In-depth

Our 5-minute guide to security awareness training

How security awareness training can build resilience in your business and reduce the likelihood of a successful cyber attack

Business classroom with a woman talking about cyber security, blue padlock image on whiteboard

The speed at which the security landscape is evolving can make it challenging to keep up to date with the latest threats for those on the front line of a business' cyber defences. It is even more difficult for employees who aren't involved in cyber security to know what to look out for when it comes to ransomware, phishing and data breaches.

The four major cyber security concerns expressed by IT professionals in a recent survey are a breach of confidential data, with 68% highlighting it as a major concern, followed by phishing attacks (68%), CEO fraud attacks (68%) and ransomware attacks (62%). 

All of these methods of attack can involve exploiting employees at a company, and therefore training is one way to reduce the risk of staff accidentally opening a malicious email attachment, or falling prey to a social engineering attempt.

What is security awareness training?

As the name suggests, security awareness training is educating staff about what potential cyber threats look like, so that they are able to avoid attacks. 

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

It doesn't guarantee that an employee will never make a mistake, but by raising awareness of common and emerging ways that hackers can try and get information, it keeps cyber security at the forefront of their minds.

Security awareness training should focus on three primary strands: firstly, how IT and devices should be used in the business; secondly, what security threats look like; and thirdly, how to respond both to suspicious activity, and an actual cyber attack.

Most organisations should have corporate policies about how to use devices, whether those are business-issued or personal. Shadow IT - or unauthorised business devices and apps - is a security issue that can leave businesses vulnerable, so it is important to set out and regularly reinforce expectations for what devices staff can use, and any limitations on that, particularly when they're connected to a corporate network.

Keeping employees up-to-date with what security threats look like is another important aspect of security awareness training. This can be everything from the basics of what to look out for with a phishing email, to trends right at the cutting edge of the cyber security landscape. 

Finally, it is crucial not to leave out what to do in the event of receiving a suspicious email, such as reporting procedures and who to turn to, as well as what to do in the event of a cyber attack. This can also be a good place to highlight the organisation's disaster recovery plan, to improve how the business will respond and ensure all employees are on board.

Pros and cons of security awareness training

With 56% of security professionals saying that employees are the number one cause of data breaches, there are numerous benefits to improving staff awareness of cyber threats.

Advertisement - Article continues below

Frequent security awareness training will help bake cyber security into an organisation's culture. Collective awareness is a powerful tool, and is particularly important for businesses with a high staff turnover.

If staff are being vigilant about the emails they receive, what passwords they set, and how they share information internally and externally, the risk of a silly mistake having devastating consequences for the business is greatly reduced.

One clear benefit of having regular training is increased compliance. Should a data breach happen, showing that you had adequate training in place and that it was enforced will be a key part of determining how much fault lies with the business.

However, there is always a risk that, as with too-frequent fire alarms, too much of an emphasis on security awareness training can make employees blas about potential threats. 

Advertisement
Advertisement - Article continues below

Some forms of security awareness training can also be quite costly, especially hands-on and classroom-based training, which is often more effective than an online course or internal briefings. But the costs of implementing security awareness training should be balanced against the long-term financial and reputational cost of a successful cyber attack. 

Security awareness training will also not help if an employee is intent on acting maliciously. It does, however, mean that they can't plead ignorance about policies and procedures if these are regularly highlighted in training.

How to implement security awareness training

A large part of security awareness training is highlighting bad habits that staff may be getting into, and raising awareness of the consequences. There are four main ways that security awareness training can be implemented to improve some of these simple vulnerabilities:

A classroom-style approach, where employees gather in an external or internal room for a dedicated training session. This can be delivered by a member of the IT or security team, or an external training company can be hired.

Related Resource

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now

An online course, which can be delivered to both new and existing employees on a regular basis. Online courses or training videos are often used for compliance training, fire safety and more, and can easily be used for security awareness as well. Although there is no guarantee of how engaged an employee is when doing online courses, they can be completed by new starters almost straight away, and quizzes can be used at the end to test understanding.

Internal tests are a method growing in popularity, where companies send simulated phishing attacks to their own employees. Security staff can then determine who falls prey to a phishing attack, and use that for further training if necessary. Bristol City Council recently sent a wave of spoof phishing attacks to their own colleagues, sending those who clicked on the link to a targeted training site.

Frequent reminders like posters which can be displayed prominently in an office alongside health and safety notices, or specific company emails, both of which can be used to cover subjects like what a suspicious email looks like, how to verify links, and the importance of a secure password.

The key with any form of awareness training is to keep it frequent. At the moment, just 11% of organisations continuously train employees on how to spot cyber attacks, according to global research from Vanson Bourne. 52% perform training just quarterly, or once a year.

Advertisement - Article continues below

But annual training means that a new member of staff could go for over 11 months without any form of security training, hugely increasing the risk of them accidentally clicking a malicious email, or worse.

The speed at which attacks evolve means that continuous training is the best way to keep employees up-to-date with what to look out for, as well as embedding cyber awareness into the company culture.

Who takes the initiative?

Security awareness training reduces the likelihood of employees falling victim to a cyberattack, yet which employee is responsible for organising the training? Such initiatives have been known to fall between the scope of several roles, with CIOs, IT managers, and even human resources known to pick up the mantle.

Advertisement
Advertisement - Article continues below

IT managers are understandably most enthusiastic about security awareness training, as they are well versed in cyber threats. They are burdened with at least a portion of responsibility in the event of a breach, and so typically are the people pushing for training to be deployed. But in most organisations they are overshadowed by a CIO who has one eye on a stretched IT budget.

Senior business managers may be resistant to training, since their employees' schedules would be disrupted. Though training does initially hamper productivity, in the long run eliminating security threats ensures a higher level of productivity. Needless to say, business managers usually play no more than a side-role in introducing training. 

For security to be given the attention it deserves at employee-level, it must be managed by the board. In the present day, CIOs are frequently given a chair at the top table in order to keep C-suite members aware of security issues and compliance risks. By acting as a bridge between IT managers and those at the top, the CIO can ensure the board of directors takes security seriously, going a long way to bolstering the security training programme within an organisation.

Advertisement - Article continues below

In all, the CIO would typically be responsible for bringing a security awareness program to the board, but for it to be successful, all within the organisation must buy-in to the initiative.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/security/data-breaches/354611/misconfigured-security-command-exposes-250-million-microsoft-customer
data breaches

Misconfigured security command exposes 250 million Microsoft customer records

23 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/mobile/5g/354634/boris-johnson-accused-of-doing-a-bit-of-a-runner-from-huawei-5g-questions
5G

Boris Johnson accused of doing "a bit of a runner" from Huawei 5G questions

27 Jan 2020