What is the purpose of a security awareness program What advantage does an awareness program have for the Infosec program?

What is security awareness training?

Security awareness training is a formal process for educating employees and third-party stakeholders, like contractors and business partners, how to protect an organization's computer systems, along with its data, people and other assets, from internet-based threats or criminals.

In crafting a good security awareness training program, companies should emphasize to employees the criticality of protecting the organization and provide an overview of the corresponding corporate policies and procedures that cover how to work securely and who to contact if they discover a potential threat.

They should also tailor the program to reach employees of all levels at different stages of their employment to keep cybersecurity a top priority and prevent any employee, whether brand new or decades in, from endangering the company.

Why is security awareness training important?

The main benefit of cybersecurity awareness training is protection from attacks on digital systems or a data breach.

Preventing such incidents is critical because a successful cyber attack can financially cripple an organization and significantly harm its brand reputation.

The 2021 "Cost of a Data Breach Report" from IBM and the Ponemon Institute put the average cost of a data breach among the surveyed companies at $4.24 million per incident -- up from the prior year's cost of $3.86 million and the highest cost in 17 years.

The volume of attacks against organizations is also growing.

Verizon's "2021 Data Breach Investigations Report" studied 29,307 incidents and reported a total of 5,258 confirmed data breaches had occurred, up from 3,950 confirmed breaches out of 32,002 incidents reported in 2020. The Internet Crime Complaint Center also reported a spike in cyber incidents in its 2020 report. Phishing attacks reportedly jumped from 114,702 in 2019 to 241,342 in 2020, along with 19,369 business email compromise and email account compromise complaints filed with adjusted losses of more than $1.8 billion.

According to "The State of Email Security Report" from IT security firm Mimecast, more than 60% of companies surveyed suffered a ransomware attack in 2020. It reported a 64% increase in email threats in 2020, with 79% of organizations claiming lack of cybersecurity preparedness hurt them.

Cybersecurity experts generally agree humans tend to be the root cause of most incidents. Many cite a 2014 IBM Security Services report, "Cyber Security Intelligence Index," which found human error was a factor in 95% of successful hacks and security incidents.

Despite the flurry of risks out there, organizations can help prevent incidents or lessen the impact of successful attacks by educating their workers on how to identify cybersecurity risks, avoid potential attacks and properly respond in an actual cyber event.

What should a strong security awareness training include?

An effective cybersecurity awareness training program should reach workers with varying degrees of technical aptitude and cybersecurity knowledge with different learning styles.

It should be multifaceted, with a collection of lessons and learning opportunities so it engages everyone in the company, regardless of their knowledge levels and learning styles. Additionally, a comprehensive program has role-based content, delivering instructional material tailored to the needs of an employee's role and even material tailored to third-party stakeholders, such as business partners and contract workers, to ensure those individuals don't put the organization at risk.

Effective programs have several key components:

• Educational content should range from written material to interactive online learning to gamification sessions so workers can access information in formats they learn best, whether it's audio, visual, etc. Content should include lessons with varying degrees of complexity so workers can access the most relevant information according to their roles.
• Follow-up and ongoing messaging reminds workers of the company's cybersecurity policies; delivers short refreshers on how to identify and avoid security risks and violations, as well as how to handle possible security problems; and alerts them to any emerging threats.
• Testing through simulated attacks, such as phishing attempts, surveys and other assessments, evaluates how well the enterprise workforce adheres to the organization's cybersecurity policies and identifies any individuals who fall short in following cybersecurity best practices.
• Measuring and reporting worker involvement in training programs, as well as the effectiveness of the organization's awareness training, help identify any weaknesses in the program and areas in need of strengthening.

A good training program typically has a mix of the following:

• formal education, such as structured lessons and mandatory instruction;
• informational learning opportunities, such as weekly emails containing tips, policy updates and cybersecurity news updates;
• experiential sessions and even gamification, where workers are required to work through simulations and scenarios to test their understanding and reinforce their training so they're better prepared to handle real-world cybersecurity challenges; and
• security champions, workers who have become particularly skilled at understanding cybersecurity and are willing to teach and promote cybersecurity best practices among their colleagues.

How to create and implement a successful awareness training program?

The chief information security officer (CISO) and the organization's cybersecurity team should be leaders in crafting a cybersecurity awareness training program and should also enlist other executives to gain support and to understand the most significant risks the proposed program should address. Those risks should align with the organization's overall cybersecurity strategy CISOs develop in conjunction with C-suite colleagues.

CISOs should work hand in hand with their human resources (HR) department, which typically lead workplace training and development, to ensure the organization has a well-formed and effective program.

Workers tapped with developing the program should incorporate the specific threats facing their industry and their organization when developing a training program since these can vary across verticals.

The security awareness training program should be comprehensive, starting with rudimentary lessons and moving up to advanced materials. It should also include an assessment process to help organizations identify a worker's level of cybersecurity awareness and subsequently create a learning pathway for them.

Additionally, organizational leaders need to consider that different roles within the organization face different risks and threats while developing the training program. For example, an entry-level employee with limited access to sensitive data and core IT systems likely encounters fewer risky scenarios than a high-level executive who works with the organization's proprietary information and financial systems or a senior IT employee who is authorized to work on the core technologies that enable the business.

Larger organizations with significant HR departments may be able to develop and deliver their own awareness training program or at least supplement it with outside resources.

Many organizations choose to outsource most or all of the training, however, considering this the most effective and efficient way to implement necessary education for its employees.

Either way, organizational leaders should have mechanisms to measure whether the training is effective at both the enterprise level and at the individual employee level.

How often should security awareness training occur?

Cybersecurity experts agree cybersecurity awareness training should be ongoing within the enterprise. Ongoing training helps workers build a security mindset, helping them stay diligent, and gives organizations opportunities to educate workers on new policies and procedures and alert them to the new and evolving threats and risks they may face.

To best achieve this, organizations should establish a schedule to determine what training to deliver to what employees and how frequently training must occur.

Security awareness training should ideally take place when a new employee joins the company as part of a mandatory onboarding process. Many experts also advocate for at least an annual certification process for employees, with a combination of formal and informal lessons available throughout the year to keep security best practices fresh in mind for workers.

When assessments, evaluations or testing indicate a lapse in best practices, organizations should consider mandatory training for the whole enterprise or for individual employees.

Many organizations opt to use a learning management system to make training content easily and readily available to employees.

Security awareness training costs and resources

The costs of an enterprise security awareness training program vary.

Organizations using low-cost or free external resources, in combination with their own existing staff, to create a basic educational program could spend just thousands annually.

The more expensive option -- approximately hundreds of thousands of dollars annually -- would be for organizations with dedicated cybersecurity awareness trainers on staff to work with leading providers to deliver comprehensive, customized lessons on a continuous basis, coupled with security team testing and assessment programs.

Various vendors also sell cybersecurity awareness training resources and services, as well as government and nonprofit organizations that provide free and low-cost information in this space.

Resources include the following:

• Cybersecurity and Infrastructure Security Agency;
• SANS Institute;
• ISACA, a professional association for IT governance;
• National Institute of Standards and Technology and its National Initiative for Cybersecurity Education, offering free and low-cost online cybersecurity content; and
• Amazon cybersecurity awareness training available for free as of 2021.