By: Darcy Kempa
May 24, 2021
One of the best security measures for any organization is to improve employee security awareness. An organization can extend its cybersecurity team's efforts by educating and engaging all employees. In this way, employees can help reduce risky behavior, report suspicious emails or activities, and improve the organization's cybersecurity posture at little to no additional cost.
Develop Interactive Training
Employees retain subject matter significantly better when they can interact with the training material. A newly learned skill can be applied in real time, producing immediate positive or negative feedback. This helps the student to see, and hopefully understand, any incorrect answers.
An example of this would be to show the student a fraudulent email with highlighted errors. The student is then expected to identify similar errors in a different email example. The submission is then graded, and any incorrect answers are pointed out to the student. This is better than the traditional slide presentation coupled with a test at the end of the course.
Make Security Awareness Relevant
Organizations have different employees fulfilling different roles and responsibilities, and security awareness should be tailored to these differences. There are two main reasons for this. First, there is no added value in providing education on a subject that an employee will never see or use on the job. For example, training someone on the proper use of external storage devices would be a waste of time if they never use them at work.
Second, focusing on role-relevant security awareness helps employees and managers understand the vulnerabilities specific to their jobs. This, in turn, helps senior management understand the scope of risks across the entire enterprise. For example, security awareness training relating to email would apply to all employees, while database security may only be required for Human Resources or Accounting.
Utilize Real-World Examples
Security awareness, or the lack of it, is often best understood by analyzing incidents at other organizations. Such a case study will normally identify the victim's prior assumptions, the attacker's entry path, the extent of the damage, and possibly the post-attack corrective actions. This benefits an organization by showing employees that the threats are real and that their role in security awareness matters.
Create Shorter but Better Training
Some organizations view security awareness as an annual training requirement. They give employees a deadline with the expectation that a dozen courses can be completed within a week or two. Employees then push their work aside and dedicate themselves to hours of presentations and tests. For these companies, the goal is compliance and not necessarily better-trained employees.
A different way to provide this training is to break it down into shorter, more manageable modules. The modules can then be delivered throughout the year with less stress on the organization and its employees. If the expected completion time for a module can be held to 20 minutes, the training can be completed during a break or lunch. This format also makes security awareness a monthly occurrence instead of an annual event.
Formalize Security Awareness
Formalizing security awareness provides authority to the endeavor and shows senior management support. Security awareness must be an "all-hands" effort supported by everyone, performed by everyone, and coordinated by someone. Senior management recognition supports this and allows training requirements to be imposed upon departments and divisions. Employees must understand that security awareness is not optional but rather a "must-have" to ensure network and data security.
Security Awareness Sources
The following are potential sources of security awareness information.
- News articles on successful hacks
- Relevant frameworks and controls
- Industry associations
- Manufacturer manuals
- Organization policies and procedures
Cybrary provides online training courses in information technology and cybersecurity. These courses cover a myriad of subjects, from project management to penetration testing to auditing.