Proactive Security Awareness Trainings Matter
Awareness training, after an incident, is about as valuable as an oven mitt after burning your hand taking something out of the oven. It's important to proactively expose your teams to what threats look like and what the cost of a successful breach would be to your organization. Why?
Security awareness training programs are important because attacks are subtle; the goal of most attackers is to catch your team simply not paying enough attention. So how do you build a security awareness program in 2019 to keep yourself from showing up on this list? Here are 8 areas to ensure you include in your security awareness training program.
1) Privacy and Compliance Training
From HIPAA to PCI, it is vital that everyone in your organization understands what the expectations and requirements are in the security framework you adopt and the industry you operate in. Costly vulnerabilities often arise from the wrong person having to great of access or leaving documents around, not sophisticated hacks.
Despite the entire organization attending compliance trainings, more often it is the case that only a small percentage of employees know the extent of expectations associated with compliance. The rest are just signing their consent because they have to. It is important to make compliance a part of day to day life so that your teams are doing the right thing. There isn't a HIPAA mulligan for carelessness. Operating in an industry legislated by HIPAA means failure to meet requirements and suffering a breach could literally put you out of business.
For those in your organization wondering why someone would steal personal health information, highlight what else is in a person's medical records and why medical data is being sold for more on the dark web than financial information.
2) Phishing Awareness Training
Phishing is one of the leading causes of data breaches, ransomware and malware affecting organizations. Phishing isn't limited to email; it can also occur via phone and text with attackers aiming to lure someone from your team into divulging valuable information. Sometimes these attempts are easily spotted, other times things can get trickier (like when an email spoofing is at play).
Organizations should prioritize awareness of phishing attempts, even sending out tests to get a clear indication of your team's actions. As outlined in a recent Dashlane study, the average cost of a successful phishing attack for mid-sized companies is $1.6MM.
Security awareness programs should prioritize phishing, since it take one employee who isn't paying their full attention to expose the company to massive risk.
3) Password Best Practices
Passwords today are like floppy disks ten years ago. Antiquated but pervasive. With today's technology around AI, biometrics, multifactor authentication (MFA) — passwords shouldn't be used any more. But until they are completely gone from our lives, remember the following:
Using an easy to remember (and hack) password is an obvious no-no. Same with keeping login information on a post-it note; yet organizations are faced with the challenge that employees continue to prioritize recall and ease over security.
Even if you do get through to your team around password best practices, it's not just about making passwords more difficult; it is important for your team to understand why recycling personal passwords is a terrible idea. When team members recycle personal passwords, a successful hack can stretch from personal email and bank accounts to accessing critical company data.
Training your teams on the value (and ease) of using a secure password services like Dashlane or Keepass or LastPass can drastically improve your security posture. These tools also make security much easier, which should be a welcome feature for your teams. No one likes extra effort for the same outcome.
And most importantly, use MFA whenever possible.
Videos like the one below are funny, memorable and, more importantly, get the point across.
4) Data security
With more data and resources stored in the cloud and organizations becoming increasingly distributed, vulnerabilities arise with the ease of accessing and sharing information. It is important for your teams to treat access to data seriously. You wouldn't leave personal information at the printer, so why would you share it in a format that can be forwarded or saved without your knowing.
Your security awareness training program should prioritize teaching your team the importance of keeping data where it belongs and not where it doesn't. That means being mindful when saving critical information to a local machine or device as well as being careful with how you share information.
Typically the result of a phishing attack, employees often don't think much of ransomware because unlock password breaches and requests for money, it has never happened to them.
That isn't because it is a rare occurrence; it's simply because ransomware attacks prioritize businesses because the payoffs are much larger. In fact, more than 12% of attacks on small to midsize businesses are ransomware attacks. That means it is more a matter of when than if and it is important for your employees to understand what an attack looks like and what to do during your security awareness training program.
7) Office hygiene
Access to physical information can be just as detrimental as digital. If your trash bins are regularly filled with intact papers or printers are littered with piles of reports yet to be fetched, your organization is exposed to risk. Your security awareness program should ensure your teams understand why there are key fobs to get in the door and why shredders live next to every printer.
It isn't just the cost of replacing the hardware should your business be burgled; there is an exponentially greater cost to your businesses upstanding and reputation if the thieves are able to access critical data sources or information on the machines because the proper controls are missing.
Better yet, embrace cloud and get rid of all papers...
Bonus Security Awareness Training Topic
GDPR's data privacy laws extend well beyond the geographical walls of Europe. Certainly if you expect to do business in the EU, you must be familiar with the different rights awarded to users when it comes to their data. But even if you don't operate in Europe, the data privacy tide is rising for all nations.
What is defined as personal information in GDPR is anything that can be used to identify a user. A name? That's easy. But if you can you multiple otherwise anonymous data points to triangulate to an individual, all of that data is also considered personal information. That means the scope just broadened drastically.
Your teams need to be familiar with what data they have and what the right to privacy means for the users.
The Most Important Thing: Make the Training Stick
Security awareness training programs are time intensive and have a cost, both in implementation and the cost of getting it wrong. So make sure the information sticks by making the program engaging and fun...otherwise you are vulnerable and out thousands. It's more important for your team to recall what to do when facing a choice that may expose your organization, than making the wrong choice but the training was serious(ly boring).
The good news is engaging (funny) and useful security awareness training resources exist. Free options like this collection of 9 Cyber Security Awareness training videos abound if you are willing to dig around yourself.
Don't have the time, energy or willpower to create your own ? The computer-based security awareness training industry is expected to grow to more than $1.1B in 2020 according to a 2017 Gartner Research study. Services like Mimecast Awareness Training are funny, professionally produced and centralized with videos and assessments covering various topics. It will also scratch the compliance itch needed.
Security awareness training is the start...so how do you measure the impact?