Why security awareness alone is not enough

Information security awareness is crucial for organisations to protect their sensitive information and prevent security incidents and data breaches. It’s not a surprise that it is a key control included in every security standard and best practice framework.

Security awareness targets the human factor, the often-cited weak link in the chain of information security controls. Its purpose is to turn this weakness into a strength, a proactive contributing factor for the protection of an organisation’s information assets, to compliment any technical controls in place.

Simply developing security awareness through bare education might not be enough to gain this additional protection if it doesn’t consequently enable and drive effective actions and compliant user behaviour. The primary issue in this context is that users might gain knowledge of cyber threats relevant for their context, through basic security awareness training, but still lack confidence and skills to properly detect and respond to real cyber events once these materialize in their immediate realm. In these cases, security awareness, although seemingly established, is almost useless to fulfil an effective purpose.

How to improve your organisations security awareness?

The main deficiency nowadays is still that most security awareness programs hardly go beyond the theoretical education, and do not introduce a consistent and structured component of regular testing and practicing. Routine and confidence to deal with real cyber challenges and events however only comes through regular exercising.

In fact, security awareness must take a comprehensive and consistent, end-to-end approach to become a reliable protective control. Hence, these are the key points to consider when implementing an effective security awareness program:

User Education

This is the absolute basic minimum. It is essential to educate users about potential threats, such as phishing, malware, social engineering, software vulnerabilities and common attack patterns. And even more crucial to provide them with skills and guidance to recognize and respond to these threats.

Practical Training

Confidence and routine is facilitated through practical training. Hence, after a thorough theoretical security awareness induction, regular hands-on security exercises become predominantly important. These may cover a wide area of subjects, and can include social engineering, managed detection and response, malware or technical attack simulations, as well as red or blue team, backup recovery, business continuity or disaster recovery exercises, to just name a few.

Continuous Training

Just a once a year read this document or click through this computer-based training will hardly provide any education. Security awareness should be an ongoing process and not a one-time event. Regular cybersecurity awareness training, exercises and updates help to keep users informed of the latest threats, technologies and effective detection and response procedures.

Cybersecurity Awareness Training using real-world threat scenarios

Theoretical and practical security awareness training should always relate to authentic scenarios in order to highlight practical relevance and to demonstrate how to recognize and respond to real-world security threats. An effective approach can be to explain, walkthrough or replay recent breaches that have become known to the public, or setup a live demo, or role-play, that for instance directly shows how end user laptops or smartphones can be hacked. This makes cyber threats more tangible and easier to understand for the ordinary staff member.

Security awareness training modules

Security awareness training modules cover a range of topics that include, but are not limited to:

• Phishing awareness to help employees recognise and deal with potential phishing emails.
• Password security that provides instructions on creating strong passwords and avoiding personal passwords.
• Privacy issues that instruct employees on how to protect sensitive data of customers, partners, other employees and the company.
• Compliance training that covers requirements such as HIPAA, PCI and GDPR.
• Insider threat education that helps employees recognise potential threats that may come from within the organisation.
• CEO/wire fraud training that shows employees how attackers may impersonate a C-level executive to defraud the company of large sums of money.
• Data in motion training to educate employees on how to protect data that is in transit, particularly in the Australian context.
• Office hygiene training that educates employees on the best practices to secure paper, desks, screens, and buildings.

How your organisation can become a leader in security awareness?

Security awareness training is an essential component of any organisation's security strategy. With all levels of leadership participating, organisations can ensure that their staff are up-to-date with the latest threats and best practices.

Lead by example

Senior leaders should actively participate in the security awareness program, which means in general training as well as practical exercises, and demonstrate that security is a top priority for the organization.

Promote good behaviours

Do good things and talk about it. Organisations should recognise and further more reward employees who demonstrate strong security behaviours (e.g. rewarding appropriate actions during exercises and real incidents). On the other hand, it should also consequently take steps to correct and sanction those who engage in risky behaviour.

Consider role-based security awareness training

A one size fits all security awareness training, which is a common approach, is usually too generic and not fully suitable for specific roles. Hence, education provided should always additionally consider relevant content for users’ roles and responsibilities and tailored to their particular needs. Specific awareness training may focus on aspects for users with privileged access to systems, obligations regarding highly regulated or sensitive information (like PII or credit card data), specifics for remote workers or compliance requirements with applicable laws, regulations and external standards.

Measure success

Organisations should establish a way to measure the effectiveness of their security awareness program, which should go beyond tracking the completion rate of the annual awareness training. Instead, it should leverage a combination of means such as regular phishing simulations, security audits, user surveys and recurring exercises, of varying subject and focus, with structured post-exercise reviews.

Respond quickly to cybersecurity incidents with a strong security awareness program

In conclusion, a strong security awareness program offers unquestionably great opportunities and is a critical factor to successfully prevent and respond to security incidents and data breaches. Organisations miss-out on these benefits if they only provide occasional, shallow theoretical training, and treat the whole matter only as a tick box activity, to achieve compliance with an aspired standard. Security awareness must target at driving effective actions and compliant user behaviour. Hence, organisations should focus on awareness activities that go beyond recurring, theoretical user education, by adding regular real-world scenario tests and exercises to their training program schedule. Our cybersecurity solutions provides staff members the opportunity to practice their security skills, detection and response capabilities, and to develop confidence to deal effectively with any relevant real cyber event as they occur.