- On March 2, 2018
An employee finds a thumb drive on the counter in the break room. The drive is labeled “Q4 Salary Report.” He quickly plugs it into his laptop and copies its contents, curious to see what information it holds. He then puts the drive back where he found it.
Someone in your company’s shipping department receives an email that looks exactly like other emails she received from UPS right down to the package tracking link. Distracted and in a rush, she clicks on the link.
Your accounting department receives an angry email that appears to be from a client. The client is complaining about a bill they received and attaches a document showing that this bill was paid. The accounting associate who receives the email opens the attachment.
People, every one of us, are soft targets in the security landscape. Nothing is going to eliminate that fact. We’re all human and fallible. But there are ways for an organization to help its members become less susceptible to the kinds of attacks mentioned above and, along the way, to save money, improve efficiency and avoid the worst security breach nightmares.
One of those opportunities is Security Awareness Training, or “SAT.” And while this type of training has been in use for decades, a new kind of SAT that combines online training with live simulations and real-time measurements has proven to be very effective in reducing the human weaknesses in our organizations.
What is Security Awareness Training?
Security Awareness Training is any program designed to teach people to recognize and avoid security lapses and exploits. This kind of training can take many forms from online classes to in-person seminars to one-on-one coaching.
The security issues that SAT addresses can also be wide-ranging, from educating people about real-world risks, like how criminals will try to ‘tailgate’ authorized personnel through a secure entrance, to the latest email and social media phishing methods.
The goal of an SAT is to educate your team and to increase each person’s awareness of security threats and methods. A good SAT will make people less likely to fall for common, identifiable attacks and will make any organization more secure.
What are the Benefits of Security Awareness Training?
By far the biggest benefit of having an effective Security Awareness Training program is the improvement in security across your organization. Depending on the size of an organization and the type of information it handles, preventing any number of exploits each year could save the company tens of thousands of dollars or more in lost productivity, lost business and legal fees.
Security Awareness Training can also reduce your insurance premiums. Commercial liability and cyber insurance policies will cost less when an active and credible security awareness training program is in place. In the case of cyber insurance, you may even be required to have an SAT in place to qualify for a plan.
One final benefit is employee satisfaction. It’s a more difficult benefit to measure, but there is some evidence that an educated and security-savvy team performs better and has more confidence when fulfilling its duties.
What Should you Expect from an Online Security Awareness Training Program?
The exploits and methods used by hackers and thieves are constantly changing. The first thing you should expect from your SAT provider is timeliness. You won’t benefit from training resources that are not updated frequently. Pay close attention to when a provider’s training courses and materials were last updated. Also, read their news and blog feeds to see how often they are posting about recent developments.
Automated live testing can be an invaluable feature in today’s SAT programs. This type of service will allow you to send simulated email attacks to your user groups. Employees will receive authentic-looking ‘threat’ emails that entice them to take some action that would qualify as a security breach. The SAT then records which users fell for the exploit and generates a report for the SAT administrators. The program can then follow up with those users, offering additional training and resources to improve their security awareness.
Your SAT should also provide engaging and interesting training resources. These can come in many forms but are most often going to be well-produced video seminars, slideshows with audio instruction and interactive online learning programs. A training provider that only provides written material and no way to interact with users (e.g. periodic quizzes or dialog boxes) is not worth your investment.
Lastly, you will want a program that provides detailed and timely reports. The best programs can tell you who has been engaging with the training materials and how each user has performed when receiving the test emails. Ideally the reports will show you who opened a ‘threat’ email and who clicked the link or opened an attachment.
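As an added illustration (not code from the original article or from any SAT vendor), the following shows how the reporting step described above can reduce raw campaign events into the baseline risk figure and the follow-up list; the log format, event names and addresses are constructed for this example.

```python
# Constructed sample of one simulated-phishing campaign, one event per line:
# timestamp, recipient, department, event. The event names are hypothetical.
CAMPAIGN_LOG = """\
2018-03-02T09:00:01 alice@corp.example shipping sent
2018-03-02T09:00:01 bob@corp.example accounting sent
2018-03-02T09:00:01 carol@corp.example engineering sent
2018-03-02T09:00:01 dave@corp.example shipping sent
2018-03-02T09:04:12 alice@corp.example shipping opened
2018-03-02T09:04:40 alice@corp.example shipping clicked
2018-03-02T09:10:05 bob@corp.example accounting opened
2018-03-02T09:10:30 bob@corp.example accounting attachment
2018-03-02T09:15:00 carol@corp.example engineering opened
2018-03-02T09:15:20 carol@corp.example engineering reported
"""

# Actions that would have been a real breach had the email been genuine.
FAILURE_EVENTS = {"clicked", "attachment"}

def parse_events(text):
    """Split the whitespace-separated log into (timestamp, user, dept, event) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def summarize(events):
    """Collapse each recipient's events into opened / failed / reported flags."""
    users = {}
    for _ts, user, dept, event in events:
        u = users.setdefault(user, {"dept": dept, "opened": False,
                                    "failed": False, "reported": False})
        if event == "opened":
            u["opened"] = True
        elif event in FAILURE_EVENTS:
            u["failed"] = True
        elif event == "reported":
            u["reported"] = True
    return users

def phish_prone_rate(users, dept=None):
    """Share of recipients who fell for the lure: the campaign's baseline risk figure."""
    group = [u for u in users.values() if dept is None or u["dept"] == dept]
    return sum(u["failed"] for u in group) / len(group) if group else 0.0

def follow_up_list(users):
    """Recipients to enrol in additional training after this campaign."""
    return sorted(user for user, u in users.items() if u["failed"])

if __name__ == "__main__":
    report = summarize(parse_events(CAMPAIGN_LOG))
    print(f"{phish_prone_rate(report):.0%} phish-prone; follow up with {follow_up_list(report)}")
```

Recipients who only received or opened the message are counted in the denominator but not as failures, and a user who reported the email is tracked separately so that good behaviour is visible in the same report.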
How to Get Started with Security Awareness Training
At Tenrec we work with a company called KnowBe4 both for our own security awareness needs and when setting up our clients with an SAT program. What we’ll describe here is specific to their offering, but you’ll likely find a similar path with other providers. We encourage you to look at KnowBe4 when evaluating SAT offerings.
Getting started with KnowBe4 is as simple as:
- Identify who in your organization will administer the training program. This person will determine what training content to use and how the program will be rolled out to your users.
- Contact KnowBe4 (or us at firstname.lastname@example.org) to schedule a demo of their training offerings.
- Determine the number of people in your organization. Pricing is based on the number of participants.
- Start small with a simple phishing test to determine the baseline of your users’ knowledge and your organization’s risk level.
- Mold your training program and materials to fit your needs.
Set up your SAT in 2018
Looking at the proliferation of internet-based threats or attacks in 2017, we can safely conclude that there will be even more in 2018. Instituting a security awareness training program is not the only measure you can or should take to protect your organization, but it is an important step in that process. ‘Human factor’ exploits are some of the most common threats and they are very effective. Educating your personnel on how to recognize and respond to them is a critical defensive tactic.
If you have any questions or comments regarding this article or setting up an SAT, please email us at email@example.com.