No matter how far we advance, you can always rely on human error. Human error is the universal constant that someone, somewhere, is doing something they shouldn’t be. It’s not malicious, that’s a whole other bag. No, human error comes down to lack of understanding or lapse in judgment. And we’re all guilty of it. There’s not a person alive (or dead, for that matter) that can say with the utmost confidence that they’ve never made a mistake in their lives.
But the pervasiveness and inevitability of human error pose a huge problem for businesses and, more often than not, prove costly. Human error is a major contributing factor in some of the messiest and most financially devastating security breaches. In a report commissioned by the World Economic Forum, the Global Risks Report 2022 revealed that 95% of breaches were caused by human error or, put another way, by someone doing or clicking on something they shouldn’t have.
The answer to your problem? Security awareness training.
What Is Security Awareness Training?
Security Awareness Training (SAT) is a training program deployed by IT admins for their company’s users to teach them about potential cybersecurity risks and dangers, and what actions they can take to mitigate and prevent those risks. It’s important to have your employees properly trained on these risks, as often the only thing standing between a security breach and your company is your users.
There are a huge number of Security Awareness Training solutions on the market today, coming in a variety of shapes and sizes. In the majority of cases, training is delivered via a series of short online courses with multiple modules that cover areas of potential risk within a company and what users can do to prevent serious breaches and data leaks from happening.
Important topics include email phishing scams (malicious emails sent by attackers that carry malware or links to harmful websites): educating employees on what they are, how to spot one, and how to respond when one lands in their inbox. Many programs also include simulations that send realistic-looking phishing emails to users to test their ability to spot the real thing.
While email-borne threats are often the focus of these training sessions, programs also cover a range of other useful topics, which we’ll look at a bit later.
Why Security Awareness Training?
You can throw as much money as you like at your cybersecurity infrastructure, but it’s not infallible. Tactics like phishing scams are getting more sophisticated and some slip past email defenses, or an employee can accidentally exfiltrate data by sending files to the wrong recipient. In these instances, your employees end up being your last line of defense, and that last line needs to be properly trained. SAT helps your users think more critically and independently, so they’re able to spot and respond to a developing or potential attack when they see one.
For a lot of companies, SAT is actually a legal requirement. Organizations that have strict industry regulations to comply with (think PCI or HIPAA) must deliver SAT periodically. Yet even organizations that aren’t bound by such requirements can benefit from it: SAT helps keep your data safe by creating a more informed, properly trained workforce.
How To Choose A Security Awareness Training Solution
Finding the right SAT vendor for your business can be difficult. There are a lot of SAT providers on the market today, and at first glance they all seem to offer the same thing.
However, there are certain features that are important to look out for, and there are often subtle differences in approach between providers. With that in mind, there are a few things to keep in mind when choosing a solution.
Features To Look For In A Security Awareness Training Solution
Some of the top features you need to consider when making a purchasing decision on SAT solutions are:
Training Topics
The topics that the training program offers are incredibly important. These are the learning modules your employees will go through, and what is on offer shapes your workforce’s understanding of cybersecurity.
- Email-Based Phishing: Perhaps the most important topic of the training will be email phishing attacks and other email-borne attacks. Globally, 81% of companies have seen an increase in email phishing attacks since early 2020. To say the problem is unprecedented is understating things. While email security tools do an excellent job at filtering out most threats, they’re not infallible and some things do slip past your defenses, and when they do your end-users need to be ready. Email attacks aren’t a topic you need to look out for as such, since any SAT worth its salt will cover them; what matters is making sure the training is extensive, in-depth, and up to date. Email phishing attempts are getting more and more sophisticated, so SAT vendors also need to make sure the training they offer is constantly being updated and refined.
- Other Forms Of Phishing: It’s also important to note that while email phishing is the most common form of phishing, email isn’t the only vector used by attackers. Phishing attempts can be instigated through other platforms, such as collaborative work applications, SMS messages, and more. The same logic and training for email phishing also apply to these other avenues: teaching your employees to be wary of links, attachments, and unusual requests.
