Not too long ago, most security breaches were attributed to technical failures, such as hardware malfunctions or vulnerable applications. But not anymore - a large share of breaches now begin with an unsuspecting employee clicking a malicious link, re-using a password, or following some other bad practice.
Security-related ignorance amongst employees is one of the most common causes of data breaches.
That may sound harsh, but apparently a lot of people still don’t know that using the word “password” as a password is not okay!
While it's crucial to have the right technical cybersecurity solutions in place, technology is no longer the only line of defense you need.
On top of strong firewalls, anti-virus software, multi-factor authentication, endpoint detection and response and other solutions, it’s vital that you build awareness and provide proper training through a security awareness program.
What is a Security Awareness Program?
The name pretty much says it all; it’s a formal program that’s meant to create awareness on security and train all members of a company on potential threats and how to avoid/combat them.
Security awareness programs operate differently across organizations, but the general gist of the program is always the same.
It’s all about building awareness on important information security measures and protocols in order to keep the organization (and each individual within it) safe from the growing number of cyber threats.
There can be many different goals for a program like this, but here are a few that every program should be aimed at accomplishing:
- Empowering users to take responsibility for protecting the company’s data
- Lowering the company’s susceptibility to common threats
- Enforcing policies and protocols to keep the company protected
What Should Be Included in a Security Awareness Program?
Since there are many pieces to the cybersecurity puzzle, there are a lot of different factors to a successful security awareness program.
Here are some of the key topics that should be covered in any employee security awareness training program:
Phishing
Microsoft's Security Intelligence Report called phishing a "low-hanging fruit" attack method. That's because phishing costs the attacker very little, and enough people fall for it that a campaign of scam emails or texts almost always gets a few bites.
Phishing prevention is a big piece of the puzzle. The commonly cited figure is that more than 90% of data breaches start with a phishing message, so it's worth running a separate phishing-prevention module (including simulated phishing exercises, so employees practise reporting a message rather than clicking it) instead of folding it into general training.
Smishing
This one is newer. Smishing is a social engineering technique that reaches its victims through SMS text messages rather than email: where phishing uses the inbox as the point of entry, smishing uses the phone's messaging app, typically with a link to a credential-harvesting page or a request to call back a number the attacker controls.
Many people have learned to be cautious with phishing emails. Far fewer apply the same caution to a text message, and a small mobile screen makes it harder to inspect a link before tapping it.
Malware
Malware is any software that has been intentionally designed to cause damage to a computer, server, client, or network. Malware is the larger umbrella for many different types of attacks, like viruses, ransomware, spyware, Trojan horses, and more.
It's a good idea to use malware as a starting point in the program since it's such a huge topic. Start by focusing on the tell-tale signs of an infection and how to recognise suspicious activity. Then go into the organization's specific policies on what to do about it, above all whom to report it to and how quickly.
Bring Your Own Device (BYOD)
These days, it's very rare to do your work on just one device. Chances are you're sending emails from your phone, drafting important documents on your laptop, and doing a little bit of everything from your tablet.
Letting employees use their own devices for work is known as a Bring Your Own Device policy. Personal devices are usually outside the organization's patching, monitoring and data-handling controls, so the risk of compromise is higher, and BYOD security training is a vital part of any program.
Authentication & Passwords
A weak password is, and always will be, a weak point. The good news is that password training helps: employees who have been shown how to build long, unique passwords (or to use a password manager) are far more likely to do so. Current guidance such as NIST SP 800-63B favours length and screening against known-breached passwords over forced periodic changes; a password should be changed when there is reason to believe it has been exposed.
But even a strong password isn't always enough against an ambitious attacker. That's why you also need to include multi-factor authentication in the program, so that a stolen password alone is not enough to get into online applications and accounts.
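Training only sticks if the policy is enforced where passwords are set. As an added example (not code from the original article), here is a small password-policy check of the kind an organization would run at account creation or change. The thresholds, the leet-substitution table and the tiny blocklist are assumptions for illustration; a real deployment would screen against a full breached-password corpus.

```python
# Added example: password-policy check in the spirit of NIST SP 800-63B
# (length over complexity, screen against common/breached passwords,
# reject passwords containing the username). Thresholds are assumed values.
from __future__ import annotations

# Constructed, deliberately tiny blocklist for the demo; load a real
# breached-password corpus in production.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "welcome", "admin", "iloveyou"}

# Common "leet" substitutions, undone before screening so that
# P@ssw0rd is recognised as password.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12      # assumed policy value
MIN_DISTINCT = 4     # assumed: rejects "aaaaaaaaaaaa"-style passwords


def normalize(value: str) -> str:
    """Lower-case and undo leet substitutions so screening survives trivial tweaks."""
    return value.lower().translate(LEET)


def check_password(password: str, username: str = "",
                   blocklist: set[str] = COMMON_PASSWORDS) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) < MIN_DISTINCT:
        problems.append(f"fewer than {MIN_DISTINCT} distinct characters")

    norm = normalize(password)
    # Substring match catches "password2024!" as well as "password" itself.
    for word in sorted(blocklist):
        if len(word) >= 4 and word in norm:
            problems.append(f"contains common password {word!r}")
            break

    user = normalize(username)
    if len(user) >= 3 and user in norm:
        problems.append("contains the username")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper for a yes/no decision."""
    return not check_password(password, username)


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user in [("password", "jdoe"), ("P@ssw0rd2024!!", "jdoe"),
                     ("jdoe-Spring-2024", "jdoe"),
                     ("correct horse battery staple", "jdoe")]:
        verdict = check_password(pw, user) or ["ok"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

The blocklist match runs on the normalized form, which is why the leet table matters: a rule that only compared the raw string would wave through `P@ssw0rd2024!!`, exactly the kind of "strong-looking" password that training sessions need to call out.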
How Often Should Security Awareness Training Happen?
Never assume that you can cross security awareness training off your company To-Do list as soon as it’s completed.
This should be an ongoing program, and even though it doesn’t have to happen weekly or monthly, you should at the very least provide quarterly training sessions for existing employees.
There are two other specific instances when training needs to happen.
The first is when a new employee joins the team so that the individual can learn right away how your organization handles security.
The second one is after a security-related incident.
There’s no point in passing blame or pointing fingers when there’s a breach.
Your time (and everyone else’s) will be much better spent going through a security refresher to cover how that incident could be prevented next time.
Who Should Get Security Training?
Everyone. It’s as simple as that.
Some people assume that senior executives don't need to go through training, but these members of an organization need it just as much as anyone else.
CEOs, CFOs, and COOs have the broadest access to sensitive company information, and they are the preferred targets of whaling and business email compromise attacks, so yes, they need to undergo the training program along with the marketing team, HR reps, and sales associates.
The Final Word on Security Awareness
Just remember, even though educating your employees on building security skills is a big part of staying secure, you should never rely on that alone.
It’s also up to you to implement healthy security practices and effective tools, including:
- Use multifactor authentication so that only verified users will have access
- Utilize an Intrusion Detection and Response (IDR) system to detect threats early on
- Consider deploying Endpoint Detection and Response (EDR) in order to protect all those endpoints that are no longer behind the company firewall (looking at you, remote workers)
- Perform regular vulnerability scans to close loopholes before attackers can find them
- Perform an IT risk assessment to shed light on your current security situation
Interested in learning more? Read our comprehensive guide on cybersecurity for small businesses!