Why Security Awareness Training Matters
Introduction
The past seven years have seen a dramatic upheaval in information security. The volume of malware attacks worldwide jumped from the millions to the tens of billions. Small, disjointed threat actors banded together to create ransomware and Ransomware as a Service (RaaS) firms which are highly organized and highly profitable, driving a multi-trillion-dollar global cybercrime industry. Businesses can—and do—spend hundreds of thousands to millions of dollars on infrastructure and services to thwart cyberattacks. If not paired with an effective cybersecurity awareness training program, that spending may amount to nothing more than security theater.
What does training accomplish?
In the broadest sense, training is an effort to impart knowledge to drive change. In the corporate world, staff may sometimes feel inundated with training: HR training to motivate appropriate behavior in the workplace, professional training to improve skills, compliance training to drive appropriate behavior with internal requirements, and other training.
Managers and senior leadership may also feel lost in the haze of training they must take, create, review, and enforce. Training overload and burnout are real concerns in the corporate environment, and everyone is susceptible to that burnout.
Information security awareness training can often seem like just another screwdriver in the toolbox—you bought it for a reason, and there was a specific need. Still, you can’t remember what that was. Now, it just languishes alongside all the other training that feels the same.
Security training vendors aren’t doing any favors in this space. There’s a panoply of vendors selling security training for all facets of information security, each billing theirs as the most essential and critical training for an organization.
What really matters?
Cyberattacks are at an all-time high. The size and scope of the threat landscape are only growing and are projected to grow ten- to twenty-fold over the next three years.
The tangible impact of that growth on business is significant. All cybercriminals are looking for ingress into an organization’s finances. There are multiple ways to access that:
- Supply chain fraud – someone sends fraudulent bills or invoices to many organizations with the hopes that some will pay
- Business email compromise of a supplier or client – a vendor or client is hacked, and their email is controlled by a cybercriminal who uses that trust relationship to redirect funds, deliveries, etc.
- Phishing emails to deploy ransomware and/or malware – a malicious payload is sent to an organization to take control of internal resources, encrypt data, abscond with data, and leverage the nefarious work for ransom or use account credentials to steal data and money
- Social engineering attacks to con someone at a helpdesk – someone calls in to gain information about an organization’s operation and access critical resources.
- The list goes on.
Those attack modalities have a common thread: they all rely on deception to con an employee to achieve a goal. Empirical research backs that: as of 2018, the primary attack modality was some fraudulent email, typically a phishing email.
Threat actors look for the entry point of least resistance. Organizations spend hundreds of thousands of dollars bolstering their defenses and building early detection systems inside and out, yet humans remain the weakest point of entry into an organization. For organizations, their staff is the point of least resistance.
What are the Consequences?
$4.35 million, on average. IBM quotes that amount as the average cost of a data breach worldwide in its 17th Cost of a Data Breach Report published in mid-2022. IBM also notes the impact of the threat of staff compromise, with credential theft/compromise and phishing emails being the top attack vectors in 2022.
Depending on an organization’s industry and services, there are more significant consequences than financial costs. Some organizations may suffer considerable reputational harm—and consequent business loss—due to a security incident.
Other organizations may hold some of the most sensitive data that people have: information about their financial livelihood, healthcare records, and irreplaceable personal information. A breach of that information may be catastrophic to the organization’s clients and ruin their lives and livelihoods.
Why Should Security Awareness Training Matter?
Security awareness training matters because it makes an organization more resilient against attack. Furthermore, it plugs a significant gap common to all corporate environments: human elements of compromise.
Just purchasing and deploying training isn’t enough, though. Like effective expenditures in other information security domains, training needs to address critical areas of vulnerability and be tailored to your organizational needs.
Addressing critical areas of vulnerability is relatively straightforward: there’s a wealth of information available through reputable studies highlighting how threat actors use human vulnerabilities to breach a corporate network. Security vendors specializing in training provide vast swaths of training ranging from phishing to secure coding, architecture, firewall management, etc. If you can imagine it, there’s probably a training module somewhere.
What is much less straightforward is tailoring that training to organizational needs. Some of those decisions are obvious. For example, an organization that primarily uses Software as a Service (SaaS) products isn’t likely to meaningfully benefit from intensive secure coding training. On the other end of the spectrum, all organizations benefit from phishing training, given phishing’s prominence as an attack vector.
