Security Awareness Training: A High-Value Program

This is the Digital Age. As such, an ever increasing amount of our lives are tied up in electronic communications and storage. Cybercriminals take advantage of any weaknesses they can find to pilfer our electronic “valuables,” disrupt our lives, or promote their favorite causes. For businesses, that can result in severely damaging events, and some companies never recover.


hundred dollar bills USD

The cost of fraud-related cybercrime to U.S. citizens in 2021 was pegged at more than $6.9 billion, according to the data released by the Federal Bureau of Investigation. That figure includes extortion, identity theft, and data breaches, but is by no means comprehensive in capturing all losses resulting from criminal activity. Fortunately, there are security measures organizations can use to mitigate the risks posed by cybercrime. One of the top measures is building a robust security awareness training program.


1.0 Cyber Security Awareness Defined

Humans are always the weakest link in any organization’s security. People forget, make mistakes, or fall victim to manipulation from attackers. Hence the need for security awareness training. This training is the education of employees on the most common and applicable security risks for the organization, as well as how to help reduce those risks. Employees should be taught best practices for keeping networks and data secure—and the consequences to the company and themselves if they do not. This includes consequences like losing one’s job, criminal penalties, and/or irreparable harm to the company.


Staff well trained in cyber security pose less of a risk to the overall security of an organization. The business will face fewer financial losses due to cybercrime. Therefore, a company that devotes funds toward security awareness training is likely to avoid unnecessary losses in the same manner as a company that invests in training to reduce quality control issues.


Additionally, organizations having security-aware personnel tend to have a better reputation with consumers. An organization that experiences a large—or repeated—security breaches is less likely to be trusted with customers’ business.


2.0 What Security Standards Require This Training?

The following common security standards require regular security awareness training, with the levels of rigor specified at right for each standard.

Requirements American Institute of Certified Public Accountants AICPA Service Organization Control SOC 2 Communicates Information to Improve Security Knowledge and Awareness International Organization for Standardization ISO 27001 All Employees of the organization and, where relevant, contractors and third-party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function Payment Card Industry PCI Dats Security Standard DSS Employees Must be provided PCI security awareness training upon hiring and annually thereafter National institute of standards and Technology (NIST) Special Publication 800-53 Provides basic security awareness training to information system users including managers, senior executives and contractor Health Insurance Portability and Accountability Act of 1996 (HIPAA) HITRUST Implement security awareness and training program for all members of it’s workforce

3.0 What Are Security Awareness Best Practices?

Security focuses generally take the form of a number of main categories, including:

1. Social engineering (i.e., scamming/phishing) awareness

2. Identification and authentication safety

3. Safe Internet use

4. Media protection

5. Mobile and remote work safety

6. Incident response

7. Privacy and compliance


Some top security awareness practices include:

  • Customization - Different nations, states, and even cities can have different laws and regulations. Employee ignorance of the law is not an adequate defense.

  • Leadership Participation- Anyone not participating in the security training constitutes a possible weak link. Leadership team members typically have access permissions to do the most damage if their accounts or systems are compromised.

  • Establish Baselines-

  • Anti-phishing/social engineering tactics - Employees should be suspicious of emails from unrecognizable sources—and all emails containing links or attachments. The same goes for phone calls, mail, in-person, or other attempts to convince employees to circumvent security or disclose sensitive information.

  • Password practices – Explain why minimum password lengths and complexity requirements are important, and the benefits of using multi-factor authentication (MFA), among other password-centric topics.

  • Physical security – All the digital security a company can buy is easily compromised if malicious individuals have physical access to critical components or interfaces.

  • Measure Success – Leadership, from middle to senior management, needs to be involved in monitoring and measuring security awareness training effectiveness. One highly beneficial component of a security program is to track improvements in scoring over time. Leadership should address occurrences of downward trending scores.

This is an example of PCI Fraud
  • Aim for Engaging and Entertaining training – A dull training session is a surefire way to lose employee interest and reduce comprehension. The use of (appropriate) humor and/or security-related anecdotes are great ways to keep the students engaged.

  • Reinforce Important Messages – Use repetition, within reason, to drive home points of highest importance for your organization. People need to have such information repeated within training and through experiencing a well-designed frequency of training.

  • Support and Motivate – A culture of positivity and support for important endeavors is a better way to bring about change than focusing on punitive and competitive programs.


4.0 How Often Should Security Awareness Training Occur?

Security awareness training should be viewed as a continuous process: a series of programs where there is constant visibility across all roles in an organization. Frequency is generally best determined and handled at the department level, but if that is not possible then an organization would do well to base timing on the personnel with the greatest needs.


5.0 How to Implement Security Awareness Training

Various professionally crafted training programs are available from vendors, oftentimes through Human Resources solution service providers. Alternatively, training programs can start with the basics being covered by knowledgeable personnel, if they are given enough resources and leadership support to build a customized program. Either way, it helps a great deal if the training program is one component of an overarching, well-designed organization security program—which can include technical security solutions, security policies, monitoring by experts, and other necessary components.

webcheck aware logo

Webcheck Aware, powered by HacWare, is one such program. Customized phishing(or scam) e-mails can be adjusted to fit any organization's needs. The frequency of emails and trainings are also customizable, allowing for an easy “set it and forget it” program. Trainings are short and engaging. A sleek dashboard gives a look into employee's risky behaviors and the organizations metrics. If your organization is looking to implement security awareness training: click here to learn more!

The risky behaviors listed on the dashboard shows behaviors that cyber-criminals could exploit during a phishing attack
Webcheck Aware Dashboard

A virtual Chief Information Security Officer (vCISO), sometimes referred to as a Fractional Information Security Officer (FISO), can help any organization design and manage a successful security program—with security awareness training operating under the vCISO’s guidance. Webcheck Security maintains a cadre of highly experienced and professional vCISOs that can help you meet your security objectives. Contact Webcheck today to discuss your options and to increase your security program’s success.

17 views0 comments