Security Awareness Training: Everything You Need To Know (FAQs)
What Is Security Awareness Training?
Security awareness training is an educational program given to a company’s users in order to educate them about current and topical cybersecurity issues, security hygiene, and the dangers one can encounter when traversing the web. It strives to educate users on the steps they can take to protect themselves and the company network when faced with a range of real life cybersecurity challenges, training them to think independently and critically.
3 Key Questions To Ask SAT Vendors
- How Is The Training Given?
Let’s face it, no one likes having reams of information to read on a PowerPoint slide. It inspires people to switch off rather than engage, rendering your expensive SAT program ineffective against threat actors. More successful and impactful SAT programs model themselves on the principle of kinesthetic learning–or, learning by doing.
The best SAT programs will blend interactive videos, presentations, and quizzes that allow users to learn in a fun, creative, and memorable way at a pace that suits them. This interactive approach to learning helps your users to think critically–an important skill to have when they are inevitably faced with a real phishing email in their inbox and it’s down to them to respond accordingly.
- How Frequently Is The Platform Updated?
The threat landscape is one that is ever changing. It’s a universal fact of (cybersecurity) life. The threats and attacks we see today have come a long way from fifteen, ten, and even five years ago. They’re getting more nuanced and more sophisticated, as well as finding more avenues to capitalize on. With threat actors constantly devising new schemes, your users need to stay ahead of the curve. As such, it’s important your users stay ahead of the curve with up-to-date training modules. When inquiring about SAT programs, be sure to ask how frequently the product is updated with new and current training modules.
- Does The Platform Include Phishing Simulations?
Phishing simulations, considered an important part of SAT, is simulated phishing emails sent out to users in order to continue to train and test the knowledge of a company’s users to see how they respond to “real” phishing emails in their inboxes. A lot of people tend to respond well to reinforced and repetitive learning, so after SAT programs have ended, phishing simulations can be configured to be deployed immediately after to help reinforce what users have learned and continue to help them think critically. These simulations are also important in flagging with admins who need further training. While most SAT vendors include phishing simulations as part of the package, not all of them do, so it’s worth inquiring while shopping around.
Why Do I Need SAT Training For My Users?
While a lot of the technology that has been developed to tackle cybersecurity threats, there are still attacks that evade these defenses. There are plenty of phishing scams that slip past these security parameters and tools, as well as more direct attacks that can occur within your company building that your users might not notice.
Essentially, there will be plenty of times when the last line of defense between your company and a devastating breach and data loss is your users–so having them trained for these eventualities is absolutely critical.
Security awareness training teaches your users to think critically about their information and data hygiene, how they communicate, what they get in their inbox, and how to act and store information in their physical offices.
Features To Look For In A Security Awareness Training Solution
Some of the top features you need to consider when making a purchasing decision on SAT solutions are:
The topics that the training program offers are incredibly important. These are the learning modules that your employees will go through, and what is on offer is very important in shaping your workforce’s understanding of cybersecurity.
- Email-Based Phishing: Perhaps the most important topic of the training will be email phishing attacks and other email borne attacks. Globally, 81% of companies have seen an increase in email phishing attacks since early 2020. To say the problem is unprecedented is understating things. While email security tools do an excellent job at filtering out most threats, they’re not infallible and some things do slip past your defenses, and when they do your end-users need to be ready. It’s not necessarily a topic you need to look out for as any SAT worth its salt will cover email attacks, making sure that the training is extensive, in depth, and up to date is important. Email phishing attempts are getting more and more sophisticated, so SAT vendors also need to make sure they’re offering training that is constantly being updated and refined.
- Other Forms Of Phishing: It’s also important to note that while email phishing is the number one instance of phishing, email isn’t the only vector used by attackers. Phishing attempts can be instigated through other platforms, such as collaborative work applications, SMS messages, and more. The same logic and training for email phishing also applies to other avenues, teaching your employees to be wary of links and attachments and strange requests.
- Remote Working: while remote working isn’t a new phenomenon, it’s certainly taken off in recent years (looking at you, COVID) and there’s been increasing discourse in the cybersecurity industry on how to handle this ever changing, flexible new network perimeter. Remote working can open up new avenues for attacks, and a lack of coworkers around means people are less likely to seek advice or are unable to seek immediate advice if they receive a suspicious email. A good topic to look out for, if you have a remote or hybrid workforce, is one that covers how to work remotely safely.
- Password Security: Passwords are the number one method of authentication the world over. Online accounts for both work and personal applications are accessed with a username and a password, with the username often being the user’s email address. The problem with passwords is, due to their prevalence and not necessarily being that secure, they’ve become a huge attack vector for threat actors to take advantage of. Managing passwords can be hard and there’s a lot for your employees to consider, such as making sure they’re long and unpredictable, not reusing them, and storing them safely. Training modules that cover good password hygiene is critical to your network’s overall health. It educates your employees on how to safely store passwords, both digitally and in the office, and how to manage them.