- Remote Working: While remote working isn’t a new phenomenon, it’s certainly taken off in recent years (looking at you, COVID), and there’s been increasing discourse in the cybersecurity industry on how to handle this ever-changing, flexible new network perimeter. Remote working can open up new avenues for attacks, and a lack of coworkers around means people are less likely to seek advice, or are unable to seek immediate advice, if they receive a suspicious email. A good topic to look out for, if you have a remote or hybrid workforce, is one that covers how to work remotely safely.
- Password Security: Passwords are the number one method of authentication the world over. Online accounts for both work and personal applications are accessed with a username and a password, with the username often being the user’s email address. The problem with passwords is that, due to their prevalence and their often weak security, they’ve become a huge attack vector for threat actors to take advantage of. Managing passwords can be hard and there’s a lot for your employees to consider, such as making sure they’re long and unpredictable, not reusing them, and storing them safely. Training modules that cover good password hygiene are critical to your network’s overall health. They educate your employees on how to safely store passwords, both digitally and in the office, and how to manage them.
- Data Management And Handling: Data is the most precious (and copious) thing a company has. A lot of the data a company handles is highly sensitive, containing information on customers, clients, and employees. It will also contain company records, plans, stats, and more. Basically, it’s all the stuff you’d want to keep inside the company and make sure it doesn’t go anywhere it’s not supposed to. Good SAT solutions will offer training on appropriate data handling, specifically covering how your users should access this data, where to access it, where to store it, how to keep it safe at all levels, and how to prevent potential data loss and leaks.
- Practical Guidance: While less concerned with technical cybersecurity measures, good SAT solutions will run training on how your users should act and behave while they’re in the office. Another term for this is office hygiene. Not everyone who walks in and out of the office will necessarily have your company’s best interests at heart, so employees need to act accordingly in how information is stored and presented in the office. This ranges from how they manage and store physical data to something as simple as why they shouldn’t write down passwords for their work accounts. Employees need to operate on what is referred to as a “clean desk” policy, i.e., sensitive information shouldn’t be on any physical medium in full display where threat actors or malicious insiders can access it. This includes documents and even sticky notes. Modules on practical guidance essentially teach employees how they can help protect data, their computers, additional devices, and their actual physical office from threat actors.
- Privacy Compliance: A lot of organizations handle a lot of sensitive information and data, including healthcare, educational, and financial organizations. Topics on privacy can help educate your team on how to keep this data safe and keep the company compliant with privacy regulations.
- Removable Media: Removable media is the term used for any storage device that can be attached to and disconnected from a computer while the system is running, which includes things like USB drives and CDs. While they’re handy for users, they’re also handy for threat actors, as a compromised device can be leveraged to install malware and ransomware on company networks. Harmful content on such media can often be set to run automatically when the device is connected, bypassing many of the cybersecurity measures put in place. Removable media can also contain sensitive information, which needs to be stored safely and properly to make sure it isn’t stolen. Employees should be taught to be suspicious of any untrusted or unknown removable media and to bring it to their IT team for scanning first.
Other important topics to look out for when looking at SAT solutions include malware and ransomware, how to traverse the internet safely, and mobile device security.
Gamification
While this feature may not seem as important as other features on this list, having SAT that has gamification attributes is one to look out for and consider before making a purchase. Gamification is essentially adding game features to the training program in order to make it more engaging, memorable, and fun for your users. Let’s face it, security awareness training isn’t exactly everyone’s idea of a fun activity, and a lot of your users will be liable to switch off mentally and not take anything in, which defeats the purpose of putting them through the training in the first place.
Gamification can take on various forms. It can mean the incorporation of interactive quizzes and other media, highly stylized and animated videos, or role-playing game features. It makes the information easier to consume and makes your users less liable to mentally switch off during the training. Game-like aspects of the training also help develop your end-users’ critical thinking skills when it comes to reasoning about potential scenarios.
While gamification adds a fun spin on things, the fact that it makes the training look good isn’t the sole reason. The whole point of gamification in SAT is to make the training memorable. Kinesthetic learning–i.e., learning by doing–is hugely beneficial in making sure things stick.