Where organizations really need to work is the middle ground: the areas that are materially impactful to an organization’s security posture and can help mitigate serious threats. Identifying those threats requires a great deal of effort: evaluation of technical, administrative, and physical risks to identify areas of critical need. That can involve internal and third-party risk assessments, security telemetry monitoring, and evaluation of other data sources for a chance. Organizations are well served by evaluating risk, identifying risk criticality, and patching that risk through mitigation and remediation, including training.
To clarify: I’m not suggesting creating a compliance and risk management program to facilitate training. I suggest creating a compliance and risk management program because it’s the bare minimum to secure your organization from increasingly motivated and sophisticated cyber threats. I’m also suggesting using that infrastructure and program to inform your training activities, which should be part of that overarching domain. Training should be part and parcel of your risk management function, highlighting critical facets of your security posture to your clients.
Why Should Security Awareness Training Matter To Your Clients?
Throughout this article, we’ve been building to the titular question: why does training matter to your clients? There’s a reason for that: this article has been outlining the criticality of information security training, what it should mean to your organization, and why information security training is differentiated from many other forms of training.
Let’s recap:
- Training drives beneficial procedural and behavioral change.
- The prevalence and sophistication of information security risks are rising sharply with no signs of abatement.
- The consequences are extreme and expensive.
- Security awareness training drives beneficial change in your organization to mitigate risks and avoid the consequences of those risks.
That recap should also reveal why your clients should care about security awareness training. Your clients entrust you with their information to provide goods and services. In many industries, they entrust their lives and livelihoods to you. There is no quicker way to erode trust than a breach of that trust by exposing their information to the world. Exposure directly impacts their lives and livelihoods for the worse.
The converse also holds true: there is no better way to build trust than highlighting how you secure their most sensitive and precious information. If your clients know that you provide your staff with information security training, they are confident you’ll maintain their data safely. Even better: if your clients know that you’re engaging in a risk-based approach to information security training, it demonstrates that you’re protecting their information to a high degree and with sophistication. You’re signaling that you have a whole program focused on data maintenance and management informing your training program—and likely other compliance activities.
How Do You Let Your Clients Know About Your Training Program?
You can let your clients know about your training program in numerous ways. Depending on who your clients are, they may request that information from you as part of the procurement and contracting process.
Many large corporate or institutional organizations implement Third Party Risk Management (TPRM) evaluation programs. A TPRM program is focused on identifying third-party risk. Typically, those programs involve perimeter scans of a service provider’s public-facing environment, a service provider’s reported data breach history, and evaluations of a service provider’s security controls. A modern and sophisticated information security threat training program is included in that security controls evaluation.
Corporations and other institutional organizations may also insist on the existence of a training program via contract and require regular elaboration on the details of that program. Business and cyber insurance providers fall into this group. Insurers, faced mainly with increasing costs due to organizations failing to implement industry-standard information security controls, require organizations to demonstrate their compliance to maintain coverage or receive a payout in the event of a catastrophic cyberattack.
Communication about your training might be more difficult if your clientele is mainly individuals. Most consumers understand a data breach and its impacts on their data. Most consumers don’t understand the importance of a solid risk-targeted training program. It is essential to emphasize, in plain language, the controls you’ve implemented and the safety benefits they bring to the table.
Here are some recommendations for how to communicate aspects of your security program:
- Emphasize integrity and how that impacts your clients
- Discuss your safety-oriented culture
- Highlight your focus on staff development and customer service
This is a partial list, and creativity in this space will help!
This communication also turns your cybersecurity program from a cost center into a revenue center. By flipping the script from cybersecurity as insurance to cybersecurity as a business enabling and supporting function, you can show your clients how you respect their data and take their data custody concerns seriously. You may find that you’ll draw security-conscious clients and recoup some of your investment in cybersecurity.
Conclusion
Information security awareness training is a crucial component of any risk management program. It helps inform your staff about what to do, when, and how to defend your organization from costly cyberattacks. Security awareness training is best paired with a robust risk management program that focuses training on specific gaps or vulnerabilities in organizational controls. Your training program is critical to clients because of what it represents, which is a robust and sophisticated approach to information security risks and data management. Making sure you’re communicating that in the right way to the right audiences is a must if you want to further capitalize on your cybersecurity defense efforts.