
Employee Security Awareness Training: Why It’s Important

By the CISO Street Team

Employee security awareness is paramount when protecting your company from security threats since staying secure goes beyond having a good IT department.

What is employee security awareness? Employee security awareness is training your employees to recognize potential security threats for an organization’s physical and digital assets. Security is not one single department’s responsibility but rather every employee of an organization’s responsibility.

Why Is Security Awareness Training Important?

When managing an organization of people, those people are typically the weakest link in your cybersecurity chain. This isn’t an accusatory statement: While inattention to cybersecurity practices is common, the complex security and compliance tasks are often hard to follow for employees attempting to integrate them into their workflows.

And business leaders cannot ignore this issue. Consider the following statistics:

These types of attacks are all intimately linked to user behavior and knowledge—the exact place where awareness of proper security practices could mitigate breaches. Employees might understand the basics of privacy and security, but do they put them into practice? Furthermore, do they understand the specific requirements needed by your organization to meet compliance requirements?

Security awareness training is important because it meets employees where they are (their daily workflows) to provide critical information about how to avoid security risks and why performing specific security-related tasks is critical for their organization’s success.

Information security awareness and training isn’t a task; it is an investment. According to IBM, security breaches in 2021 cost an average of $4.24M, up nearly 110% from the previous year.

What Topics Should My Security Awareness Efforts Focus On?

While security threats are far ranging, there are several overarching categories under which attacks tend to occur. Your employees must understand the angles that attackers can take, from everyday emails to malware where users least expect it.

Some of the topics that an awareness program should focus on include the following:

  • Phishing Attacks (Spear and Whaling) and Social Engineering: Phishing is an attack that fools employees into handing over private data and system access credentials. Generally, phishing arrives as emails crafted to appear as if they came from people in the organization. More focused forms of phishing use information about high-level executives to fool those executives into turning over their own credentials. Employees must be able to identify false messaging and understand how to report it to the IT and security professionals in your organization. These skills should be trained for everyone in the organizational hierarchy, from temporary employees up to C-level executives.
  • Passwords, Authentication, and Access: One of the weakest points of an IT system is its identity and authentication management, predominantly because many users forgo best practices. Training here should cover creating strong passwords, storing and managing them securely, and using a different password for each account.
  • Physical Device Protection: With more employees using mobile devices and laptops, device security is critical. Training here means providing best practices for ensuring device security, including never leaving devices out in public, using secure Wi-Fi networks, and not sharing information between secure and unsecured devices.
  • Mobile Device Access and Protection: Additionally, mobile devices for work purposes are also increasingly common. Employees need testing and practice on what is appropriate to do and not do on work devices to avoid malware and traffic hijacking and how to identify malicious apps (if installing apps hasn’t been blocked by administrators).
  • Social Media and Email Engagement: Social media can be a treasure trove of information for hackers to access and use as part of social engineering attacks. And most employees give it away freely on their accounts. Knowledge of proper social media use would include vetting information before sharing and understanding what information should be left inside corporate walls.
  • Remote Work Tools and Practices: Remote work is more common, and interactions with personal and professional apps and services can threaten the security of a professional network. Employees should have information and other resources on how to manage their devices and connect to business networks.

Some of these topics will be more relevant than others (remote work, social media engagement, etc.). Others, like password management and social engineering, are important for everyone in your organization.

How Can My Organization Implement Security Awareness Training?

Security awareness isn’t just about posters on a wall and some documents provided to employees during onboarding that they (may) read once before forgetting. It calls for regular, up-to-date training.

Some ways to approach your security awareness training include the following:

  • Assessing Current Training Standards: You must know where your awareness training efforts stand. It may be that preparedness in your organization is simply a bank of PDFs in an employee dashboard. This is a substandard approach, but it gives you a place to start thinking about what needs to be addressed.
  • Establishing Awareness Plans and Policies: When actually planning training materials and policies, you can draw from two significant places: the assessments that you’ve already conducted and any compliance standards you must meet. This can seem counterproductive if you don’t have to meet compliance standards, but consider the cost. If your organization works in an industry with clear information privacy and protection standards, those standards will most likely include training requirements. If you aren’t following a compliance framework, then ask yourself, why not? Even following a framework like SOC 2 or ISO 27001 can provide a path toward developing best practices for training.
  • Create Training Materials, Courses, and Requirements Around Clear Goals: Put into place curricula, courses, and continuing requirements that meet both compliance needs and the demands of your business. If you work in a rapidly transforming industry, then training and security awareness should be equally responsive to change, with regular updates and education. Likewise, industries with technical security requirements should have training, documentation, and internal experts on hand to address security awareness for all implemented systems.
  • Staff Experts for Training: Training isn’t just a book exercise. Your organization should have dedicated managers and trainers in place to support awareness. Large companies might have entire teams tasked with managing awareness and documentation, but even smaller businesses can have people in place who know the infrastructure, who know compliance requirements, and who can either implement training or work with third-party vendors to provide it.

Developing Awareness and Training for Secure Business Operations

Secure business infrastructure isn’t a luxury anymore. Not only are enterprises and small-to-midsize businesses facing rising cybersecurity threats, but the interactions between private businesses and public agencies create even more avenues through which malicious actors can destabilize U.S. interests. The cornerstone of protecting such infrastructure is security awareness training.

The CISO Street Team is a group of experts and professionals working in enterprise IT security and management, providing insight into foundational questions of cybersecurity, information governance and compliance.
