What is Security Awareness Training?

Phishing attacks have become one of the most popular cyberattacks in 2021. It’s estimated that 70% of cyberattacks use phishing and 66% of the malware that’s downloaded in business is delivered through an email attachment, making it by far the most popular means of malware delivery by a hacker. You can have all the technical security solutions but if your users decide to download an email attachment that is malware, there’s not much the technical solutions can do to stop that without interfering in everyday business. The answer to this is proper security awareness training, this is the best defence that a business has for phishing. Security awareness training is a strategy used by IT and security professionals to prevent and mitigate user risk. These programs are designed to help users and employees understand the role they play in helping to combat information security breaches.

What should security awareness training do?

The first aspect of security awareness is to train users on the cybersecurity threat landscape. User’s need to understand how phishing attacks and other social engineering attacks work and how to identify them. It should be more than just simple readings or an online course that people do. During onboarding many companies require employees to complete online courses but often employees simply click through this sort of training as quickly as possible and they don’t learn much. Security awareness training should be more interactive and in person so that people can ask questions and be put through exercises to ensure that they retain the information.

The second aspect of security awareness training is simulated social engineering attacks. Unlike the exercises described above where users will know that it is a test, simulations should be performed against employees unknowingly throughout the year. This way your organization can understand how knowledgeable your employees are and tailor your awareness training based on how the employees respond to the simulations. Testing your team is the only way to know for sure that your employees are well prepared for the phishing attacks that they will see throughout the year. At the end of the simulation you want to have some metrics like this, which comes from a simulation performed by university of Manitoba for fraud prevention month in 2018:

Source @ university of manitoba

In addition to simply gathering these metrics, this gives you a means to identify how your company compares to other companies within your industry. Verizon did a data breach investigations report and was able to get the failure rate of phishing simulations by industry, you can use this to compare yourself to other companies and demonstrate how well your company is performing against your peers. It can also be a great way to show board members or upper management that their investment in cybersecurity is paying off by showing how you are outperforming similar companies. It’s important that you can quantify your results for stakeholders.

Source @ phishingbox

How to get more free content

If you like this article and would like to read more of our content for cybersecurity insights, tips and tricks feel free to follow us on our social media. If you’re a struggling business owner who needs help in assessing their business’s cybersecurity posture feel free to take advantage of our free introductory assessment and we’ll help you figure out a game plan for keeping your company safe.