What you keep getting wrong about security awareness training
Consistency trumps intensity.
Yet old-school approaches to security awareness training focus on intensity.
Or to put it another way: when a regulatory or compliance deadline is on the horizon, security teams prioritize training for a while. Job done, box ticked.
Outside of these times, you won’t see much of a push for training. And you won’t see people getting anywhere near enough support.
Let’s imagine a couple, I’ll call them Emily and Tom. Emily brushes her teeth for 30 minutes straight every Sunday. She uses every fancy tool and complex technique recommended by her top-notch dentist.
Tom, on the other hand, brushes his teeth twice a day for two minutes, using a simple toothbrush and toothpaste, followed by a little flossing.
Who do you think has better oral hygiene?
Yep. We all know it’s Tom.
Sure, Emily’s intense brushing sessions may give her smile a temporary boost. But Tom’s secret weapon is a daily routine. Emphasis on “daily”.
And, just like brushing our teeth, consistent training is the more effective way to manage human cyber risk. Not least because a consistent approach is better at producing lasting behavior change. And behavior change is what you should be measuring.
But why exactly is consistency so important in security awareness training? And how can you shift your organization’s focus from intensity to consistency to make a real difference in your risk profile? Let’s break it down.
People are unpredictable. So isn’t consistent training a waste of time?
Attacks are getting more sophisticated, and inevitably people fall for phishing scams, accidentally download malware, or use weak passwords.
But the thing about people is they can be brilliant at recognizing and responding to cyber threats. Especially when they have a good security team behind them.
The kind of security team that delivers the right interventions.
Consistent training is one such intervention. It teaches people how to spot and react to cyber threats. And it provides practical guidance and support to help people apply their knowledge in practice. In fact, let’s take a look at that next . . .
Theoretical knowledge vs applied knowledge
One of the challenges of traditional security awareness training is that it's prone to tunnel vision. It zooms in on theoretical knowledge and ignores applied knowledge.
So, people may be taught about the importance of strong passwords, for example, but not how to create and manage one in practice: pick a long passphrase rather than a short "complex" string, never reuse it across accounts, and let a password manager generate and remember the rest.
To overcome this challenge, training programs should focus on targeted interventions. That's how you help people apply their knowledge in practice.
So, instead of dragging people into deep dives on specific topics, your programs should help people bob along merrily with practical guidance and support at the moment they need it.
Phishing simulations and social engineering
You don't need me to tell you that phishing and social engineering are two of the most common cybersecurity threats out there.
Phishing typically uses fraudulent emails (and, increasingly, texts and calls) to trick people into clicking a malicious link, opening a malware-laden attachment or handing over their credentials. It is one form of social engineering: the broader use of psychological manipulation to get people to reveal sensitive information or take an unsafe action.
But the trick is making sure everyone in your organization understands that too, and knows what to do about it.
It stands to reason, then, that your security awareness training program should include phishing simulations and social engineering awareness training.
People have a huge part to play in recognizing and responding to these all-too-common threats, and they need to stay alert to that role every day, not just on training day.
It's not enough to remind people once a year that phishing is a threat. They need regular practice so they don't fall for the fraudulent link. They need your help to take a step back and think when an email makes them feel like they just have to click through or reply right now.
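One of the practical habits training should leave people with is a simple question: does the link I can see go where it says it goes? The script below is an added example, not code from the original post, that turns that habit into a check you can run over an HTML email. It flags links whose visible text names one host while the href points to another, internationalised (punycode) hostnames, and destinations outside the organisation's own domains. The TRUSTED_DOMAINS set and the sample message are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the (hypothetical) organisation actually sends from. Assumed for the example.
TRUSTED_DOMAINS = {"example.com", "mail.example.com"}

# Constructed sample: a classic "mailbox full" lure. The first link shows a
# trusted-looking URL but really points at an attacker-controlled host.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Sign in to keep receiving messages:</p>
<a href="https://mail.example.com.account-verify.net/login">https://mail.example.com/login</a>
<p>Or use the help centre: <a href="https://help.example.com/">Help centre</a></p>
<p>Unsubscribe: <a href="http://xn--exmple-cua.com/u">here</a></p>
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or "" if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    """True only if host is a trusted domain or a subdomain of one.

    A naive substring test ("example.com" in host) would be fooled by
    hosts like mail.example.com.account-verify.net; suffix matching is not.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only collect text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body: str) -> list:
    """Return (href, reason) findings for every suspicious link in html_body."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        # If the visible text looks like a URL, compare its host with the real one.
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != host:
            findings.append((href, f"visible link says {shown} but points to {host}"))
        elif any(label.startswith("xn--") for label in host.split(".")):
            findings.append((href, "internationalised (punycode) hostname"))
        elif not is_trusted(host):
            findings.append((href, f"untrusted destination {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

Run as-is it reports the first and third links and stays quiet about the genuine help-centre link. The same suffix-matching rule in is_trusted is what people need to apply by eye: read the hostname from the right, not the left.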
Training frequency and program length
But how often should security awareness training be conducted? And how long should training programs be?
Well, it depends.
I know, I know—that answer sounds like such a cop-out, doesn’t it?
But it really does depend on a variety of factors. Take, for instance, the size and complexity of your organization, the level of risk associated with your data and systems, and the compliance requirements you have to meet.
However, one thing’s for certain: Programs should be conducted on a regular basis throughout the year. After all, how else can you ensure people are consistently engaged? There is no shortcut for instilling cybersecurity best practices. A training program needs to be as much a part of the organization as the furniture.
And one more thing—shorter modules are generally more effective than longer ones. This is because they’re less likely to bring on information overload. Smaller chunks of information are easier to swallow, so you’re more likely to keep people engaged that way.
Tips for implementing consistent security awareness training
So, you want to be more consistent. Good. That means you’re going to need a comprehensive approach that involves a range of strategies and tactics.
Here are tips for how to do just that:
1. Prioritize to protect: Everyone on your team, and everyone in a senior leadership role, needs to recognize the importance of training. It has to be a key component of your cybersecurity strategy.
2. Hands-on helper: Training programs should focus on providing practical tips to help people apply their knowledge. Theory on its own is useless.
3. Baiters gonna bait: Use phishing simulations, and make people aware of how criminals use social engineering to manipulate victims. That way, people will appreciate just how much of an attack is psychological manipulation, and how to spot it.
4. Training that never sleeps: Sprinkle your training throughout the year rather than just during specific periods. Cyber attacks happen year round, so your security efforts need to follow suit.
5. Short, sweet, and secure: Snappy, to-the-point programs are hands-down more effective than longer programs. They’re way less likely to overwhelm people with information. Plus, little chunks of training go down more easily.
6. One step ahead: Cybercriminals don’t rest on their laurels—they’re always looking for ways to make their attacks stronger and to get around new defenses. So, if you’re not regularly evaluating and improving your training program, you’re not giving people a fair chance.
Time to take charge and get with the program
Let’s bring it all together, then.
People weren’t born with pro-security behaviors built in. If they were, we’d all be out of a job.
Behavior change is always going to be part of the cybersecurity challenge.
And consistent security awareness training is essential in promoting that all-important behavior change and improving your organization’s overall security posture.
The organizations best placed to defend against cyber threats are those that:
Prioritize consistent SA&T
Implement targeted interventions
Run phishing simulations and social engineering awareness training, and support the people who fall for them
That is how you harness consistency to empower people. And that’s how people become a more resilient and formidable force to be reckoned with.
Maybe you’re well on your way to a world-class security awareness training program, or maybe you’re just getting started.