84% of C-suites agree that employee negligence is one of the biggest information security risks, according to Shred-it’s 2018 State of the Industry report. Organizations can invest millions building layers of technology to secure a company, but that won’t prevent a well-meaning person from clicking a malicious link or giving out their password over the phone. Security Awareness Training teaches employees best practices so they reduce the risk of security incidents caused by employee negligence.

Why Security Awareness Training?

Security Awareness Training is a formal process for educating employees about information security. Security awareness education is part of a strong information security program, and this human-centric approach is required for compliance with industry standards, government regulations, and third-party risk requirements.

Security Awareness Training is important for all stakeholders of an organization. What are the benefits of cybersecurity awareness training for each stakeholder?
  • The Company – Of course, the employee’s organization has a great deal to gain from raising awareness levels. It bears the fallout of employee negligence, which can result in high costs across lost business, lost time, fines, and more.
  • The Employee – The employee benefits from awareness training from a personal perspective too. The security risks that employees should watch for to protect the organization are also red flags in their personal lives. For example, phishing happens in both corporate email and personal free email accounts. Another growing attack is the phone scam, in which the attacker impersonates IT, police, or another trusted source to gain access to company or personal computers.
  • Vendors/Customers – Third parties benefit from employee awareness training. In fact, it’s common to see large organizations require employee awareness training of anyone who wants to do business with them. The reason for this requirement is that a large business can invest heavily in security and still have an incident if a small vendor is hacked. For example, the Target breach of 2013 started with network credentials stolen from an HVAC company. Target paid out $18 million in addition to all of the costs associated with managing the breach. These requirements often come in the form of third-party risk assessments performed by large organizations.
  • Board of Directors – Lawsuits filed by shareholders against the Boards of Directors of breached companies are increasing. The Board of Directors should be aware of company policy and held to the same standard as everyone else in the organization.
  • The Customer – The customer benefits from employee awareness training because it protects their information. Most people think of an information security breach as a big headline in the news, but breaches can be much smaller incidents that may never be identified. For example, if a pizza shop takes a credit card over the phone by writing the number on a piece of paper and leaves that paper intact, the customer is at serious risk of a breach. Similar violations can occur under HIPAA if an office leaves a sign-in sheet out for everyone to read.

Security awareness training reduces the risk for all of these stakeholders and improves the service a business provides. Read more on the employee’s role in risk management.

Here’s a short example of awareness training content covering phishing and whaling.

https://youtu.be/jZJZCu79PKk

Who Needs Security Awareness Training?

Security awareness training is beneficial for organizations of all sizes. Any organization that holds customer or employee information is obligated to protect it. That information can include names, email addresses, passwords (which should never be stored in plaintext), social security numbers, customer lists, health information, and more. Of course, the more sensitive the information, the more important it is that a security awareness program be in place.

Industries that commonly hold sensitive information include financial services, healthcare, professional services, software, and manufacturing, among many others. Through government regulations and third-party assessments, this requirement has spread to construction, government, small business, and retail. Even businesses that seemingly do not hold high-risk information are investing in awareness training, from regional lawn care services, to HVAC and farming businesses, to flooring companies.

Third-party risk assessments require companies doing business with the assessor to provide information security awareness training. Anyone doing business with these organizations must certify that they have an annual employee awareness program. Typical industries for third-party risk assessments include the following:

Industry standards often suggest or require businesses to train their employees on information security. Well-known standards include the following:

  • Business Insurance
  • HIPAA
  • PCI
  • Financial Services
  • Sarbanes-Oxley
  • SEC
  • Etc.

Increasing state and federal requirements for employee awareness training include organizations dealing with the following:

  • GDPR (EU)
  • New York
  • Texas
  • Massachusetts
  • Australia
  • UK
  • And more

Organizations of all sizes and all industries should invest in information security education.

What is Security Awareness Training?

Security Awareness Training is a formal policy for educating employees about information security. Security awareness training should be delivered a minimum of once per year. Most experts recommend building a culture of cybersecurity through recurring training – preferably with a structured mix of delivery methods that includes online training, in-person training, discussions in team meetings, email reminders on important topics, posters and screensavers around the office, etc. In addition to training, organizations should simulate phishing attacks at least quarterly. Simulating phishing attacks puts employees to the test and raises awareness of the risk. Sign up for a free trial and run simulated phishing attacks on employees.

Security awareness training should cover a range of topics. While phishing is a hot item today, training should go beyond phishing to include physical security, hardware security, and digital security. Key topics include (but are not limited to):

  • Physical Security
  • Piggybacking/Tailgating
  • Visitor Management
  • Storage Devices
  • Mobile Devices
  • Passwords
  • Social Media
  • Suspicious Activity
  • Encrypted Connections
  • Safe Web Browsing
  • Email
  • Social Engineering
  • Phishing
  • Pretexting
  • Quid Pro Quo
  • Installing Software
  • Distributing Information
  • Wi-Fi Access
  • Working with IT Team
  • Common Red Flags

How to Implement Employee Awareness Training

Employee awareness training can be free – here’s a free Guide to Having a Cybersecurity Conversation with Employees. Having this conversation with employees puts most small businesses ahead of their competition. However, an organization may need to prove that all employees have completed awareness training to meet the compliance and regulatory requirements mentioned earlier, or to satisfy internal requirements from its leadership and IT team. If that’s the case, companies should invest in a platform that allows the organization to deploy awareness training, simulate phishing attacks, track employee progress, and certify that training was completed.

Wuvavi.com

Wuvavi provides small and medium-sized businesses with an enterprise-grade awareness training solution. The platform can be purchased online and easily deployed in under 3 minutes. Sign up for a Free Trial.

Bonus Content: Employees Have to Be Able to Identify Phishing Emails

Here are 6 examples, with pictures, of common phishing emails and how to identify them. This SlideShare can be easily shared with colleagues to show how to identify phishing emails.

https://www.slideshare.net/JonSantavy/phishing-email-examples-and-how-to-identify-them-106195859