Security Awareness Training is a very important and effective way to protect companies and their employees from social engineering and phishing attacks.
What is Security Awareness Training?
Hook Security defines it as an education program that teaches employees about security and phishing while creating best practices and good habits.
Psychological Security Awareness Training takes that approach a step further by focusing on the way we train the brain. PsySec uses neuroscience, humor, repetition, and a non-punitive approach to train the part of the brain that houses threat recognition and response.
So - Why is security awareness training important?
Security Awareness Training Reduces the Risk of Breaches and Cyber Attacks.
Over 90% of cyber attacks include some sort of phishing or social engineering element. It shouldn't be a shock that reducing the risk of phishing attacks reduces the risk of a breach.
Employees receive phishing emails every day. And while most security tools do a great job of filtering out most phishing emails, hackers are changing their tactics every day, and some phishing emails ultimately land in an employee’s inbox.
And the phishing attack is just the beginning.
Phishing is the attack vector the hacker uses to get access to a company’s system. Once an attacker has access, that’s where they do their damage. Some examples of cyber attacks include malware, ransomware, business email compromise (BEC), and more.
Security Awareness Training aims to resolve this by directly focusing on humans and creating habits.
It’s one thing to simply warn employees of the dangers of phishing, but if you can properly create habits and reach the primitive part of the brain that controls threat recognition and response, that’s where you really start to see a reduction in phishing email clicks.
Security Awareness Training Creates a Positive Security Culture
Security awareness training, when properly executed, contributes to your company’s security culture, and ultimately your overall company culture.
First, you should understand that culture is not something you can command, direct, or mandate. Culture is not a policy. Policy is what employees are told to do. Culture is how they actually behave.
How do you influence culture?
At Hook Security we say there are four main things you can do to contribute to a healthy security culture:
- Train Everyone - Culture comes from the top down. If top-level employees aren’t being trained, or see themselves as “above training”, it completely dilutes its importance and other employees will not take security seriously.
- Expect Mistakes - They are inevitable. How you react to them is everything. When you roll out security awareness training to employees, you will see people click. But that’s okay. The goal is to reduce risk. It’s virtually impossible to eliminate the risk of phishing attacks. Just be glad the phishing email they clicked on was a phishing test, and not the real thing.
- Set Goals - Encourage your employees and track progress. If you’re creating a healthy, positive culture around cybersecurity, employees will want to know how they’re doing. Encourage them by letting them know when they pass or fail phishing tests.
- Don’t Punish Mistakes - This is the number one pitfall of many companies trying to have a security awareness program. If you truly want to have a positive security culture, treat mistakes as an opportunity for growth. After all, would you report a phishing email if you thought you could be fired?
By offering security awareness training to your employees and following these guidelines, you will attain a positive security-aware culture that is FAR more effective than using fear, uncertainty, and doubt.
Security Awareness Training Helps with Compliance
Compliance is a nice by-product of security awareness training, but to do it successfully, you shouldn’t make compliance the reason for offering training. This approach can lead to poor performance and results.
However, more and more industries, regulators, and compliance programs are starting to include a security awareness program among their requirements.
Some compliance regulations that already require security awareness training include:
- PCI DSS
- ISO/IEC 27001 and 27002
- Many State privacy laws
If these areas of compliance affect your company or companies you offer IT services to, you should offer security awareness training for compliance.
Security Awareness Training Helps Avoid Downtime
Similar to point number one above, security awareness training significantly reduces your risk of company downtime, for two reasons:
First, the biggest cause of downtime is when your company is hit with a cyber attack. If you are hit with something like ransomware, your files will be completely encrypted, and many business functions will be shut down completely.
There are other, less obvious forms of downtime related to cyber attacks such as loss of business, PR issues, employee morale, time to fix, and more. Simply put, phishing attacks are bad for business.
Second, when you roll out something like our Psychological Security Awareness Training, the training is short, doesn’t take time out of an employee’s day, and boosts morale rather than hurting it.
How does this work?
At Hook Security, we research and craft simulated phishing attempts based on the latest tactics that criminals are currently using. We send these simulated phishing emails to employees every month.
Then, when employees fall prey to our trap, we give them a short, educational but entertaining video to train them on their mistakes.
The whole experience from clicking the email to receiving training is less than 5 minutes.
The traditional form of training involved hours-long training in a conference room, or long, drawn-out computer-based training.
This approach kills productivity. And we like productivity.
By training your employees at the moment they clicked (we call this the point-of-infraction), they quickly learn from their mistakes, have a laugh, and move on with their day.
Your Employees Are Your Greatest Asset.
Many security providers and companies say that employees are your biggest weakness when it comes to cybersecurity, and to be honest we’ve said the same in the past.
And while there may be some truth in the statement, it does very little to accomplish our goals in security awareness.
Your tools cannot be security-aware. Your computers cannot be security-aware (well... not yet... oh god I’m so scared for the future).
We have found that the number one way to create security rockstars out of your employees is to treat them like your greatest asset, not your biggest weakness.
Your employees are the number one thing keeping your company going. And yes, they are also the people clicking on phishing emails, but you should see them as an opportunity rather than a threat. This will have a great impact on the effectiveness of security awareness training.
Why is it Important to Offer Security Awareness Training?
If you are an MSP, MSSP, VAR, or any kind of IT services provider, you may or may not already offer security awareness training to your customers.
But should you?
Well, we may be biased but we think so.
But so do other MSPs.
In Datto’s 2020 State of the MSP Report, they showed that 60% of MSPs consider security awareness training a critical service to provide for their customers, while slightly less than 60% reported they actually offer it currently.
The cold, hard truth is that if you aren’t offering security awareness training and other emerging services as part of your managed offerings, you could be in danger of losing customers.
Because as company adoption of awareness training increases, companies will look for and ultimately go with providers that offer it.
The benefit of a done-for-you service like our PsySec training is that you don’t have to add any additional resources, time, or employees on your end to provide it to customers. We take care of the testing, training, and reporting for you.