There’s nothing so pervasive as human error. To err is human. This human error poses some serious real-world problems, particularly when cybersecurity is concerned. You can have the best security solutions money can buy, but your network security is only as strong as your weakest link.
Most breaches are caused by human error, about 82% according to Verizon in their 2022 report. These errors are usually when someone in your network makes an incorrect snap judgment – whether that’s clicking a malicious link, downloading a harmful file, or mismanaging saved data and archives.
In order to mitigate instances of human error, companies have introduced Security Awareness Training (SAT) to their users. SAT is a training program that educates users about common cybersecurity threats, how to respond to something suspicious, and proper cyber hygiene to protect the network.
SAT has become a vital solution that isn’t just a smart business move; in recent years, it has become a requirement from regulatory organizations. Which requirements apply will depend on your industry, the location you are operating in, and the data that you are dealing with. Ensuring that your users are properly trained on how to identify a cyberattack is mandated by HIPAA, GDPR, GLBA, PCI-DSS, and the NIST regulatory framework. SAT is such a common requirement because it is simple to implement but produces strong results. It can prevent and mitigate severe harm from threats, breaches, losses, and attacks.
What Is Security Awareness Training?
SAT is an education program designed to teach end users about potential cybersecurity risks and threats, and then train them to mitigate those risks and prevent threats from occurring or worsening.
SAT is important because, very often, your users end up being the last line of defense. If a threat has made it through your firewall or secure email gateway without being detected, you want to ensure that your employees know what to do. By knowing the key indicators, and how to react, they can prevent your company from suffering a massive data loss or breach.
In practice, SAT courses are often a series of short informational videos or interactive quizzes on a variety of different topics. There will be some basic, essential modules, and others that might be more appropriate for specific job roles or sectors. The content covers various problems, dangers, and scenarios your users may encounter in the workplace. Common and important topics covered in modular training include:
- Email phishing scams
- Identifying malicious websites
- Appropriately handling and storing sensitive information
- Maintaining good password and credential hygiene
Compliance And Security Awareness Training
SAT, in addition to ensuring your users follow best practices, has become an important requirement of multiple regulatory bodies. It’s important to have your users properly trained and educated, as cyberattacks target the ill-informed and the most trusting users.
While for some organizations SAT won’t be a requirement, it is still beneficial to have it. If your industry handles sensitive personally identifiable information (PII), there will be tighter regulations on the amount and frequency of training required. In some cases, not every user on your network will need training; it may only be required for at-risk users, or those with privileged access.
Who Needs To Stay Compliant?
HIPAA details how sensitive, personal, and identifiable information is maintained by healthcare organizations and associated third parties. It was created to protect information from a range of threats, including fraud, theft, and sharing of information with malicious intent. All healthcare organizations under this act are prohibited from sharing or disclosing any patient information to anyone other than the patient or their authorized representatives. There must be explicit permission from the patient, or from someone who holds power of attorney, before any information can be disclosed. HIPAA was created to protect patients’ autonomy and keep their private medical information confidential.
So, where does SAT come in? In clause “2(b)(1) Standard: Training”, the regulation explains that healthcare organizations must train all members of their workforce on policies and procedures that pertain to protecting patients’ health information. It goes on to specify that organizations should deploy a security awareness and training program for everyone, including management, on how to safely handle and archive sensitive patient information, in clause 5.
In some cases, SAT is not explicitly called for, but is commonly understood as best practice. This is true of the Sarbanes-Oxley Act (SOX). SOX is a US federal law that requires every public organization to retain its financial records for future use and reporting, for a minimum of seven years after an audit. The act explains that the data should be stored in encrypted, tamper-proof archives. Employees should be adequately trained on how to collate, access, and back up their company’s sensitive financial data in a safe, secure, and appropriate way.
SOX was born out of the financial mismanagement of Enron. You can read more about this history in our Email Archiving article:
People do not think of their archives as a vulnerability – but any data is a target for hackers. These archives need to be properly maintained to ensure they are secure. Users must also know how to properly collect data and information, store it, and back it up in the archive, in order to help your organization stay compliant. It is vital that users understand the importance of maintaining best practices concerning archiving and backing up data. As with HIPAA, failure to remain compliant could lead to fines, penalties, and legal proceedings.
The Payment Card Industry Data Security Standard (PCI-DSS) is a standard applicable to organizations that handle credit card data. This often includes financial organizations and, in particular, retailers. PCI-DSS requires that training be provided to staff so they are aware of cybersecurity threats such as social engineering attacks, spoofing, and impersonation. PCI-DSS further states that this training should be delivered at least annually.
For more on PCI-DSS and how to stay compliant if it applies to you, check out our in-depth guide on how here:
PCI DSS Compliant Security Awareness Training: A Comprehensive Guide
The General Data Protection Regulation (GDPR) is an EU regulatory framework that concerns data protection and privacy within the European Economic Area (EEA). It focuses on ensuring that private data is held and shared securely and with the data subject’s knowledge. GDPR was created so that individuals can have greater control over their data, how it is used, and how it is stored by organizations. It has also proven beneficial in simplifying and standardizing privacy and data regulations for EU and EEA citizens. Because it also concerns the transfer of data outside these areas, it is imperative for any non-EU organization that handles EU and EEA data to stay compliant with GDPR. In other words, if your organization has European clients, you will need to ensure that you are compliant with this regulation.
GDPR explains that organizations need to implement a SAT program that educates staff on the risks and threats affecting personal information that is stored. Users should know how it is being handled, and who it is transferred to.
The Gramm–Leach–Bliley Act (GLBA) is a US law that requires financial organizations – such as financial advisers, loan companies, and insurers – to provide their clients and customers with details of how their data is handled. This will explain how customer information is stored and shared, with emphasis on how the organization will protect its clients’ sensitive data and information. GLBA specifies that training should be given to all employees, regardless of their role. The training should cover what customer information is, how it should be looked after internally, and the proper procedures for sharing this information with authorized parties.
What To Look For In A SAT Solution
With so many vendors crowding one market, it can be difficult to work out which solution is the best one for your organization and your users. Here are some of the things to look out for when trying to decide.
Engaging Content And Interactive Training
Your users’ response to the SAT solution is a key factor, as you’ll want to ensure that they are engaged enough to learn. They’re your target audience, so ensuring they respond well to the training is critical to its success. It’s important that the training is interesting, relevant, and engaging. Training that isn’t interesting or relevant is not only a waste of time but increases the risk of your users mentally “switching off” during the training. This prevents them from learning, meaning that none of the information is taken in.
So, what does engaging training and content look like? It often comes in the form of gamification.
Gamification refers to the practice of turning activities into a game. By making it fun and challenging, users are encouraged to engage more because they are enjoying themselves. The aim of introducing gamification to SAT is that if a user finds it enjoyable, the information is more likely to stick with them. Things that are fun, interactive, and engaging are usually more likely to be remembered. Gamification also ensures that end users are actively taking part in the training, rather than being passive observers. By making users interact, you are preparing them for how to respond to a real threat. Gamification usually entails interactive quizzes, animated videos, scoreboards, and game-like features.
From a user perspective, you only want to do modules that are relevant to your job. From an admin perspective, you want to ensure that there is a vast array of topics to ensure your users are taught the relevant information. In some cases, not every user is going to need the same training modules – this depends on what privileges and responsibilities a user has. It is important to assess which of your users will need more and specific training, in addition to the standard SAT that every user should receive.
Common topics that most users should go through include:
- Phishing: This is one of the most common methods that attackers use to access your network. It’s cheap and easy to build a phishing scam, and threat actors can send out thousands of emails at once with the press of a button. Text messages are also proving to be an effective phishing method, so you need to ensure that users are prepared for attacks in whatever form they take.
- Password hygiene: Passwords, despite being the most common way we log in to apps and websites, aren’t that secure and are easily compromised. Verizon’s Data Breach report identified that over 80% of breaches are caused by stolen credentials. It is important that users understand the importance of choosing good passwords, as well as how to keep them secret. We all know that we should have different passwords for different accounts, but some users might be more willing to share their password with an “admin” user. In reality, this could be a hacker impersonating a trusted user.
- Data management and handling: This is an important topic to look for and deliver to your users when it comes to making sure your organization remains compliant with relevant laws. Users should know how to manage data, both when it is at rest and when it is in transit. SAT that covers data handling is imperative for industries and users who interact with confidential data.
- Privacy compliance: As mentioned above, a lot of organizations have to handle private and sensitive data – this can be anything from patient data to financial data. Users need to be adequately trained on what compliance guidelines they must adhere to and how to maintain privacy for clients at all times. There are different ways to handle different types of data, and in different jurisdictions. Ensuring that your employees are aware of these differences can save you time and legal proceedings.
These are the most common topics that should be covered by a SAT solution. Other relevant topics include online safety, digital behavior (especially while working remotely), and guidance on how to manage removable media, such as USB drives and external hard drives. These physical objects can be stolen or compromised, thereby putting sensitive data at risk.
It’s all well and good putting your end-users through training, but it’s important to make sure that the training has worked. One of the best ways to do this is through simulated phishing attacks. More often than not, these will be email phishing attempts, though some vendors are starting to offer SMS phishing simulations. This prepares your users for the realities of the attacks they might face.
Phishing simulations can be designed by admin users to target employees who have recently finished their SAT training. They can reveal how much of the training a user has taken in, and where they might need further instruction. Users who respond poorly to the simulation can be identified and asked to complete further training, or face more simulated phishing attacks.
In a phishing simulation, users are sent a realistic phishing email. If the user responds to the phishing email rather than reporting it, admins will be informed. The user will be warned that they have failed a phishing simulation and that the link or download was a scam. This highlights who has learned from the training and who hasn’t.
Most SAT vendors, if not all, include phishing simulations as part of the package. It’s good to look for some specific capabilities on the phishing simulation side of the solution. Phishing simulations should:
- Be highly configurable, with admins able to deploy attacks as frequently as they like
- Offer a large library of templates and the ability to customize your own phishing content
- Ideally include SMS phishing simulations; some vendors offer these, which is particularly useful in organizations with frequent phone use or work mobile phones for certain users
- Receive frequent content and simulation updates as attack trends develop
Reporting And Analysis
SAT solutions should always come with strong reporting and analysis capabilities. It is important to understand your users’ progress and results when completing phishing simulations or any other additional testing.
Reporting on user progress lets admins know exactly who is doing well and has engaged with the training, who has failed and needs further training, and who is yet to begin. SAT solutions should have extensive and detailed reporting on each of your users’ progress. This report should also detail the results of phishing simulations and ascribe a risk score to each user. Reporting and analytics highlight who may need further assistance or additional training.
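As an added illustration (not code from this article or from any SAT vendor), here is a small Python report builder that turns phishing-simulation events and training-completion records into the per-user view described above: a risk score, a status of passed / needs further training / not started, and the list of users to follow up with. The event format, sample data, and outcome weights are all constructed assumptions for this example.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical): one row per simulated phishing email sent.
# outcome is one of "reported", "ignored", "clicked", "submitted" (entered credentials).
SIM_EVENTS = [
    {"user": "alice", "campaign": "invoice-2024-01", "outcome": "reported"},
    {"user": "alice", "campaign": "mfa-reset-2024-02", "outcome": "reported"},
    {"user": "bob",   "campaign": "invoice-2024-01", "outcome": "clicked"},
    {"user": "bob",   "campaign": "mfa-reset-2024-02", "outcome": "submitted"},
    {"user": "carol", "campaign": "invoice-2024-01", "outcome": "ignored"},
    {"user": "dave",  "campaign": "mfa-reset-2024-02", "outcome": "clicked"},
]
# Constructed training status, as a learning platform might export it.
TRAINING_DONE = {"alice": True, "bob": True, "carol": False, "dave": True}

# Assumed weights: submitting credentials is worse than merely clicking,
# and reporting the email earns credit.
OUTCOME_WEIGHT = {"reported": -1, "ignored": 0, "clicked": 2, "submitted": 4}

@dataclass
class UserReport:
    user: str
    training_complete: bool
    simulations: int = 0
    failures: int = 0   # clicked or submitted
    reports: int = 0
    risk_score: int = 0

    @property
    def status(self) -> str:
        if not self.training_complete:
            return "not started"
        return "needs further training" if self.risk_score > 0 else "passed"

def build_report(events, training_done) -> dict:
    """Aggregate simulation events per user on top of the training records."""
    reports = {u: UserReport(u, done) for u, done in training_done.items()}
    for e in events:
        r = reports.setdefault(e["user"], UserReport(e["user"], False))
        r.simulations += 1
        r.risk_score += OUTCOME_WEIGHT[e["outcome"]]
        if e["outcome"] in ("clicked", "submitted"):
            r.failures += 1
        elif e["outcome"] == "reported":
            r.reports += 1
    return reports

def users_needing_training(reports) -> list:
    """Everyone who has not passed: failed simulations or never started."""
    return sorted(u for u, r in reports.items() if r.status != "passed")
```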
For more on the top features to look out for and how to choose a solution that is a perfect fit for your end users, check out our blog here:
SAT has a wealth of benefits for your organization and your users. SAT and simulated phishing attacks help to train users on the dangers they can encounter online, how to protect data, and how to approach risks with caution. With a lot of phishing attacks, a user’s judgment is the last line of defense between your organization and a breach. It is important that you give them all the tools to exercise this judgment accurately and effectively.
The fact that SAT is adopted as a requirement by a range of compliance laws isn’t all that surprising when you consider how effective it is. Data and information are assets, and an organization should handle them with caution, care, and respect at all times.
While this article has looked at a few of the most well-known regulations, there are many more regulations out there that may apply to your organization. It is worth reading up on the regulations relevant to your organization to ensure you are doing all you can.
At the end of the day, even if your organization doesn’t need SAT to stay compliant, deploying SAT and phishing simulations puts your organization in a more secure position. For a head start on some of the best SAT solutions, check out our buyer’s guide here: