If you’re tasked with securing your organization, your employees are usually one of the first priorities. Malicious actors know that employees are often an easy way to break into a company and many of the most common types of attacks target employees. These can include:
Many of these attacks have surged dramatically since the pandemic. The Anti-Phishing Working Group (APWG) reported that June 2021 saw over 200K phishing attacks, the third-worst month since they began tracking, carrying a trend of a record number of attacks in the first half of 2021.
Ransomware is also on the rise in a major way, with the banking industry seeing a 1300%+ increase in ransomware attacks in 2021.
While there are risk mitigation tools and processes that can prevent and reduce the risk of attacks, employing a security awareness training (SAT) program can be an extremely effective way to ensure your employees aren’t a risk vector due to their lack of knowledge. However there are a number of pitfalls you should avoid to ensure the program is as effective as possible.
Here’s a list to keep in mind.
Many security awareness or cyber awareness training programs are conducted either once a year or done during onboarding. However, this runs into a number of issues.
If you’re using the same SAT program you used three years ago or even farther than that, you’re probably using outdated information and may not even be addressing common or critical risks your employee is likely to face.
Your SAT provider should be updating their program constantly and you need to validate that the security training is updated and offering up-to-date solutions to potential threats or vulnerabilities.
During the onboarding process, employees aren’t thinking “how can I keep the company safe?”, it’s “how can I do my job?” Security and cyber awareness training just isn’t a priority for a new employee — depending on how inconvenient it is, the training may just go in one ear and out the other, largely erasing any security benefits the SAT program is designed to provide.
Security awareness training should be an ongoing effort as long as it’s reasonable. Realistically, you don’t want to take up all your employees’ time training them on how to be secure. But having employees pass a test or a one-time training program is too point in time and doesn’t apply any real-world scenarios.
Many SAT program providers also provide simulations or tests in the form of phishing or social engineering tests. This will help you see whether your employees in key departments know what to do in the face of a potential spam, phishing, or BEC email attack.
Not only is it important to know that they won’t mindlessly click on or download any attachment. They should also be alerting you and flagging the email. Real-world tests and simulations allow you to spot employees or departments who may not be prepared. This isn’t an opportunity to shame or publicly denounce the individual or department, it’s just a way to prioritize who needs additional training and follow-ups.
Not all employees carry the same risk and your security training should reflect that. Some key employees include:
As you build out your security awareness training programs, you should consider these different types of risk and priorities. A starting point could be:
Having a strong and effective Security Awareness Training program is a process and will take some time. There are some fundamental and basic steps to take and you should look for opportunities to further build out the program in order to truly educate your employees. Here’s a sample timeline for having a strong SAT program.
Empowering employees with knowledge to spot and raise the alarm in case of an attack is important but your responsibility doesn’t end there.
Ensuring you have foundational prevention, detection, and response capabilities (via tools, vendors, partners, etc) is a part of a strong overall security posture. In case of a compromise, these kinds of tools, coupled with knowledgeable employees will help you recover faster while identifying what went wrong so it doesn’t happen again.
Be sure to disprove these cyber security myths in your SAT training.
Josue Ledesma is a writer, filmmaker, and content marketer living in New York City. He covers cyber security, tech and finance, consumer privacy, and B2B digital marketing.View all posts
Don’t miss out on exclusive content and exciting announcements!