Security training is often touted as one of the best ways to combat phishing attacks, malware and other security hazards. The thinking is that your employees won’t fall victim to these types of threats if only they understood how to detect them. But, the type of security training offered to your employees makes a huge difference in whether your efforts prove effective.
A recent report from email security provider Egress points out the pitfalls of generic training designed to simply meet certain check marks and provides a few tips on how to improve your security awareness and training (SA&T). To compile its report Why box-ticking SA&T will never change security behaviors, Egress used insights gleaned from past surveys of IT security leaders.
How often are companies training employees on security best practices?
In one survey, 98% of the IT leaders said they carry out at least some form of security training. More than half reported they offer it a few times a year, while more than a third provide it each month. Almost all of the people surveyed said they believe security training can result in long-term, positive changes from their employees.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
However, 84% of the security leaders polled acknowledged they’d been victims of successful phishing attacks over the past 12 months. Such breaches continue in large part because of human behavior. Employees fall for phishing emails, cause data loss due to errors, and break certain rules such as emailing work information to personal accounts. The takeaway is that offering generic security training hasn’t been effective at reducing security incidents.
Making security training more effective
To help you improve the value and impact of your security training, Egress offers three recommendations.
Measure outcome instead of activity
You need to measure the true outcomes of your security training and not just look at employee participation as a statistic. Consider the employee behaviors you’d like to see change as a result of the training, and then, determine if they actually do change
Such behaviors include correctly classifying sensitive emails to be encrypted, following security warnings, not falling for phishing emails and avoiding general human errors. These can all be measured to determine if your training is truly having a positive effect.
Customize training to individuals
Rather than offer the same generic training to all employees, tailor your training to individuals based on history, needs, job role and other factors. You might start out by using security questionnaires to gauge the level of risk among different employees. Then, consider an employee’s job role and level of seniority to determine how likely they are to be targeted by cyberattacks.
Next, assess the risk of an employee accidentally or intentionally causing a security incident over privileged data or sensitive systems. Further, look at the past behavior of an employee to see if and how often they fall for phishing emails, browse to malicious websites, fail to exercise proper password hygiene and violate your security guidelines. You can then offer the right security training and coaching based on these factors.
Combine your security training with real-time teachable moments
Regular and formal security training certainly holds a vital place. But, consider backing that up with real-time interventions or nudges at the moment when an employee is about to perform a risky action, such as responding to a phishing email. Using intelligent security tools, you can display a banner on a suspicious or malicious email alerting an employee to the risks.
On an inbound email, a banner could warn about the potential for account takeover or impersonation. On an outbound email, the banner might warn the user if they’re about to send the message to the wrong address or attach an incorrect file. These types of interventions can not only stop security breaches before they occur but help teach people why a certain action has been flagged.
If your IT department is planning to update or establish a new strategy for security awareness and training, the experts at TechRepublic Premium have a policy to get you started.