What is Security Awareness Training?
Security awareness training is training for individuals to identify and respond appropriately to information security threats. Of course, if that were it, security awareness training wouldn’t be a rapidly growing multi-billion-dollar industry. This article will cover the human threat landscape, suggestions about what to include in a modern security awareness training program, and tips you can use to improve security awareness training efficacy.
The Human Threat Landscape
Cybercrime is increasing at alarming rates every year. Long gone are the days of the stereotypical late-90s to early-2000s cybercriminals: nerds sitting in their parents’ basements banging away at keyboards. Cybercrime is a multi-trillion-dollar industry, projected to grow to $10.5 trillion in a couple of years. Cybercriminals are sophisticated, highly motivated threat actors, and the most successful are sponsored by nation-states or work in large billion-dollar criminal firms.
Security awareness programs are implemented by businesses to train their employees to combat those firms by encouraging safe and secure use of computers, information, email, and the internet. Businesses are highly incentivized to do so. Numerous types of attacks start with an organization’s most valuable—and most vulnerable—resource: its people. Here are some of the most common cyber threats to individuals and businesses.
“Phishing” is an attack involving a cybercriminal sending emails to individuals en masse with the hopes of catching one of them off guard. “Spearphishing” is a variant of a typical phishing attack where specific individuals are targeted with phishing emails because of their position, wealth, fame, etc.
Phishing attacks commonly manifest in a few different ways:
- An urgent request for information (typically personally identifiable information or banking information) or money
- An email with an attachment that, when opened, deploys malware on the target computer. Most ransomware attacks (cyberattacks that cripple businesses by encrypting information and making it inaccessible without payment) start with an employee succumbing to a phishing email that carries a malicious file.
Phishing and ransomware attacks cost individual businesses millions of dollars annually—approximately $1500 per employee in 2021—with a total cost of many billions of dollars worldwide annually. Those figures don’t account for individual compromise and loss, which is difficult to quantify due to a lack of comprehensive reporting.
Business Email Compromise
Business Email Compromise is a type of attack where a cybercriminal gains control of one company’s email account(s) to get information or money from another company or set of individuals. For example, a cybercriminal may take over emails from a payment processor to redirect payments to themselves.
Through the ordinary course of use, employees or individuals may visit compromised websites and intentionally or unintentionally download malicious content. Malicious content may also be delivered through ads, popups, or other content and automatically downloaded by a computer.
Social Engineering Attacks
Social engineering attacks prey on innate trustfulness and helpfulness to have someone provide information, money, or goods. Phishing and Business Email Compromise attacks can be considered a type of social engineering attack. Social engineering attacks have a variety of flavors and are characterized by a cybercriminal leveraging a trust relationship to perform an attack.
General Illegal or Unsafe Use
Some content is entirely illegal to create, distribute and download. Other content may not be illegal, but the modality of acquisition may be illegal (e.g., peer-to-peer sharing of copyrighted content). Additionally, that content may contain malicious code (e.g., malware). This content may create liability for the person doing the activity and the business they work for if done on a corporate network.
What Should a Modern Security Awareness Training Program Cover?
A modern security awareness training program should provide, in plain language, an understanding of:
- Why cybersecurity protections are in place
- How to spot threats
- How to leverage cybersecurity protections
By covering those topics, individuals are not only informed that they ought not to do certain things. They’re told how critical their role in information security is and how to defend against cyberattacks effectively.
Building individual participation is key to defending against cyberattacks. Businesses are operated by people, all of whom are susceptible to compromise. Cybercriminals typically pursue the most effective modalities for compromise; they only make money if they conduct a successful cyberattack. The rise in human-focused modalities of compromise demonstrates the overall efficacy of human compromise. Building individual participation, and emphasizing how critical that participation is, makes people feel more personally invested in cybersecurity.
The key to building that individual participation is informing people why cybersecurity protections are in place. There are typically two primary areas of focus on the “why” of cybersecurity:
- What cybersecurity threats exist?
- What are the consequences of a successful attack?
An overview of the different cyberattack modalities is critical to building a foundation for the training—what an organization is defending against—and provides a solid background for spotting and avoiding those threats.
There may be threats not covered in training. That’s OK. No one has an exhaustive list of cyberattack modalities. Frankly, the threat landscape develops and shifts quickly enough that it may be impossible to have one single canonical list of threats.
Additionally, providing a comprehensive list of threats will be an information overload for individuals taking the training. No one really needs to know about esoteric cyberattack modalities that might succeed one time in a million, and then only at organizations that are completely unprepared for a cyberattack (which would be a feat in a world where basic cybersecurity safeguards are built into operating systems and provided by internet service providers by default). Security awareness training that focuses on the top five threats in a relevant industry will go a long way in upgrading an organization’s security posture.
