Best practices for building an effective security awareness program
People are the most critical element of an organization’s overall security and risk posture.
Verizon’s 2020 Data Breach Investigations Report, which highlights insights from nearly 4,000 data breaches, found that 67% were caused by attacks targeting people — including credential theft and phishing — and 22% involved human error.
Cybercriminals and nation-state hackers are brazenly exploiting human vulnerabilities, and no one is immune to security slip-ups. Recent high-profile incidents involving Twitter, the Israeli defense industry, and cybersecurity training firm SANS Institute all resulted from social engineering techniques that successfully deceived employees.
Security awareness has never been more important. Since January, there has been a 30,000% increase in detected phishing, malicious websites, and malware designed to capitalize on the pandemic.
While organizations have been engaging in awareness activities for years, escalating threats and data privacy concerns require us to advance our efforts. According to Gartner, “by 2022, 60% of large/enterprise organizations will have comprehensive security awareness training programs, with at least one dedicated full-time equivalent (FTE) for fulfillment.”
Traditional security awareness training often centers on compliance with regulations such as HIPAA, PCI-DSS, GLBA, and more recently, the GDPR and CCPA. But implementing a security awareness program is much more than a check-the-box compliance exercise. It’s a business function designed to reduce business losses.
The global average cost resulting from insider threats — including negligent employees or contractors, malicious insiders, and credential thieves posing as insiders — is $11.45 million.
If you don’t provide users with specific information about how they should respond under certain circumstances and motivate them to practice behaviors that promote your security goals, the responsibility for any damage they cause lies with you.
Here are nine best practices for building an effective security awareness program.
1. Understand your starting point
Before you can evolve your awareness training, you must first determine the strength of your existing security awareness program or security culture.
Resources like the SANS Security Awareness Maturity Model — which was developed through the coordinated efforts of over 200 awareness officers — help you identify how mature (or immature) your program is and where you can take it.
By taking baseline measurements related to current phishing susceptibility and cybersecurity knowledge levels, you can track your organization’s progress. Record the number of employees falling prey to simulated phishing attacks, how many are reporting suspicious emails, the overall volume of security-related calls received by help desk analysts, and the rate of malware infections.
2. Take an all-in attitude
Make it a company-wide program that includes buy-in from the top down, and secure enough funding for initial requirements and ongoing efforts.
Incorporate security into your organization’s overall vision and mission. Let employees know what’s in it for them; they’ll be more invested if they understand awareness efforts extend beyond corporate security to protect against threats to their identity and livelihood.
3. Consider your corporate culture
Work with senior management and employees to develop a strategy that blends your security awareness program with your existing corporate culture. Key considerations include your industry, workforce demographics, and what’s relevant to different locations, departments, and roles.
4. Set goals and be flexible
Work with stakeholders to identify the top concerns and risk factors in specific areas of the organization, and develop a calendar of activities to address them over time. Set reasonable, incremental goals and be prepared to make changes if initial approaches fail to produce positive results.
5. Keep messaging clear, specific, and persistent
Communicate the value and purpose of your awareness program early and often. Users should understand exactly what’s happening, why it’s happening, and what their role is.
Focus on content that catches their attention, is relatable, and can make an impact in their personal lives. Be repetitive in the reinforcement of key messages, but not in how they are delivered. Diversify media and determine what drives the most change.
Annual efforts will keep you in a constant state of rebuilding. Maintain ongoing awareness activities aimed at integrating training into day-to-day workflows. This will keep cybersecurity best practices top of mind, and better prepare employees to defend themselves and your business.
6. Operate across people, process, and technology
Security awareness training works hand in hand with technical controls. In addition to solutions that help mitigate attacks and human error — such as data classification, email security, endpoint detection and response (EDR), data loss prevention (DLP), privileged access management (PAM), and user and entity behavior analytics (UEBA) — security awareness training platforms can help educate employees and assess their security readiness with both ready-to-use and customized interactive software modules.
They offer delivery via a variety of digital endpoints and provide content of different lengths (one- to two-minute microlearning lessons, interactive lessons, and episode-based, Netflix-like shows) in styles that can be tailored to the needs of specific roles or audiences. Delivering the same information in multiple forms increases your employees’ chances of retaining it.
7. Consider gamification
Incorporating gamification into your awareness program encourages active engagement and friendly competition. However, as security expert Ira Winkler points out, gamification isn’t putting information in the form of a game in the hopes of changing behavior. True gamification is a reward system that positively reinforces learning.
Implementing effective gamification can motivate your employees not just to participate in training, but to take it seriously so that they have a chance of winning. What you reward them with depends on your corporate culture; it could be individual or team recognition, points, physical prizes, or even cash.
8. Prioritize collaboration over punishment
Human error is inevitable, regardless of how strong your program is. So take a “more carrot, less stick” approach that encourages employees to share information and makes them feel like collaborators.
Security incidents should be treated as learning opportunities rather than cause for punishment. If users worry they’ll be blamed, reprimanded, or even fired for security-related mistakes, they’ll be far less likely to report them.
9. Measure your efforts
Put metrics in place to assess the impact of your program and demonstrate return on investment.
Don’t focus on likability when evaluating progress. Bringing fun into security awareness is helpful, but it doesn’t matter if survey results show that employees are enthusiastic about your program. It matters if their behavior is changing.
Behavioral change should be your goal; fortunately, it’s also measurable.
Compliance metrics that focus on employee participation and other requirements should be accompanied by behavior-related metrics that focus on whether you’re preventing more attacks, detecting more incidents, and ultimately reducing more risk over time.
Properly configured technical controls support tracking and reporting; UEBA provides insight into high-risk (and malicious) users, and endpoint security controls measure rates of malware infections and successful phishing attacks from the wild. Additionally, security awareness training tools test knowledge levels and segment user data to collect program metrics. They offer analytics to help identify areas that need improvement and employees who may need additional training.
Humans are the target and the solution
The best security tools in the world can’t compensate for a lack of awareness. In fact, the stronger corporate security becomes, the more threat groups will target employees personally.
By incorporating security into your overall vision and mission, focusing on behavioral change, increasing engagement, and operating across people, process, and technology, you can foster a culture of cybersecurity and transform awareness training from an annual event into a lifecycle that generates security returns.
Contact SHI today to start developing or maturing your organization’s security awareness training program.
David O’Leary contributed to this post.