Phishing Simulations
SAT often goes hand-in-hand with phishing simulations. Often designed to be deployed straight after training is complete, phishing simulations send fake phishing emails to your users to test their knowledge and help them identify threats and report them. Phishing attacks pose one of the biggest–if not the biggest–threats to companies. Downloading a harmful file or clicking on a malicious link can open your network to follow-up attacks (such as ransomware attacks), security breaches, and data exfiltration and losses. Not only do email phishing attacks have the potential to be devastating, they’re also highly prolific.
A lot of the potential dangers covered in the topics above are contextual and might not look the same in practice as they do in theory. Attackers deploy a range of techniques and tactics–both technical and psychological–in order to dupe the receiver. In some instances, the tell-tale signs of a phishing email might not even be there. Phishing simulations help admins know that users have not only completed the training but understood it as well. Where SAT lays down the framework and tools for your users, phishing simulations help them put their knowledge into practice.
When looking at vendors, one of the key things to look out for with phishing simulations is their email templates. Good phishing simulation solutions will come with hundreds, if not thousands, of email phishing templates for you to use. If you’re looking for something more specific and want to emulate spear phishing tactics, customization is a good feature to look out for. You should then be able to configure the simulation to run as frequently–or as infrequently–as you like.
Your users will be presented with a series of fake phishing attempts they must respond to. If training has been successful, they will report and block the offending email. If an employee has failed the simulation by clicking or downloading any attached content, or by failing to flag it with admins, they can be re-enrolled in further support and training. It’s important to note that good phishing simulation tactics are there to support and aid your users, rather than “punish” them for failing the simulation. Feedback and support need to be delivered with care, otherwise users who have failed may feel disillusioned with the training overall and be less receptive to further training.
Not all SAT solutions out there come with built-in phishing simulation features, so it’s something to keep an eye out for. Phishing simulation solutions can be purchased separately, but overall, having a solution that blends the two features is preferable and more cohesive.
Reporting
Of course, it’s no good just training and testing your employees if you don’t know anything about their progress or level of knowledge, or if you know but do nothing with that information. Good SAT solutions will come with extensive and detailed reporting on your users, their level of progress within the training program, and any results collated after phishing simulations have been deployed. From there, admins can see who is doing well, who needs further support, and who isn’t taking in anything at all. Some SAT solutions will offer “grading” on users, showing admins clearly how far along and how well users are doing in each category.
Practical Things To Consider
Of course, aside from all the hot features to look out for, it’s also worth considering the product itself and how it’s going to run. What is managing and maintaining the program like? How much work is it for admins? How much does it cost? How functional is the program? It’s not worth paying for an expensive SAT solution that ends up being too costly and tricky to deploy for a small team. Keeping these questions in mind while considering a product is a step in the right direction.
Another practical thing to consider is “how is the information presented?” Generally, people don’t respond well to reams of information all at once. Content that is presented in bite-size chunks, spread out over a few days, and is in an easily digested format is the best approach. Some training and phishing solutions are offered in real-time, with real-time training alerts. The industry is forever changing and innovation is happening constantly, with lots of different features to look out for.
Summary
And finally, the last thing to consider, alongside everything mentioned above, is how are your employees going to respond to the training? After all, they’re the stars of the show and the SAT program needs to be something they’re going to enjoy (or at least pay attention to) and respond well to. It needs to suit your company’s demographic.
A workforce that’s predominantly in the age 40 and over category probably isn’t going to respond well to an off-the-wall, anime-style training program. Nor are a bunch of 20-somethings new to the workforce likely to enjoy cut-and-dry training videos that prioritize info-dumps over intuitive and kinetic learning. Sounding out your users is a good step in the right direction before choosing an ill-fitting program that ends up costing you time and money.
Keeping your employees in mind and looking out for the features listed above can help you make a better, more informed decision on your SAT solution. And remember, your cybersecurity strategy is only as good as how trained your users are.