications with a critical eye. By educating your staff about the common forms of phishing scams, and about the importance of being suspicious of links, downloads, and other interactions with unknown sources, effective security awareness training will make it harder for hackers to trick your employees into divulging information.
Effective security awareness training should address the threat of physical security breaches. When malicious actors gain access to your company’s facilities, they can target your data directly where it lives, and can easily steal information that is vital to your company. Security awareness training should educate employees about how malicious actors commonly bypass physical security protections like key-card readers, how hardware-related fixes like laptop locks can mitigate physical security threats, and how employee awareness can thwart physical security threats. Education should emphasize the importance of access controls, so that individuals understand that they may only enter authorized physical locations within the organization and that they need to be alert to any unauthorized personnel.
With companies increasingly relying on independent contractors and other “work at home” professionals who provide a remote service, a major security threat exists for those who work for your company from a remote location. Chiefly, you cannot assume that their networks are safe and secure. While you have some peace of mind regarding the virus prevention programs, firewalls, and other security measures in place in your office, this may not be the case for remote employees. Effective security awareness training should provide a module on working securely from home in order to educate remote workers on the importance of securing their networks, locking documents, practicing Internet safety and engaging in safe work practices - even when employees work from outside of the office.
When traveling for work or spending time abroad with a work-related device in their possession, data security may be one of the last things on your employees’ minds. In fact, traveling poses specific and dangerous risks to your data security. Wireless hot-spots in foreign countries may not be as secure as the ones your workers are accustomed to. The fact that your employees will appear foreign may make them a specific target for hackers and thieves hoping to prey on perceived ignorance, and the general presence of increased unknowns in foreign situations can translate into your data being jeopardized. Sound security awareness training will instruct your employees on the specific dangers that traveling entails, and how to combat these dangers through smart network access practices and extra device security vigilance.
While identity theft is often thought of as a personal security and financial issue, compromised identities can hurt your company as well. When hackers obtain access to one of your employees’ personally identifying information, they can potentially pose as that individual to access additional accounts. Security awareness training should inform your staff of some of the most common means of identity theft, including credit-card skimming devices, identity-specific phishing scams, and more. Additionally, security awareness training should teach your employees the importance of quickly reporting a compromised identity to company management so that access changes can be made and important data can be protected.
With all of the information above explaining what effective security awareness training should include, you are close to prepared for making the decision about which program would be best for your company. With so many security program providers out there, however, and many companies still facing major threats to their data, what can you do to be sure that the security program you choose won’t fail? Here are some of the biggest reasons why security awareness trainings do not succeed:
Security awareness training and security training are not the same thing, though they are often treated very similarly. Security training consists of conveying a company’s rules and expectations revolving around security practices, from expectations about the personal use of computers to guidelines for password strength and etiquette. In a security training, a company will express how it expects its employees to help keep data safe.
Security awareness training goes a step further, helping employees be aware of what security threats are, how they can be prevented, and how staff vigilance translates into safer security practices. Security awareness training aims to fundamentally disrupt the cycle of unintended ignorance. These programs will eliminate this lack of knowledge and lack of vigilance by creating an atmosphere where employees know what to look for and how to respond in different situations. The goal of security awareness training should be to equip employees with the knowledge and skills they need for positive change in behavior.
Security awareness training combats employee negligence by working to change a company’s mindset and push a company towards more secure practices. If your security awareness training doesn’t work to change employee attitudes and comprehensively address the way your company operates, it may be security training in disguise. This will not help your workforce recognize and mitigate threats to the same extent.
Your company probably has an internally mandated security awareness requirement with a yearly or bi-yearly session that all workers are required to attend. Chances are that no one is excited about this training or cares about it in the slightest. Organizations that conduct security awareness training just to “check a box” or meet compliance standards rarely produce trainings that have any impact on the overall company culture or improve the real security of the company.
Instead of treating security awareness training as an obligation, create the mindset that training is an opportunity to make your whole company more successful. This change in mindset starts with employers, who should be excited about security awareness and convey the importance of the topic to their staff. It can spread quickly to workers, too. When employees know that security awareness will help their company grow and succeed, which can provide new opportunities to them as team members and increase the prestige and status of their position, they will be more likely to buy into the program and see it as an opportunity rather than an obligation. Support and commitment from senior leadership and management is imperative to building a successful training program.
As part of your program, consider hosting a Security Awareness Day for your organization, creating a custom video from management, and continuous learning interventions that emphasize the importance of security and each employee’s part within your organization.
New tactics, more targeted attacks, new regulations and new technology all require a program that is up-to-date and covers relevant topics and examples. In addition to relevant information, effective security awareness training revolves around a variety of materials and offers interactive components, multi-media dimensions, and other varieties of teaching styles to engage your employees and make sure that as much useful information as possible is garnered from training. If you are not staying up-to-date on recent threats, your training may not be doing its job. Security awareness newsletters, posters and communication materials/resources, such as short videos, are a great way to educate employees on timely and recent threats.
