Importance of Security Awareness Training
John LeMay
When it comes to cybersecurity, one of the most important investments a business can make is security awareness training for its leadership and its employees. After all, it is much easier to protect your business once you understand who and what you are protecting it from.
Cybersecurity threats are always present, and they can come from sources both internal and external to your business. Recent studies have shown that approximately 91% of all cybersecurity breaches originate in email and that 43% of cyber attacks target small businesses (Citrin-Cooperman COVID response team, August 2020). Other internal systems, public websites, and the processes used to handle data can also expose your business to increased risk. By training your staff to understand the variety of ways your business systems can be compromised, and by giving them the tools to recognize potential threats and respond to them, you reduce both the likelihood and the potential impact of a cybersecurity event.
During the pandemic of 2020, businesses faced unprecedented challenges. Many employees were forced to work remotely, often for the first time. Many of the security protections provided in the workplace by IT staff did not extend beyond the walls of the business, and many remote workers lacked the tools and knowledge to protect business data in this new working arrangement. The “bad actors”, those working to penetrate business systems and steal data, were aware of this and took advantage of the situation. As early as May, only a couple of months into the pandemic, businesses were already reporting a rise in attempted breaches and other security-related events. In June 2020, BizJournals.com reported that companies had already seen increases in hacking, video and telephone conference hijacking, and confirmed data breaches, among other security events. Attack rates are expected to keep rising as work continues to shift away from large offices and toward a more remote workforce.
A business adopting a new security awareness training effort should begin by surveying the processes and technologies already in place, since these will guide the choice of training method and platform. Once the requirements of the program are understood, the available offerings can be evaluated to find one that fits both the business and its employees. Most programs can be customized to some extent to meet the needs of the organization. The content should be relevant to your business; training for a retailer, for example, will differ in many ways from training for a financial services firm. It should also be relevant to the job roles of the people taking it, because staff retain concepts better when they can relate them directly to their daily work.
Security awareness training should be an ongoing effort for your organization. Training should be delivered regularly and consistently; many organizations release fresh cybersecurity training content on a monthly or quarterly basis. Participation should ideally be mandatory, so make sure your chosen platform can measure both participation in and successful completion of each training module. Like much of the training available today, courses can be consumed on demand, which helps staff fit them into their daily schedules.
Classroom security awareness training is also available, either in person or virtually. Classroom sessions offer a more interactive format, but other delivery methods may be more effective, at least for introductory cybersecurity training. Depending on the audience, however, a classroom setting can still be valuable for delivering those initial concepts, so weigh this option when evaluating training offerings.
Cybersecurity risks will continue to evolve, as will the frequency of cyber attacks targeting businesses of all sizes. The best protection for a business is an educated and informed workforce. Adopting security awareness training is not optional for a mature, responsible business; it is as much a requirement as the IT systems used to run the business. Businesses still need the right protections in place in terms of policy and tools, but employee training increases the effectiveness of the organization’s overall security strategy.