Why and how to provide impactful cybersecurity training within your business
Following well-publicized ransomware infections and the operational disruptions that followed, such as those that struck an essential American fuel distributor, a major meat-processing company and the city of Atlanta, and following heightened threats due to Russian hostilities in Ukraine, cybersecurity has assumed new levels of importance at almost every organization. Consequently, everyone from the Department of Homeland Security and its CISA division to the FBI regularly publishes guidelines, recommendations and alerts, one constant of which is the importance of educating and training users in proper computer, network and cybersecurity practices.
Through what is often referred to as security awareness training (SAT), organizations can adopt educational routines whereby users are properly alerted to the many and clever methods malicious actors use to penetrate networks, corrupt data, steal information and trigger disruptions. Such training is particularly important because the methods cybercriminals use have become more sinister and nefarious and may differ from those users were previously taught to recognize.
With hackers now leveraging artificial intelligence (AI) and machine learning (ML) technologies to bolster their phishing (fraudulent emails that typically try to trick victims into clicking on a virus-laden attachment or revealing sensitive credentials), spear phishing (similar to phishing, but the hacker impersonates a trusted contact), vishing (like phishing, but hackers introduce a voice call in which a trusted contact is impersonated to further deceive the victim), smishing (similar to phishing, but via a text message instead of an email) and other social engineering-powered attacks, organizations must ensure users remain current with the latest methods malicious actors are adopting. Considering a recent report revealing that nearly half of all successful hacker attacks succeed because hackers steal the credentials required to breach network defenses, the sooner such training occurs the better. Although IT departments have been busy improving their own cyber defenses, deceiving users remains an effective method of penetrating organizations, corrupting information, compromising sensitive information and encrypting essential data and systems, leading to operational disruptions that can bring business to a halt.
Depending upon the industry in which an organization operates, companies may be required to provide security awareness training, and to ensure employees complete it, in order to remain compliant with the corresponding regulations. Such requirements arise, to name a few examples, in environments governed by the Payment Card Industry (PCI) standards, the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).
Security Awareness Training Providers and Resources
A well-educated team helps organizations avoid cyber heists in which phishing efforts prove successful and cybercriminals gain access to networks and data, hold systems hostage, steal funds, introduce delays, interrupt operations and otherwise compromise business. Firms can choose from a variety of options to address cybersecurity training needs. For example, they can create their own education programs in-house, hire a consultant or tap the expertise of a security training provider, of which there are numerous choices. Here are but a dozen popular security awareness training providers:
- Arctic Wolf
- Inspired eLearning
Even those companies opting to go it alone will find plenty of assistance available online, as numerous free resources exist.
CISA offers a variety of supplemental support materials, including Protect Your Workforce Campaign downloads. Cybersecurity guidance posters, brochures instructing users how to report suspicious cyber incidents, physical security tip sheets, workplace protection handouts and other resources are all available for free at its website.
The SANS Institute, meanwhile, provides a complete complimentary Security Awareness Training resource kit that organizations can download to guide their security awareness training. Designed to assist and guide a firm’s independent cybersecurity education campaign, the download (which includes pre-prepared Word documents, Excel spreadsheets and a PowerPoint presentation, among other resources) provides a ready-made program using proven materials that are appropriate for those new to security awareness as well as for more experienced practitioners.
What security awareness training should consist of
Properly structured, security awareness training should consist of multiple components, not just one or a handful of educational sessions, no matter how thorough. Common elements should include planning guides, assessments, content (the actual training information), supporting materials (such as handouts and leave-behinds users can reference later, once the freshness of a training session inevitably subsides), quizzes and tests, and follow-up surveys. Firms can deepen their cybersecurity training commitment by contracting with a provider to occasionally conduct tests in which fraudulent messages mimicking real-world phishing efforts are sent to users to gauge preparedness and provide opportunities to reinforce training lessons. Follow-up messages and reminders, including in the form of posters, can also help maintain awareness long after webinars and online tutorials have ended.
Many security experts agree, as one leading security training provider (KnowBe4) confirms, that effective training programs rely upon a mix of formal learning, informational training and contextual testing, backed by continual reinforcement. Among such initiatives, a firm’s actual culture, and the focus and purposeful importance placed upon adopting, observing and practicing proper security fundamentals, are the factors that play an outsized role in determining the training investment’s success. Toward that end, regularly and continually reminding users (using email reminders, posters, alerts, bulletins and similar methods) almost always pays dividends by supplementing quality training.
Simply creating and presenting or providing ready-made training materials, and requiring that users complete the material and take a quiz or test or two, will not provide effective results in the long term. Instead, training must be engaging, repeated and reinforced, including by senior staff and by an organization’s culture. Security awareness training can also no longer be a case of “do as I say, not as I do.” With hackers regularly creating imposter websites, scouring LinkedIn profiles and targeting specific executives within organizations of all sizes as part of their ever more sophisticated social engineering, phishing and criminal activities, it’s more important than ever that everyone within an organization receive security awareness training and apply daily the principles and best practices gained from such efforts.
Still have questions or need assistance getting your own security awareness training initiative off the ground? Call a Louisville Geek expert at 502-897-7577 or email [email protected].