Cybersecurity in today’s world is much more than just enabling your firewall or downloading the latest malware patch. The amount (and complexity) of systems, software, and technologies that companies of all stripes now use makes it imperative that all employees, top-to-bottom, are aware of the cybersecurity risks of all their day-to-day activities.
Depending on what industry you’re in, cybersecurity awareness training may or may not be a compliance or regulatory issue. Standards like PCI-DSS, NIST 800-171, and others often mandate that you have some form of ongoing cybersecurity awareness training program in place to prevent the loss, compromise, or alteration of sensitive data and/or critical systems. This includes monitoring cyber threats of all shapes and sizes, from phishing attacks on unsuspecting employees to outright theft of passwords and login credentials.
Needless to say, having a cybersecurity awareness training program will help your employees become more cognizant of security risks and threats and act in a more cautious and responsible manner on the job. They’ll know tips, tricks, and best practices to detect threats and have a concrete plan of action in the event of a cyber attack or breach.
But are your company’s personnel fully protecting the organization against malware, phishing, and other lurking cyber threats? Keep reading to learn more about what specifically cybersecurity awareness training is, and how you can implement one to bolster your digital defenses.
1. What Hackers are Looking For
Depending on what type of business or organization you’re in, hackers and cybercriminals will have varying goals or targets that all employees will need to be made aware of during any comprehensive cybersecurity awareness training. Hackers and malicious actors are constantly targeting things like personally identifiable information (PII), protected health information (PHI), or controlled unclassified information (CUI).
The purposes and reasons may vary, but often it’s for the commission of health insurance fraud, identity theft, and other financial crimes. Employees, contractors, upper management, interns, or any number of personnel can become targets because they have access to what the cybercriminals are looking for: PII, PHI, financial, personnel, grant, research, or patient medical information, or any other sensitive information that could potentially be valuable on the black market.
When targeting employees within a company or organization, hackers usually resort to one of the following techniques:
- Unattended Devices – Workstations that haven’t been logged out or mobile devices left out in the open are just two examples of situations that cybersecurity awareness training is designed to prevent. Unattended devices are often low-hanging fruit for cybercriminals, and personnel across your entire company need to be trained on how to properly handle devices in public, private, and work settings.
- Online Information – Hackers will often identify the social media and online profiles of their targets, in an attempt to deduce things like login and password credentials. They may even be able to figure out phone numbers and home addresses for future scamming efforts. Cybersecurity awareness training should help employees keep their social and online profiles safe, and free of sensitive information that might be used by hackers.
- Email & Phone Scams – One of the oldest tricks in the book, email “phishing” scams and fraudulent telephone calls are still more effective than most of us would like to think. Employees need to be trained on how to identify what looks like a fake email, and how to handle it so that the hacker doesn’t gain access to any sensitive data or critical systems.
- Compromised Passwords – Weak passwords that can easily be cracked, or that have already been compromised and are available for purchase on the black market, are another key vulnerability that hackers are always on the lookout for. That’s why during your cybersecurity awareness training, you’ll want to focus on password best practices like password strength, setting automatic logouts after a certain period of time, and changing to a new password on a regular basis.
You’ll want to work with your cybersecurity training partner to determine what hackers might be specifically targeting within your organization, and formulate a training plan that addresses those needs with your personnel. You’ll then be able to tailor a cybersecurity awareness training plan that emphasizes the most critical potential entry points to your employees and staff.
2. Why Awareness Training is a Necessity
Aside from preventing fraud, criminal activity, and critical data loss, cybersecurity awareness training has become necessary for several reasons that you may not have thought of. While the right systems and technologies can help prevent cybercrime and security breaches, oftentimes your physical employees are your greatest vulnerability. In general, here are the three main reasons why cybersecurity awareness training is a necessity for the majority of organizations:
1. Regulatory Requirements – If your company falls under any regulatory requirements, you’ll need to find out what’s needed from an IT security training standpoint. If your company falls under PCI-DSS or HIPAA, for example, you will need some element of security awareness training. Most regulations that require security awareness training exist because the bodies behind them, whether the Department of Defense or financial regulators, recognize that human beings are often the weakest link.
2. The Vanishing Perimeter – Thanks to Bring Your Own Device (BYOD) policies, the cybersecurity perimeter now extends well beyond the office or physical servers. The inherent vulnerability of the human element is further compounded when companies, in an effort to reduce costs, allow employees to bring their own computing devices to work. BYOD, along with the Internet of Things (IoT), is responsible for the “Vanishing Perimeter,” which refers to your network being less defensible because people in your company are using devices and connections that are not under your physical security controls. The emergence of the vanishing perimeter places an even greater emphasis on proper cyber hygiene, which can be taught by a good security training program.
3. Constantly Evolving Threats – Most importantly, your organization has to stay on top of the latest cyber threats out there that look to exploit the human element. This includes new threats like social engineering attacks and cryptocurrency-based ransomware. Hackers are constantly trying to stay ahead of the curve as it relates to the most common cyber defenses, so by conducting regular cybersecurity awareness training, you’ll be able to consistently update your employees on the new threats, and what should be done to guard against them.