The consequences of a successful attack should cite financial and reputational damage. According to IBM, the average cost of a data breach is $4.35 million. Organizations may have hundreds, thousands, or millions of records containing their customers’ most sensitive information. Livelihoods and reputations can be destroyed because of data breaches, and there are too many examples of precisely that happening through identity theft. Setting an expectation that all employees are personally responsible for the safety of that data establishes a clear and serious sense of responsibility.
The flip side of that, then, is empowering individuals to identify and avoid threats. The best way to identify threats is to know how they operate. Provide examples of phishing emails, let people know that malicious websites exist, and inform the reader what general safeguards exist at the organization. Some examples of safeguard exposure may include:
- Are browser sessions sandboxed?
- Is there a way to encrypt email?
- Are there general obligations for the safe handling of information?
Training that provides essential security information without fundamentally compromising organizational safeguards is critical to people recognizing an attack and hopefully stopping it before it impacts themselves or the organization.
Once safeguards are identified, let people know how to use them:
- Is there a way to report phishing emails?
- How does someone inform information security or IT staff of odd computer performance issues?
- Can people reset their password on their own, or do they need to call IT support?
It’s also a good idea to define and encourage folks to use administrative safety tools. One of the most effective, which I’m sure everyone’s heard by now, is: “if you see something, say something.” Other safety tools may provide steps for incident escalation: identify, triage, report, and respond. The sooner the staff closest to the start of a cyberattack know what to do and how to do it, the more effective and rapid the response.
How can you improve a security awareness program?
The training program described above outlines general training principles. There are numerous ways to make those principles stick better and improve responsiveness and outcomes. This is by no means an exhaustive list, but here are some ways to improve the effectiveness of a security program:
Don’t be bashful about communicating
The best way to get a message out is to get the news out. Repetition is your friend. It’s great to have annual security awareness training. It’s even better to make that training more regular. Keeping messaging fresh while repeating core principles will also help solidify good cybersecurity awareness. Send out a newsletter or an email, publish an internal blog, put up posters, run brown-bag lunches, talk to organizational leaders about cybersecurity messaging to staff, etc. Anything you can do to get the word out will go a long way toward informing people about cybersecurity and help build a culture of safe behavior.
Don’t worry about overcommunicating
The great thing about a shifting cybersecurity threat landscape and media sensationalism of high-profile cyberattacks is that every attack is different. At the same time, the impact remains the same: businesses lose money, and people’s lives are made more complicated. Given the volume of attacks, it’s convenient to use those to reinforce the message that cybersecurity is everyone’s responsibility and anyone can be impacted. It’s very difficult to become desensitized to something personally relevant and over which someone has personal responsibility.
Train, Train, Train
The key to a truly successful cybersecurity awareness training program is constant drilling on incident management and business continuity processes. No matter how many training materials are distributed, how much cyber safety is communicated, or how deep the organization’s defense-in-depth is, succumbing to a cyberattack is a matter of “when” and not “if.”
Against that backdrop, organizations must ensure that the first time they’re testing their incident response and disaster recovery processes isn’t during a frantically high-pressure situation like an active cyberattack. The cost of downtime and reputational impact is too significant not to prepare for the eventuality of an attack.
Organizations are generally recommended to conduct at least one cybersecurity incident tabletop annually. The focus of that tabletop should be incident response, communication, and disaster recovery. Key questions to ask during that exercise may include:
- What do our processes look like?
- Are key stakeholders aware of the processes required in security awareness training?
- What’s the path of escalation within the organization?
- Who makes the decision to pay a ransom?
- Who makes the decision to disable infrastructure to isolate the spread of an attack and purge the malicious code?
- What federal, state, and internal reporting requirements are there?
- How are you communicating internally?
- How do you communicate with the public at large?
- What does business continuity and attack recovery look like?
- What services can be provided during an attack? What cannot?
Ideally, an organization is testing subsets of those processes with parts of the organization more frequently than annually. Better still, those tabletop exercises are paired with a risk management program that helps guide activities based on areas of significant risk.
Conclusion and Key Takeaways
If there’s one thing you take away from this, it’s that solid security awareness training stops cyberattacks. If there are two things you take away from this, it’s that cyberattacks are expensive and potentially catastrophic, and there isn’t such a thing as “too much preparation.” Cybercriminals are highly incentivized to steal from individuals and businesses—the stakes are trillions of dollars worldwide. The best defense is knowledge: if employees know what to look for, they can stop a cyberattack before it starts.