- Data Management And Handling: Data is the most precious (and copious) thing a company has. A lot of the data a company handles is usually highly sensitive, containing information on customers, clients, and employees. It will also contain data on company records, plans, stats, and more. Basically, it’s all the stuff you’d want to keep inside the company and make sure it doesn’t go anywhere it’s not supposed to. Good SAT solutions will offer training on appropriate data handling, specifically covering how your users should access this data, where to access it, where to store it, how to keep it safe at all levels, and how to prevent potential data loss and leakages.
- Practical Guidance: While less concerned with actual measures concerning cybersecurity, good SAT solutions will run training on how your users should act and behave while they’re in the office. Another term for this is office hygiene. Not everyone who walks in and out of the office will necessarily have your company’s best interests at heart, so employees need to act accordingly in how information is stored and presented in the office. This could be how they manage and store physical data, to something simply like why they shouldn’t write down passwords for their work accounts. Employees need to operate on what is referred to as a “clean desk” policy–i.e., sensitive information shouldn’t be on any physical medium and in full display where threat actors or malicious insiders can access it. This includes documents or even sticky notes. Modules on practical guidance essentially teaches employees how they can help protect data, their computers, additional devices, and their actual physical office from threat actors.
- Privacy Compliance: A lot of organizations handle a lot of sensitive information and data, including healthcare, educational, and financial organizations. Topics on privacy can help educate your team on how to keep this data safe and keep the company compliant with privacy regulations.
- Removable Media: Removable media is the term used for any storage devices that can be attached to and disconnected from computers while the system is running, which includes things like USBs and CDs. While they’re handy for users, they’re also handy for threat actors as they can be leveraged to install malware and ransomware on company networks if compromised. Often, any harmful content downloaded can be executed to run automatically and can bypass most cybersecurity measures put in place. Removable media can also contain sensitive information, which needs to be stored safely and properly to make sure it isn’t stolen. Employees should be taught to be suspicious of any untrusted or unknown removable media and should bring it to their IT team for scanning first.
Other important topics to look out for when looking at SAT solutions include malware and ransomware, how to traverse the internet safely, and mobile device security.
Gamification is essentially adding game features to the training program in order to make it more engaging, memorable, and fun for your users. Let’s face it, security awareness training isn’t exactly everyone’s idea of a fun activity, and a lot of your users will be liable to switch off mentally and not take anything in, which defeats the purpose of putting them through the training in the first place.
Gamification can take on various forms. It can mean the incorporation of interactive quizzes and other media, highly stylized and animated videos, or role-playing game features. It makes the information easier to consume and makes your users less liable to mentally switch off during the training. Game-like aspects of the training also help your end-users critical thinking skills when it comes to thinking about potential scenarios.
While gamification adds a fun spin on things, the fact that it makes the training look good isn’t the sole reason. The whole point of gamification in SAT is to make the training memorable. Kinesthetic learning–i.e., learning by doing–is hugely beneficial in making sure things stick.
SAT often goes hand-in-hand with phishing simulations. Often designed to be deployed straight after training is complete, phishing simulations send fake phishing emails to your users to test their knowledge and help them to identify threats and report them. Phishing attacks pose one of the biggest–if not the biggest–threats to companies. Downloading a harmful file or clicking on a malicious link can open your network to follow up attacks (such as ransomware attacks), security breaches, and data exfiltration and losses. Not only do email phishing attacks have the potential to be devastating, they’re also highly prolific.
A lot of the potential dangers covered in the topics above are contextual and might not look the same in practice than it does in theory. Attackers deploy a range of techniques and tactics–both technical and psychological based–in order to dupe the receiver. In some instances, the tell-tale signs of a phishing email might not even be there. Phishing simulations help admins know that users have not only completed the training but understood it as well. Where SAT lays down the framework and tools for your users, phishing simulations helps them put their knowledge to practice.
When looking at vendors, one of the key things to look out for with phishing simulations is their email templates. Good phishing simulation solutions will come with hundreds, if not thousands, of email phishing templates for you to use. If you’re looking for something more specific and want to emulate spear phishing tactics, customization is a good feature to look out for. You should then be able to configure the simulation to run as frequently–or as infrequently–as you like.
For your users, they will be presented with a series of fake phishing attempts they must respond to. If training has been successful, they will report and block the offending email. If an employee has failed the simulation by clicking or downloading any attached content or failing to flag it with admins, then they can be re-enrolled in further support and training. It’s important to note that good phishing simulation tactics are there to support and aid your users, rather than “punish” them for failing the simulation. Feedback and support need to be done with care, otherwise users who have failed may feel disillusioned with the training overall and be less receptive to further training.
Good SAT solutions will come with extensive and detailed reporting logs on your users, their level of progress within the training program, and any results collated after phishing simulations have been deployed. From there, admins can see who is doing well, who needs further support, and who isn’t taking in anything at all. Some SAT solutions will offer “grading” on users, showing admins clearly how far along and how well users are doing ni each category.