Awareness training goes far beyond simply bringing your employees up to speed on how to protect sensitive data. Regulatory requirements, the Vanishing Perimeter, and the constant evolution of threats make regular, updated awareness training a necessity for risk management for any business or company that deals with sensitive information.
3. Elements of Awareness Training
Now that we know what hackers are looking for, and why cybersecurity awareness training is essential, let’s take a look at the specific elements that you’ll likely want to include in your program. While these are some of the most common elements, make sure to work with your cyber security and/or compliance partner to create a plan that suits your specific security and regulatory needs.
- C-Suite Support – In order for your awareness training program to be a success, you’ll need to obtain the support and buy-in from the very top levels of your organization. Having adequate leadership support helps not only with resource allocation for security programs, but also assists with two other elements of a strong awareness program, which are the creation of a security culture and collaboration with other departments.
- Cross Department Partnerships – Your awareness program will likely be developed by the IT department (or perhaps Risk or Compliance). But the implementation of training requires the partnership of other departments like HR and safety. Cross-departmental partners are capable of helping with various key needs, such as training delivery (in the case of live, in-person sessions) and dissemination of critical training documentation.
- Training Tool Diversity – For your awareness training to actually be successful and “sink in” with your employees, you’ll want to employ a variety of learning tools, technologies, and platforms to get your point across. Avoid “death by PowerPoint” training, and use a mix of videos, self-guided learning modules, and supplemental reading materials. You may even consider the use of gamification to keep the process fun, engaging, and goal-oriented.
- Consistency & Metrics – Unfortunately, many employees may fall victim to “in one ear, out the other” syndrome when it comes to cybersecurity awareness training. That’s why you’ll need to institute some form of metrics that you’ll consistently monitor and follow up on, to ensure employees stick with the practices you’ve trained them in. This could take the form of monthly emails from the IT team with refreshers on good cyber hygiene, semi-annual online training, or annual “all hands on deck” company-wide sessions.
- Creating a Security Culture – Beyond the specific measures that you require employees to take (e.g., changing passwords, identifying phishing emails), it’s even more important to emphasize creating an overall culture of cybersecurity within your organization. A strong security culture begins at the top and fosters the belief that cybersecurity is everyone’s concern (and responsibility). When your culture dictates that security belongs to everybody, the IT department will no longer be fighting a solo (often uphill) battle.
So, while these are the broader elements that your cybersecurity awareness training should encompass, let’s take a look at the specific topics that you’ll likely want to cover.
4. Awareness Training Topics
The topics you cover in your awareness program need to focus not just on the nature of the threats that various individuals will likely face, but on changing their behaviors over time that will result in better security organization-wide. Here are some of the topics that you and your cybersecurity training partner will likely cover:
- Social Engineering – As we mentioned, many successful cyber attacks and/or data breaches now begin with some kind of social engineering effort. Targets can range anywhere from entry-level employees and interns all the way up to executive leadership. You’ll want to cover what social information is most valuable to hackers, and how to shape employees’ online presence to guard against malicious actors.
- Phishing – Phishing is commonly responsible for incidents like business email compromise, password theft, and critical systems disruption. It’s imperative that your awareness program discuss phishing on a regular basis, and you may even conduct regular penetration testing with your cybersecurity partner to simulate phishing attacks and determine whether or not your employees are handling those emails appropriately.
- Mobile Security – The BYOD culture has made mobile security a primary concern for many organizations, and lax handling of devices can have severe consequences. There are also security precautions that should be taken when employees use mobile devices to log on to WiFi networks outside of work (e.g., at home or at Starbucks). Your training program should place an emphasis on mobile: how to avoid leaving devices unattended, and the security criteria for WiFi networks employees use outside of the office.
- Physical Security – What often goes overlooked in awareness training (and cybersecurity in general) is the need for physical security measures. Whether it’s a login password written on a piece of paper or a file with confidential financial data about a customer, employees should be trained on the digital consequences of lax physical security. Locking file cabinets, shredding documents, and other physical measures should be another topic of emphasis in your awareness training.
By now you should be well aware of the threats your organization will most likely face from a cybersecurity standpoint, and how those are most likely to impact your employees. The BYOD culture has made mobile a primary target of hackers, along with social engineering and phishing attacks. When creating a cybersecurity awareness training plan with your compliance partner, you’ll want to make sure that you have executive buy-in from the C-Suite on down, and that multiple departments have your back in ensuring the long-term success and results of the program.
You’ll want to not just implement rules and regulations, but create an overall culture of security with your cybersecurity awareness training program to instill a good attitude and reinforce good habits with your employees. And finally, don’t forget to make your training fun, interesting, and relatable. Training is often viewed as “pulling teeth,” so include different learning tools and formats, and include examples and analogies that people can relate to.