With security issues constantly changing, shouldn't your awareness training be continually updated as well? Companies that only have one training per year, or only focus on one kind of attack, face an uphill battle in providing their employees with relevant and well-rounded information. Instead of one training experience, consider continuous learning interventions that focus on a wide variety of threats. If this seems like it is too time-consuming for your company, think back to how time-consuming and expensive remediation will be if your security awareness training fails and a data breach occurs. With the right security awareness program provider, you can easily gain access to modules, courses, videos, newsletters, posters and email templates that can be delivered throughout the year for multiple touch-points with your employees.
Absence of Defined Goals and Objectives for Your Security Awareness Training Program
Security awareness training that does not have, or align with, defined goals and objectives that can be evaluated, assessed and updated based on the progress made towards those goals frequently fails to deliver measurable results. Further, without defined objectives it is very unlikely that your organization can properly measure and track the progress of the training and improve the overall impact of security awareness training on an on-going basis. When building a strong security awareness training program, security managers should implement a training plan that includes targeted goals that are achievable and that can be measured and updated.
You can conduct all of the training in the world, have a perfectly tailored program based on the tenets above, and still see data breaches occur. How? In order for training to be successful, it has to be communicated to your employees how important their role is in protecting data. That is why some of the biggest governmental organizations maintain objectives like helping their employees “understand personal responsibility to protect information systems,” and why the right security awareness training is so important to your company. Changing corporate culture and stressing the importance of personal responsibility is an important aspect of a successful program.
Considering the requirements for “effective” security awareness training, is a security awareness program really worth the investment? Some critics say, “No,” and argue that security awareness training is a waste of time.
You, however, need to truly think about what is at stake. If you opt out and avoid providing security awareness training for your company, or go with a minimal plan to check off a compliance box, you put your company in greater danger of suffering a major data breach, which could cost you millions. Again, a recent study showed that companies without security training for their newly hired personnel reported average annual financial losses of $683,000 while those that have training for new hires reported significantly lower losses totaling $162,000. This is just considering training for new hires and indicates a definite ROI for your company.
Like any other investment, security awareness training will pay off differently for different companies. But, unlike other investments, effective security awareness training will benefit your entire employee base by helping change the way your staff views security practices, reacts to threats, and ultimately behaves in the workplace. There is no bandage that can compare to the preparation that security awareness training provides, no “quick fix” or easy way to change your employees’ behavior without investing in a well-planned security awareness program. The right security awareness program will make your company safer, decrease the likelihood of security breaches caused by employee behavior, and protect your company down the line.
So, How Does an Effective Security Awareness Training Program Look? We at Global Learning Systems have developed a comprehensive security awareness training suite of products and services and have designed a plan based on 25 years of experience working with global Fortune 100, Fortune 500, and small business customers alike, countless hours of research and program development, and the best information in the security field. We can offer your company a truly unique program that will drive employee awareness and ultimately change employee behavior, creating a more secure company culture.
Our program incorporates a continuous learning approach, graphically represented below, that includes: program strategy & planning; tools for on-going assessments and testing; communication materials like newsletters, videos and posters; a suite of scenario-based modules; a comprehensive library of in-depth and focused courses (HIPAA, PCI, general Security Awareness, Phishing Awareness, and more); as well as enterprise reporting and follow-up communication, to provide your organization a truly tailored program that meets your training goals and objectives and delivers measurable results.
Through the application of continuous, tailored interventions, we are able to meet your company’s needs in a flexible and long-term manner. The result is a comprehensive change in the behavior of your employees in the direction of safer practices.
Our approach begins with customization and localization: we can translate all of our security programs into the language your company needs, brand the learning environment (LMS), incorporate a policy acknowledgement, and add further customization options as needed. Once our roll-out consultation has identified the right program for you, we provide you with the content and the strategy required to roll out a tailored, annual program.
If you just want to provide one course, we have that option, but we have an extensive product listing we can incorporate into your program, with additional modular training on specific security topics. You will also have the option to select posters, newsletters, email templates, and short videos to remind employees of your courses’ key points, to continually highlight the importance of a security-minded organizational culture. With GLS, organizations have the option to continually add supplementary courses throughout the year to tackle topics in more depth.
As a concrete example of what our trainings can look like, take a look at our anti-phishing course. This course works to battle phishing attacks, using multiple scenarios with gamification design elements to prepare users to take on one of the most common and damaging forms of attack against your company’s data security.
First, we provide instruction through three rounds of awareness training. Your content will be hosted online for 24/7 ease of delivery and online use. Then, we simulate social engineering style phishing attacks by targeting personnel at all levels of your company (based on your authorization) with a unique variety of exploitations that include phishing, spear-phishing, instant messaging, and various Trojan exploitations. Then, when an individual falls victim to the simulated attack, we reinforce learning with a module on phishing and short related videos to capture the moment of learning.
We will work with your organization to determine the appropriate frequency of simulated attacks, and can structure programs to keep your staff thinking about social engineering and phishing year-round. By providing our awareness training in such an interactive and innovative manner, you can be sure that your employees will be able to spot the tell-tale signs of attacks from miles away, and will modify their behavior to start avoiding situations that could lead to such attacks.
Contact us today to talk about the needs of your company and how we can meet them with our innovative, continuous learning approach that is sure to make your company safer. Invest today, and keep your company safe with our continuous, proven-effective security awareness training approach.