Security Awareness Training – are organisations doing enough?

Security awareness training is a vital way to prepare employees for the threats that surround them. After all, your employees are your cyber security team’s first line of defense. The strength of your cyber security program depends on the security awareness your employees possess. To establish a security-aware culture, you need an ongoing commitment from everyone: managers, every department, and every person in your organisation. Put simply, everyone needs to be on board, aware of what is going on, and supportive of the effort. An effective security awareness training program is built on regular training sessions, not a single quarterly email about phishing. The key benefit of security awareness training is that it equips employees with the knowledge they need to combat these threats. Continue reading to find out whether your organisation is doing enough with its security awareness training program.


What is Security Awareness Training?

Security awareness training is a strategy used by IT and security professionals to reduce risk. These programs help users and employees understand the role they play in preventing information security breaches. Effective security awareness training helps employees understand proper cyber hygiene and the security risks associated with their actions, and teaches them to identify actual or potential threats and vulnerabilities. Training is also designed to decrease the likelihood of a data compromise.

Security awareness training is extremely beneficial to all employees, at every level of the organisation. When employees receive security awareness training they are better able to identify when an attack is taking place and respond rapidly. They can also alert others who may have witnessed a cyber attack.

Employees cannot be expected to know on their own what risks exist or how to respond to them. They need to be taught what their employer considers safe or acceptable, what clues indicate a threat, and how to report suspicious activity so that it can be addressed.

The State of Security Awareness

With many people likely to continue working remotely in 2021, Ronan Lavelle, CEO at Elasticito, believes it is inevitable that cyber attackers will be targeting consumer-grade home networking vulnerabilities. “Vulnerability exploitation such as this will negatively impact organisations that have not yet adapted their network security posture to align with the new worldwide hybrid work scenario”, says Lavelle. “Security awareness is bound to become an important topic in 2021, with organisations focused on strengthening the human element of their cyber risk programs”.

Security awareness training is vital because of the ever-changing nature of cyber threats. What’s more, employees may unwittingly let attackers in via vulnerable work environments and personal devices. Attackers know that people are often the weakest point, and they target them to make their exploits succeed.

According to the SANS 2021 Security Awareness Report, over 75% of security awareness professionals spend less than half their time on security awareness, implying that awareness is too often less than a full-fledged effort. The same report notes that most program leads have technical backgrounds, and that their lack of soft skills, such as communications and marketing, continues to limit organisations’ ability to effectively engage their workforce. In other words, security awareness responsibilities are very commonly assigned to highly technical staff who may lack the skills needed to engage their workforce in simple-to-understand terms.

OneDrive Phishing Email – Image via Vade

Creating a Culture of Security Awareness

The COVID-19 pandemic has forced organisations to change the way their employees work, communicate and share information. This has put an enhanced emphasis on providing employees with a cyber secure and aware remote working and learning environment. Cyber security best practices need not stop when employees are working remotely or in a virtual space.

Organisations can do a lot to keep themselves protected, but first they need to understand the risks they face. The best protection comes from a combination of sound cyber security policies and protective technology. Everyone should know how to spot scams and what to avoid; this security awareness is the cornerstone of staying safe.

In many organisations, security awareness training is an afterthought rather than a key business initiative. Too often, organisational leaders relinquish control before improvements are made, effectively sacrificing security in the name of efficiency. Without strong leadership and the right personnel in place, implementing a comprehensive cyber security strategy simply isn’t possible.

The idea that organisations need to change their corporate cultures to genuinely make security awareness part of their profit and loss statements might seem too Pollyanna for some. It is an admirable goal, but it doesn’t have to be achieved in one leap; what it does require is slow and steady change. It’s better to take smaller steps toward gradual change than to do nothing and fall victim to cyber crime. Organisations need to offer continuing cyber security awareness training so employees remain vigilant. A top priority is the ability to identify social engineering attacks such as phishing, phone scams, and impersonation calls.

The right training must then be delivered to the right people, based on their role and the kinds of data and access they will be exposed to in performing their work. To make it meaningful, provide real-world examples and stories, such as those found in the annual Verizon Data Breach Investigations Report (DBIR), that are relevant and relatable to their work experience. Training that presents scenarios employees will encounter in their workday and home life makes the lessons real rather than just a list of rules to follow. This approach builds critical thinking skills and teaches employees how to reason about a risk, not simply “do this, don’t do that”.

When security leaders set realistic goals and are willing to experiment with new training methods when traditional approaches fail, a culture of cyber awareness is entirely attainable.

Fortunately, employees can take online security training at home just as easily as they can in an office. Some of the best training online is available through the SANS Institute, a trusted source for cyber security certification and research.


Example of Phishing Email with Malware – Image via Vade

Security Awareness Training – are organisations doing enough?

There is no doubt that organisational security awareness has risen substantially over the past several years. However, having a security awareness program is one thing; effectively running such a program is another.

Cyber criminals have figured out how to manipulate human nature to coerce employees into doing their bidding. It is time for security leaders to better understand the human element of cyber security and use these insights to protect their organisation from cyber attacks and increase employee productivity.

Whether you’re just starting your journey toward establishing a security awareness initiative or looking to upgrade an existing program, the Elasticito team is here to assist – contact us here.