How does Security Awareness Training Reduce Risk?
There are numerous tools to include in a security toolbelt. No single tool is the end-all-be-all of security solutions. A successful security program relies on pulling together numerous pieces of software, hardware, and administrative tools to safeguard an organization.
Compiling that infrastructure comes at great effort and cost to organizations. It can represent a significant investment made to insure appropriately against a catastrophic breach.
That investment can be completely undermined by one phishing email. Because of that, security awareness training is the most effective tool you can add to your toolbelt. It’s cost-effective and operationally effective. It also provides a solid foundation for staff upon which a security program and a culture of security can be built. Most cyber insurance programs require it for coverage. If you’re a service organization, your clients will likely demand that you have it in place.
There’s a plethora of reasons to invest in security awareness training. There’s no reason not to invest in it—failing to do so is the ultimate case of “penny wise, pound foolish.”
This article will cover how security awareness training is typically developed to reduce risk, how it seeks to accomplish that risk reduction, and what you can do to reinforce that risk reduction. Ultimately, security awareness training is a service that enables safe business operations and can save significant money in the long term.
Security Awareness Training as a Security Foundation
Security awareness training is the platform upon which a successful security program and a security-aware culture are built. It addresses a critical need by closing one of the most significant risks to an organization: staff compromise.
Security awareness training, broadly, is designed to address systemic environmental risk. It accomplishes that by focusing on the human side of compromise: many threats in corporate and home environments leverage human behavior for their success. Typically, threats prey on human fight-or-flight behaviors by manufacturing urgency or presenting over-the-top threats that people are generally ill-suited to address.
Security awareness training addresses those reactions by providing a baseline for evaluating those situations. Most security awareness training focuses on human judgment and the propensity for that judgment not to be finely tuned for specific conditions. It helps adjust that judgment to make people more adept at spotting threats and avoiding them.
The primary goal of security awareness training is to show people how to avoid engagement altogether. It also provides tools for removing oneself from a situation once engaged with a potential security event or responding to an actual and ongoing security event.
Security Awareness Training Provides a Baseline for Users’ Understanding of Cybersecurity
Security awareness training essentially achieves its goals by identifying and baselining what cybersecurity is. It does so in a way that emphasizes the criticality of cybersecurity safety practices, the consequences of not following cybersecurity safety practices, and (most importantly) how to engage in safe practices.
Criticality of Cybersecurity Safety Practices
Most training provides a foundational explanation of why an organization engages in cybersecurity and cybersecurity’s place in the organization. Typically, this segment of a training program seeks to establish authority by citing other high-profile cyberattacks, potentially within the same industry, to highlight the damage a cyberattack can cause.
Consequences of Not Following Safe Practices
This segment of a training program may also highlight the consequences of an attack focusing on a specific industry. Examples of what that could look like are:
Financial Sector: Cyberattacks leading to significant financial loss for a firm and/or its customers; loss of personally identifiable information requiring credit monitoring
Healthcare Sector: Cyberattacks causing patient deaths or diminished outcomes; reputational harm damaging the bottom line; significant HIPAA fines from CMS; loss of Joint Commission accreditation; loss of personally identifiable information requiring credit monitoring
Utilities Sector: Cyberattacks causing loss of life or injury, significant impacts to critical services, and loss of personally identifiable information requiring credit monitoring
Establishing a clear operational case for why security awareness and cybersecurity are important establishes a personal connection to an event. In doing so, it instills a sense of responsibility and encourages participation. Ideally, that would advance involvement in training and improve general cybersecurity outcomes.
How to Engage in Safe Practices
The majority of the training, then, should focus on the adoption of safe practices. Typically, this involves an overview of generally safe operations, like:
Physical security: keeping clean desks, not letting people look over your shoulder, watching for tailgating at entrances, etc.
Access security: locking the computer when you’re away, not sharing your username and password, password complexity requirements, etc.
Email security: how to avoid phishing emails, how not to communicate sensitive information, etc.
Other security considerations: this can include industry-specific information like HIPAA compliance for healthcare, social engineering attacks for customer service, etc.
Generally safe operations, like those highlighted above, are vital to keeping your workforce and business safe.
This is the opportunity to highlight the rules of the road with respect to security and to incentivize the workforce to follow those rules. This is necessary for the workforce to understand what constitutes safe or unsafe practices. Remember: most people do not interact with threat actors most of the time. They will not know the telltale signs of an attack or how to avoid it.
The key to this training section is how to evade or address an attack. In most cases, this is an opportunity to highlight incident management and incident reporting processes. It’s also an opportunity to identify to the workforce how they need to respond during an incident.
This is also an excellent opportunity to highlight that the workforce can escalate concerns around phishing, social engineering attacks, or other forms of human-centric attacks. There should be some internal escalation process—whether that’s the ability to report phishing via email, the ability to escalate potential social engineering calls to a manager, or the ability to not respond to perceived attempts at both. Whatever process an organization adopts, its workforce should understand precisely what those processes are and how to follow those processes without fear of reprimand that will disincentivize safe action.
Enhanced Risk Management Topics
Awareness training can be more effective by focusing on specific, high-profile topics. Typically, those topics are identified based on threat commonality: the more prolific a threat, the more return on addressing that threat directly. Over the past couple of years, a couple of major human-centric attacks have been widely prevalent. That is a trend that only seems to be increasing in commonality.
Phishing is a kind of attack where a cyberattacker sends out hundreds or thousands of emails carrying malicious links, malicious attachments, or links to credential-harvesting pages. The cyberattacker relies on urgency or routine activity to catch an end user off-guard.
Phishing is so successful because of how it operates—as I highlighted above, it preys on a fight-or-flight response. It also preys on an inability to address the situation due to unfamiliarity.
The best way to train for phishing attacks is to illustrate to staff what a phishing attack looks like. By educating and building awareness, you build memory and familiarity around how to deal with phishing.
Many security awareness training programs include telltale signs of a phishing email. They may even share images of simulated or actual phishing emails to highlight what an attack can look like.
Truly successful security awareness training programs pair those examples with “live fire” tests in the form of phishing emails sent to staff by an internal team or phishing training platform. Providing live examples of phishing emails allows staff to interact safely with those emails. In interacting safely with those emails, the staff becomes used to handling those emails in the environment in which they’ll typically interact with external threat emails.
The effectiveness of those exercises can also be increased by pairing positive and negative reinforcement with those exercises. If a workforce member fails the exercise, then they can be informed that they would have been phished and be required to submit to mandatory training. If the workforce member succeeds in spotting the training phishing email, they can be acknowledged and rewarded, reinforcing the good behavior.
In aggregate, numerous training exercises expose staff to secure behavior and help instill a culture of security and safety in an organization. It allows staff to be mindful of safe and secure operations in their day-to-day work. By reinforcing that secure behavior, staff may be well-incentivized to behave more securely and be more aware of security operations in other facets of their work.
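One way to turn the “live fire” exercise described above into the pass/fail, training and acknowledgement decisions it calls for is to score the events a phishing-simulation platform records. The following is an added example, not code from the original article or from any particular training platform: the event log is constructed, and the field names, action names and scoring rules (any click or credential submission is a failure; a report without a click is a pass; a report after a click still fails but is flagged, since late reporting is still useful to the incident response process) are assumptions.

```python
"""Score a simulated phishing exercise from a constructed event log.

Added example (not from the original article). Assumes a simulation
platform records one (user, department, action) row per user action;
the action vocabulary and scoring rules below are assumptions.
"""
from collections import defaultdict

# Constructed sample events. Actions used here (assumed vocabulary):
# "delivered", "opened", "clicked", "submitted" (credentials), "reported".
SAMPLE_EVENTS = [
    ("alice", "finance", "delivered"),
    ("alice", "finance", "reported"),
    ("bob", "finance", "delivered"),
    ("bob", "finance", "opened"),
    ("bob", "finance", "clicked"),
    ("carol", "helpdesk", "delivered"),
    ("carol", "helpdesk", "clicked"),
    ("carol", "helpdesk", "submitted"),
    ("carol", "helpdesk", "reported"),   # reported only after clicking
    ("dave", "helpdesk", "delivered"),
    ("dave", "helpdesk", "opened"),
    ("erin", "finance", "delivered"),
    ("erin", "finance", "reported"),
]

# Any of these actions means the user would have been phished.
FAIL_ACTIONS = {"clicked", "submitted"}


def score_users(events):
    """Return {user: (department, outcome)}.

    outcome is "fail" if the user clicked or submitted credentials,
    "pass" if the user reported the email without doing so, and
    "no_action" if the user neither fell for it nor reported it.
    """
    actions = defaultdict(set)
    department_of = {}
    for user, department, action in events:
        actions[user].add(action)
        department_of[user] = department

    results = {}
    for user, acts in actions.items():
        if acts & FAIL_ACTIONS:
            outcome = "fail"
        elif "reported" in acts:
            outcome = "pass"
        else:
            outcome = "no_action"
        results[user] = (department_of[user], outcome)
    return results


def department_rates(results):
    """Per-department fail (click) and pass (report) rates over all users who received the email."""
    totals = defaultdict(lambda: {"users": 0, "fail": 0, "pass": 0})
    for department, outcome in results.values():
        totals[department]["users"] += 1
        if outcome in ("fail", "pass"):
            totals[department][outcome] += 1
    return {
        dept: {
            "users": t["users"],
            "fail_rate": t["fail"] / t["users"],
            "pass_rate": t["pass"] / t["users"],
        }
        for dept, t in totals.items()
    }


def follow_up(results, events=SAMPLE_EVENTS):
    """Split users into (mandatory training, acknowledge/reward, reported after failing)."""
    training = sorted(u for u, (_, o) in results.items() if o == "fail")
    acknowledge = sorted(u for u, (_, o) in results.items() if o == "pass")
    reporters = {u for u, _, a in events if a == "reported"}
    late_reporters = sorted(u for u in training if u in reporters)
    return training, acknowledge, late_reporters


if __name__ == "__main__":
    scored = score_users(SAMPLE_EVENTS)
    for dept, rates in department_rates(scored).items():
        print(f"{dept}: fail {rates['fail_rate']:.0%}, report {rates['pass_rate']:.0%}")
    train, ack, late = follow_up(scored)
    print("mandatory training:", train)
    print("acknowledge:", ack)
    print("reported after failing (worth a thank-you, not a pass):", late)
```

Tracking the report rate alongside the click rate matters: a department whose click rate falls while its report rate stays at zero has learned to ignore the emails, not to escalate them, which is the behavior the escalation process above is meant to build.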
Social engineering is a kind of attack that relies on the human propensity to address crises (the fight-or-flight mechanism), trust, and rote-recall behavior. Phishing is a subset of social engineering but is called out because of its extreme prevalence: it’s the primary mechanism by which ransomware and malware attacks are delivered.
Outside of phishing, a typical social engineering attack may look like a simple password reset: a caller contacts the helpdesk to have a user’s password reset. As with many users, the organization may require additional information to validate the caller’s identity before providing a reset password; the caller’s persistence and urgency drive helpdesk support to reset and hand over the password anyway.
Training staff on social engineering attacks is critical. If the training involves only phishing, it may be missing vital potential areas of compromise, especially in industries reliant on call centers or other similar public-facing infrastructure.
What security awareness training in this space looks like can differ substantially by industry and use case. Unlike more targeted phishing training, social engineering training is much more difficult to automate. This attack relies on a confident person’s skill and ability to defraud relevant staff. Most organizations don’t employ the skill set needed to train effectively in this space.
Yet, this training is critical. Unawareness of how to address a social engineering attack can be an organization’s downfall: any entry into an organization’s technological perimeter can compromise the entire organization.
The Return on Investment for Security Awareness Training
When evaluating the cost of security awareness training solutions—which run in the hundreds of thousands for even influential organizations—it’s critical to balance that cost with the potential return on investment. Information security, believe it or not, is a revenue and not a cost center.
That may be a shocking and controversial statement. But it’s true! Even though an information security office does not actively generate revenue (depending on the industry and organization), it can facilitate revenue in other parts of the organization.
Security awareness training—and other security infrastructure—can promote avant-garde implementation of new technologies. Good information security should enhance and reinforce cutting-edge technologies, resulting in improved operational efficiency, better data modeling, and enhanced analytics, to name a few use cases. Good information security practices mean you can do more with what you have and approach new problems or business use cases with a potentially lower initial investment, better staff utilization through client-based assessments, and significantly lower insurance costs.
Good information security practices are generated through a security awareness and safety culture. Core to that is a solid and robust security awareness program.
Security awareness is a core component of a solid information security posture. A lack of security awareness can completely undermine your investment in information security. Conversely, security awareness can promote your assets by making them more effective. That effectiveness is driven by the promotion of a culture of security. In turn, that culture of security will benefit your clients and ease your burden in responding to your clients’ information security evaluations and cyber insurance requirements. In short, good security awareness saves money and may result in a significant return on investment.