Does security awareness training really matter, or is it a frill? Consider this: Last week, DefensePoint Security, a Virginia-based government cybersecurity contractor, announced its employees’ W-2 tax data had been compromised. But the company wasn’t hacked. It turns out that someone inside the company fell victim to one of the oldest cybersecurity ruses, the phishing email.
Phishing has also fueled the rise of the Ransomware as a Service (RaaS) platform, with thousands of businesses facing the decision whether “to pay or not to pay,” thanks to an unwary employee—even a CEO—getting caught in the phisher’s net.
If it can happen to a cybersecurity company, it can happen to yours. Since the weakest link in information security is almost always the human link, the best defense against attack is a security-aware culture that permeates the entire organization. Security awareness training is the key to creating that culture, and to spreading the security team’s culture outward to every member of the organization.
Making Security Awareness Training a Financial Priority
Most companies struggle with aligning the stated priority of training with their willingness to spend money on it. In our recent 2016/2017 Security and Risk Management Benchmark and Maturity Model, we found that "employee awareness and insider threat" is the second-most-critical challenge cited by participants, with 29.4% citing it.
Yet when it comes to what firms are actually spending money on, security training ranks a distant fifth, with just 11% citing it as a budgeting priority, after analytics, threat detection and intelligence, monitoring, and endpoint security.
This misalignment is a big part of the reason that cases like DefensePoint's still occur. Even sophisticated companies can pay lip service to training while failing to invest in it.
"You have to recognize that employees are the first line of protection," says Marie White, CEO, president, and founder of Security Mentor, a security awareness training provider. And that means, White says, that business executives need to recognize that investing in security awareness training can deliver measurable benefits.
Training Assessment Phase
As with any initiative, establishing a security awareness training program involves five phases: Assess, Plan, Develop, Implement, Follow up. We’ll cover the rest of the phases in an upcoming blog, but for now, the assessment phase is important because it is critical in justifying the training. (If you can't wait, check out our recent research note, Security Awareness Training).
The assessment phase enables the security team to identify the organization’s most pressing security needs, and to document the scope and scale of a proposed training program. To reach the end product of multimedia training “modules,” infosec teams must uncover the areas of greatest need, and agree upon appropriate metrics to measure improvement in security awareness and behavior.
The first step is to interview security principals to uncover:
- A prioritized set of security issues
- Examples of existing challenges
- Appropriate metrics for improvement
Additionally, assess the security needs and awareness levels of all non-IT staff. Some typical topics include:
- Email security: best practices for avoiding phishing and other email attacks
- APT awareness: insight into advanced persistent threats (APTs)
- Password and authentication best practices
- User device protection
These are just a few examples of typical challenges facing employees at most organizations.
Once the infosec team has identified and agreed upon the scope of a proposed training program, the team has a basis for justifying a training budget. Now your team is ready for the next phase, planning.