It wasn’t that long ago that end-user training was reserved for new line-of-business applications or major software rollouts in most organizations. In today’s business environment, you really need to think of end-user training as a constant, ongoing process, especially when it comes to security awareness. The #1 security risk to any organization today is its own internal employees, and if you don’t take control of it, it will most definitely come back to bite you.
Some Statistics To Get Your Attention
- 50% of Internet users experience at least 1 phishing email a day!
- 45% of those users were susceptible to following those phishing emails
- 92% of malware is distributed through email
- Only 53% of organizations have ANY security training in place
First and foremost, let’s take a look at what end-user security awareness training really is. I mean, do you really need training for your end-users to know that security is important? When we ask most prospective clients if they have any process around end-user security awareness training, most of the time we get a sheepish response of “Well, we let everyone know that they should have a strong password and they shouldn’t share it with anyone.” In some of the more prudent environments we may even hear “Yeah, we have a formal security policy that they have to read and agree to.” Unfortunately, neither of these answers is sufficient to protect your organization against the threats being lodged against your operations right now and every day going forward!
End-user security awareness training is a mindset and ultimately a culture change that has to occur across the entire environment and across all employees to truly be effective. It simply can’t be something that your team sits through once a year and still expects to get any real benefit from.
Keys to Effective End-User Security Awareness Training
Relevant Training – Most important of all, the end-user security awareness training needs to be relevant. The threat landscape changes daily, so if the content of the training is not updated at least monthly, the value of what is being presented is very limited.
Engaging Training – All too often organizations make their end-users either read a policy in the handbook that hasn’t been updated in 5 years, or watch a training video that the end-users simply start playing in the background while they continue working or go to lunch. For the training to be effective, it needs to be engaging and interactive. Security is a dry subject, so this is not always as easy as it sounds. Part of the training should require the end-users to answer questions that test their knowledge and understanding of each section throughout the entire training. This ensures that the information being presented is being absorbed and understood. Additionally, the training should include real-world examples. All too often security training focuses only on technical aspects that are not relatable to the average user.
Concise Training – Another mistake to avoid is making the training too lengthy. Again, because security can be a dry topic, avoid any loss of focus by using short training sessions of 20-30 minutes max. Anything longer will lose the audience’s attention and undermine its success.
Scheduled Training – As mentioned previously, training should be conducted monthly to get the most benefit. To expand upon that a bit, it should also be something that is automatically scheduled. All organizations are built to produce a product or service and security training is probably not one of those deliverables for 99 percent of organizations. So what inevitably happens is that most organizations start with good intentions but work gets in the way and subsequent training gets put off or never implemented.
Real World Testing – Training without testing is only half the battle. To truly be effective with end-user security awareness training, you also need to test in a real-world scenario to see how your end-users fare when faced with a realistic malicious lure. The most common testing method is to send test emails that look like legitimate emails from common vendors, partners, and organizations. If you are a manufacturing or construction focused organization, that might be an email that looks to be from OSHA asking the recipient to click on a link to get the latest regulatory updates. Or if you are in the retail market, it may be an email that appears to be your last PCI compliance report with a file attached. The key here is that it needs to look like a normal email that your team might actually receive. Once you have a relevant email to use, you want to be able to report on how many of your end-users actually clicked on it or did what the email asked them to do. While these links or files are not actually malicious, since they are sent from you, the results do give you an indication of how susceptible your staff members really are. From those results you can assign additional training to the users who clicked the link, downloaded the file, or visited the site, to help them recognize these lures in the future and avoid a real threat.
Tracking Results – Once you have the ability to test and see which employees do well and which ones do not, the next step is to make sure you can track over time how each of these groups improves or declines in their ability to thwart the risks. If you have employees who do not improve over time, the training may not be suitable, or you may need a better environment for them to train in, or you may need to schedule it at another time when they can focus more. Without the ability to track, you cannot tell whether you are getting the results you need out of the security initiative.
Policy Enforcement – In tandem with end-user security awareness training, you also must have training around what your organizational policies are and how they are to be followed. In a recent survey only 27% of organizations actually had a written information security policy in place. It is imperative that you train your staff and employees on what is expected of them specific to your organization’s policies. This also ensures that, in the event of any legal action, you have proper documentation of the policy as outlined and agreed upon. Once the policy is developed and in place, you need to actively track who has read and accepted its terms. This is one more opportunity to use a security platform to track and maintain these records. Many end-user security awareness training platforms have the ability to keep these policies online and track which employees have and have not accepted them.
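One way to report on the simulation results described under Real World Testing and to track per-user improvement or decline as described under Tracking Results, as an added example that is not part of the original post and not any particular platform’s code. The campaign results, user names and outcome labels below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: three monthly simulated phishing campaigns.
# Each record is (campaign, user, outcome). Outcomes are "ignored",
# "reported" (sent to the helpdesk), "clicked" (followed the link),
# or "opened" (opened the attachment). Names and campaigns are invented.
RESULTS = [
    ("2024-01", "alice", "clicked"),  ("2024-01", "bob", "ignored"),
    ("2024-01", "carol", "clicked"),  ("2024-01", "dave", "opened"),
    ("2024-02", "alice", "reported"), ("2024-02", "bob", "clicked"),
    ("2024-02", "carol", "clicked"),  ("2024-02", "dave", "ignored"),
    ("2024-03", "alice", "reported"), ("2024-03", "bob", "ignored"),
    ("2024-03", "carol", "opened"),   ("2024-03", "dave", "reported"),
]

FAILED = {"clicked", "opened"}  # outcomes that count as falling for the lure


def failure_rate_by_campaign(results):
    """Fraction of recipients who clicked the link or opened the attachment, per campaign."""
    sent, failed = defaultdict(int), defaultdict(int)
    for campaign, _user, outcome in results:
        sent[campaign] += 1
        if outcome in FAILED:
            failed[campaign] += 1
    return {c: failed[c] / sent[c] for c in sorted(sent)}


def user_history(results):
    """Per-user list of (campaign, failed?) in campaign order."""
    hist = defaultdict(list)
    for campaign, user, outcome in sorted(results):
        hist[user].append((campaign, outcome in FAILED))
    return hist


def needs_remediation(results, last_n=2):
    """Users who fell for the lure in each of the last_n campaigns: the training is not landing."""
    flagged = []
    for user, hist in user_history(results).items():
        recent = [failed for _c, failed in hist[-last_n:]]
        if len(recent) == last_n and all(recent):
            flagged.append(user)
    return sorted(flagged)


def trend(results, user):
    """'improving' if the user failed the first campaign but not the latest, 'declining' if the reverse."""
    hist = [failed for _c, failed in user_history(results)[user]]
    if len(hist) < 2 or hist[0] == hist[-1]:
        return "stable"
    return "improving" if hist[0] and not hist[-1] else "declining"
```

In a real program the records would come from the simulation platform’s export rather than an inline list, but the reporting logic is the same.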
In conclusion
It is no longer enough to simply have a page in your handbook that has a static policy in place around security and information technology. You must take an active approach to ensure your team is fully aware of the constantly changing threats and vulnerabilities and how to recognize, avoid, and report those threats. The data backs this up with astonishing results! Organizations that implemented ongoing end-user security awareness training experience a 92% reduction in users that actually fell for phishing attacks.
If you need assistance to get started with this, reach out to your trusted I.T. partner or let DaZZee know if you would like our help! This is a minimal investment that generates a sizable return in reduced overall security risk and liability.
If you are a business with at least 15 users in the Southwest Missouri or Northwest Arkansas market, you can get FREE access to DaZZee’s online End-User Security Awareness Training.
Just Sign Up Below To Get Free Access