(January 8, 2024) In a previous post, we offered nine security best practices your organization should follow daily. Many organizations aim for the best security while overlooking the basics that prevent most attacks. While cyberattacks are becoming more sophisticated, most use the same tried-and-true techniques year after year.
Our security basics checklist emphasized best practices that IT teams should implement at the organizational level. It’s important to remember, however, that individual users sit on the front lines of security. If an attack makes it past digital defenses, users play an important role in ensuring that the organization doesn’t become a victim.
That’s why security awareness training should be added to your security basics checklist. Although not a daily event, training programs should be administered regularly to provide users with the up-to-date skills they need to help combat threats.
Training Reduces Risk
Inadequate training can expose your organization to significant risks. Deploying a modern cybersecurity strategy does little good if employees use “123456” for their network password. And it only takes one user clicking on a malicious link in a phishing email to open the door to a malware attack.
Unfortunately, social engineering attacks such as phishing are increasingly successful. The 2022 Internet Crime Report from IC3 finds that organizations lost more than $2.7 billion in almost 22,000 business email compromise (BEC) attacks. Losses due to investment fraud attacks totaled more than $3 billion in 2022, a 127 percent increase over 2021. These losses are poised to increase as attackers leverage artificial intelligence to perpetrate more convincing scams.
Organizations need to ensure that training programs effectively address today’s threats. While many programs focus almost exclusively on phishing, training should cover a wide range of social engineering attacks as well as the user’s role in the organization’s overall security posture.
Make Sure It’s Effective
The first step toward implementing an effective security awareness training program is to get executive buy-in. This helps ensure that the program gets adequate funding and resources and that it’s positioned as a requirement for users at every level in the organization. If it’s pushed only by IT, legal, or compliance teams, it will become a box-checking exercise that users won’t take seriously.
Training should also be integrated into the organization’s security strategy and tied to specific business objectives. Measurable ROI metrics should be defined, and progress tracked. Establishing a learning development team, with direct involvement from senior leadership, will keep training programs aligned with the organization’s evolving needs.
Most importantly, security awareness training should have engaging content that is relevant to users’ needs and job roles. Users will simply tune out dull material. Training sessions should be short and offered frequently. Five- to 10-minute videos presented once or twice a month will be more effective than an annual hourlong presentation.
Measurement Is Key
The best training programs use a variety of formats to reach people who learn in different ways. In addition to on-demand videos, organizations should consider offering live training, lunch-and-learn sessions, and easy-to-read articles and newsletters. Video conferencing and collaboration platforms can be used to deliver training to remote offices and work-from-home users. Training should begin when a new employee is brought on board and continue regularly to help the user maintain skills and awareness.
Testing should be conducted to measure the effectiveness of the training. Quizzes should be moderately difficult and conducted sometime after the training to determine how well users are retaining the information. Some programs also feature simulated phishing attacks to pinpoint gaps in users’ ability to apply what they’ve learned.
While security awareness training should be part of every organization’s security strategy, there’s no one-size-fits-all approach. Mainstream can help you assess your users and identify gaps in their knowledge so you can fine-tune a program that best meets your organization’s needs, risks, and compliance requirements.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting, custom software development, and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.
Jeff Pracht
IT Business Development Manager
(479) 715-8629 Office
(501) 529-0008 Mobile