The Value of Security Awareness Training
February 23, 2022 by Kenyon Fraser, CRVPM, CMMC-AB RP
Security Awareness Training, a crash course in cybersecurity, has gone from footnote to front page in the training and development of end users. As cybersecurity grows in importance, it is vital to understand what goes into an effective Security Awareness Program so you can develop an educated and alert workforce.
Security Awareness vs. Security Training
It is useful to distinguish between security awareness programming and more formal security training. NIST’s Special Publication 800-50, "Building An Information Technology Security Awareness and Training Program," notes the key distinctions. Security awareness efforts are focused on providing information and building recognition of cybersecurity concerns. Training requires more active participation and the development of specific skills. Security awareness presentations are often included as part of new hire training and are colloquially referred to as cybersecurity training. However, it is important to recognize that awareness training and cybersecurity training have different goals. Security awareness is crucial for protecting users and systems, but it may not teach specific cybersecurity skills.
Build a Security Awareness Program
A successful security awareness program will be accessible and applicable to all users within an organization, regardless of technical expertise or role. Some roles will require additional training to account for increased responsibilities and IT access. Managers, IT staff, or anyone with elevated privileges will need specific cybersecurity training for that role. The lessons and policies conveyed in a security awareness program should be required for every user throughout the organization. The topics covered should be chosen because they apply to everyone. Think of security awareness as the foundation that more advanced training will be built upon. For example, foundational training addresses phishing and identifying fraudulent links. Advanced training might include examining a mail header.
That foundation has a lot of required content. Security awareness presentations should cover a combination of basic security concepts in addition to organizational policy. Baseline requirements include reviewing organizational password standards, multifactor authentication, and acceptable use policies. Information must be placed into a context that is meaningful to users. It is not enough to list out policies in a vacuum – users should always be told why policies exist. This means identifying common threats and the organization’s practices for protecting against cyberthreats.
Security awareness should also take a detailed look at common social engineering techniques. Understanding the human factor of cybersecurity is crucial to getting all users to understand their role in the digital ecosystem. Demonstrating the specific techniques used by bad actors reinforces the defensive role of each user. Showing how everyone is an active participant in cybersecurity, especially as related to phishing messages, grounds the program in real-life situations. Giving users a more practical understanding of how threats appear is an effective supplement to reviewing defensive tactics.
Customize Security Awareness Program
These standard building blocks do not mean that security awareness is one-size-fits-all. Different organizations are subject to different threats which should be addressed in the security awareness program. Security awareness training should be customized to include previous incidents and known threats. Industry and business sector concerns should also be recognized and considered. Additionally, security awareness programs should address relevant and evolving security concerns. A presentation that was appropriate in 2018 will not be effective in 2022. When developing or choosing an out-of-the-box security awareness program, it is important to take these variables into consideration.
Care also needs to be given regarding the presentation’s tone. Presentations that are too slow or dense in content may be overwhelming. Attendees are unlikely to stay engaged through hours of policies being read verbatim. One common way to make these topics more exciting is to use fear tactics, but those are also ineffective as a training tool. While bad actors may be intimidating, scaring users may lead to falsely assuming everything is malicious. Successful security awareness programs will not create an environment of fear or discourage users from engaging with their work. After a security awareness presentation, users should leave feeling better equipped, i.e., more aware, to handle various threats than before the presentation.
The delivery mechanism of security awareness training is another aspect to consider. Different people have different styles of learning. Instructor-led sessions can be a great way to introduce users to complicated topics. Recorded videos offer less opportunity for interaction. However, they can be combined with discussion sessions after the presentation to ensure lessons are understood. There are also ways to supplement awareness efforts in between formal presentations. Email campaigns, posters, or even custom screen savers can be effective ways to reiterate messages and enable continuous learning.
Develop Your Cybersecurity Defenses With Security Awareness
Security awareness cannot be a one-time affair. Even if the core content – strong passwords, multifactor authentication, etc. – remains similar over time, the message needs to be repeated. It is natural to relax on training for security measures over time. It is better to acknowledge this tendency and plan for it than to assume a single awareness session will provide a high level of ongoing effectiveness. Recurring exposure to security awareness content is crucial for maintaining an appropriate level of vigilance.
Security awareness programming should be held, at minimum, annually. This does not mean limiting security messages to just a single annual presentation. Smaller, less intensive techniques such as email notifications or group discussions can keep topics fresh and top-of-mind. Dedicating resources to continuous security awareness will also make it easier to address any new threats that may arise. Organizations with dedicated channels for sharing threat information will deliver vital news to end users sooner than organizations without such channels.
Security awareness is a critical part of securing systems and users. Technological defenses will fail if end users are not adequately prepared to recognize potential threats. Recognizing the human component of security is crucial in building an effective security awareness program. Effective training translates into an educated and alert community.