Most of us know that security awareness training is important to keeping an organization safe. But how sure are you that employees are actually taking preventive measures, or recognizing and responding appropriately to the security threats they personally encounter? What's more, are they equipped to deal with the compliance requirements specific to their jobs? According to technology services provider Claranet, many companies lack confidence in their users' security awareness: over 60% of organizations think that their general workforce needs to be better trained, and between 30 and 40% said the same of their software and/or IT teams. So, while we may all agree that security awareness training is necessary, making it effective is harder to achieve.
As the study highlights, this needs to change, and to gain real confidence in our employees' preparedness we need to go beyond one-size-fits-all training. Some threats apply across the board, but many attacks, and many of the controls that stop them, are specific to particular departments. To turn the tide away from poor adoption and lackluster results and toward strong security programs, we need to understand the threats that particular roles in our organizations actually face and align our training to them.
When it comes to specialized security training, one of the most obvious places to start is with IT. As the gatekeepers of your organization's infrastructure and web presence, IT and development professionals are at the forefront of organizational protection, and their skills must stay ahead of the attackers. For these roles, generic awareness content is not enough: awareness of the latest threats and hands-on practice responding to them is critical, and the content should match the job (for example, secure coding for developers and hardening and incident response for the people who run the infrastructure).
But role-based training doesn't end there. As phishing becomes more prevalent and sophisticated, many threats bypass the controls IT operates and land directly in front of unwitting end users. Those threats often target specific roles: it is not uncommon for a phish or other social engineering scheme to be tailored to a specific department or individual. Frequent targets are the holders of the purse strings, including purchasing and finance, as well as the executives who authorize financial transactions; a lure aimed at them typically looks like a spoofed invoice or an urgent payment request that appears to come from an executive. As the owners of sensitive employee and organizational data, HR is also a common target. And beyond being a target, leadership plays a unique part in an organization's security posture, as role models and as champions for your security program.
Taking a role-based approach to security awareness training also pays off in adoption. Many training programs flag, or even fail, because users feel that the training doesn't apply to them or is a waste of time. Even if you're using general, company-wide security awareness courseware, augmenting it with role-specific messaging (e.g. an announcement email that explains why security awareness matters to the finance department) and reinforcement activities (e.g. a quick quiz on finance-related security situations, or a simulated phish built around a fake invoice) provides critical context and gives users more of a sense of ownership over the training they receive. Tying the training to compliance requirements, whether mandated externally or internally, adds a sense of urgency and sharpens attention to the material.
But perhaps the greatest benefit of this approach lies in the mindset it encourages. One-size-fits-all training might do a decent job of explaining key threats, but role-based training is unique in its ability to show how each role is responsible for preventing those threats from succeeding. As users go through specialized training, they learn the ways in which they specifically, and not, say, John Doe who works down the hall, maintain security and prevent attacks. If your goal is an organizational culture in which every user is fluent in and committed to their part in defending the organization, role-based training is the way to get there.
As you decide which job roles to focus specialized training on, consider each role's relationship to the organization, the systems and privileges it holds, the specific types of data it has access to, and the compliance audits it is subject to. Role-based training serves a three-fold purpose: building recognition of the part each of us plays, educating users, and ensuring that your company stays in compliance with regulatory requirements. It involves more work on the front end as you research, select, and implement the right training and craft role-specific messaging, but it will pay back many times over in the long run, and your employees, in each and every role, will thank you for it.