Security & Awareness Training: The Key to Shifting Security Culture in 2021

Security and awareness trainings are a vital part of protection across all facets of an organization. Employees must be made readily aware via educational efforts of the “do’s and don’t’s” that allow businesses uninterrupted continuation without the threat of malpractice. Such training is applicable to not only cybersecurity, but “physical security and how employees can keep themselves and loved ones secure." To ensure success of training practices, utilizing relevant content will help to keep employees engaged and more likely to adhere to best practices. Content that is murky and dense will lead to boredom and subsequently a loss of attention. Trainings that require active participation or testing prove to be more useful. Additionally, trainings should be held frequently enough to ensure employees remain up to date with security proceedings.

Although the majority of employees are moving away from a traditional office environment, hacktivists and other malicious actors have not given up.

These security and awareness training tips resonate even today, although the landscape of teaching is changing given the world’s current climate. COVID-19 has evolved the way companies work, forcing employees to adapt to a work life that exists within the confines of their homes. As such, security and awareness training practices have evolved to accommodate an employee base that sits scattered around the globe. In the beginnings of the pandemic, over 4,000 malicious COVID-related sites have been strewn across the internet, giving way to exposure and compromise. Not only have these attacks been prominent as of late, but cybersecurity experts have predicted that “a cyber attack incident will occur every 11 seconds in 2021. This is nearly twice the rate in 2019 (every 19 seconds), and four times what it was in 2016 (every 40 seconds)."

Cyber attacks come in many different forms, from ransomware and malware to the most prominent type of attack: spear-phishing. Kaspersky defines spear phishing as “an email or electronic communications scam targeted towards a specific individual, organization or business." Such communications tend to mimic the naming conventions and formatting of a particular organization, lending themselves to familiarity in the eyes of the recipient. This falsified structuring oftentimes leads to vulnerable employees clicking on unsecure links and inputting their information. Additionally, these communications often create a ruse that leads to employees entering sensitive information into a falsified link. For example, some emails might read “Urgent: Your Password Will Expire Today,” prompting unsuspecting employees to compromise their organization via the provisioning of their credentials.

When presented with a world that is increasingly being encroached on by malicious activists, how are organizations, and particularly CISOs, to respond?

Surprisingly enough, the answer lies significantly in security and awareness training programs. Per Security Boulevard, “implementing cybersecurity awareness training amongst employees significantly reduces human error, mitigating up to 90% of cyber risks.” It is evident that providing employees with the tools and know-how to protect themselves against cyber crime allows the same security for the organization as a whole. The question then becomes: How do I, as a CISO, provide my employees with sufficient training and awareness protocols, especially in the face of a global pandemic?

The pandemic has left workers to their own devices, performing day-to-day tasks from their homes without the usual supervision that comes with an in-office environment.

Creativity needs to be a frontrunner for training considerations to allow for a structure that is just as effective as it would be in-person.

As previously mentioned, successful trainings are comprehensive and work to keep employees engaged, especially when they are held remotely. Such trainings may consist of CISOs and other security leaders conducting presentations or workshops to the larger employee population. Using assessments following these workshops provides another resource for employees to test their comprehension of what they learned, as well as to gage which employees may need an additional understanding to fully grasp the covered topics. Assessments can range from end-course exams to an organization’s information security department sending fake phishing links to account for those employees who fall prey to the attack. Furthermore, incident response tools such as a Threat Alert Button “empower the employees to report any suspicious-looking emails immediately”. Such tools, while seemingly minor, provide an ever-existent presence in employee inboxes that keep attacks like phishing top of mind.

While there is no singular route that leads to successful security and awareness training conventions in a time of virtual learning, there are many tips and tricks that CISOs can employ that will allow for productive, all-inclusive strategies. It is important for an organization to adjust with employees to this new environment through transparency and honest communication, opening the doors to the possibilities of triumph within this virtual reality. We are all learning how to navigate this new working world that has presented itself to us, and by using adaptive security and awareness training practices, we are learning how to make this new working world a safer one.

K logix works with security leaders to ensure they gain support from the business and establish a security culture within their organizations. We help CISOs and security leaders gain justification, business knowledge, and technical aptitude to address shifting priorities. We meet you where you are when it comes to security awareness and offer customized training programs that are tailored to your organization and address your business’s specific challenges and needs.

Contact us for more information on how we can work together to strengthen your program. 

Want more? Read our latest Feats of Strength issue, where leading CISOs share how they measure success not only in achievements, but in lessons learned from an unprecedented year.