Intro
The definition of security awareness is likely broader and deeper than your organization may realize. Security awareness aims to address one of the trickiest weak points in your organization: its people. Security awareness is intended to change behavior and reinforce good security practices among your employees and other third parties. In short, it should be a cultural change.
Easy to do? Of course not. But if responsibility for security awareness training has fallen to you, this guide can help. It will walk you through the foundational aspects of security awareness so you can avoid common mistakes. It also provides detailed information on how security awareness affects compliance issues to assure that you design a comprehensive program.
What Is Security Awareness?
Information security begins and ends with your employees. Widely cited industry estimates attribute as many as 95 percent of cybersecurity breaches at least in part to human error. That’s because no matter what technological controls you have in place, people remain targets for threats such as phishing and online scams. Unfortunately, employees are highly effective entry points for cybercriminals looking to access data or infect your systems with malware.
Security awareness training is crucial to combating those risks. The key elements of awareness are (1) knowledge, (2) understanding, and (3) attitudes about your company’s physical and informational assets.
When your personnel are aligned on those three elements, you can feel confident that your workforce will identify risks and take the appropriate action to protect those assets. Awareness exists when everyone:
- Recognizes security threats
- Understands the associated risks
- Has an appropriately urgent attitude
- Knows how to respond
Risks of Poor Security Awareness
Phishing attacks, malware, ransomware, viruses, scams, and other security threats all hit unsuspecting organizations every day. Bad actors are constantly evolving to achieve their goals. A workforce with low levels of security awareness is their ideal target; that’s why it’s paramount that you prepare ahead of time.
According to IBM Security’s 2020 Cost of a Data Breach report, the average breach cost $3.86 million. It also took organizations an average of about seven months just to identify a breach, and roughly two and a half more months to contain it. For ransomware alone, one 2020 estimate put the average payment at more than $111,000.
Remote work widens the attack surface, and it has complicated compliance for companies that have not historically supported remote or hybrid environments. Unless you want to become the next breach headline, you must educate your employees. Failing to make security as much of a priority as the rest of your job leaves you, and your customers, at enormous risk.
Who Needs Security Awareness?
Personnel at every level and in every part of your organization should undergo security awareness training. That training, however, will need to address various levels of competence that will exist in any organization.
Your personnel will fall into the following categories:
Unknowing
These are people in the organization who lack security awareness and don’t even recognize it as something they should understand. It isn’t an issue they consider as they operate day-to-day. They rarely take any conscious steps to assure the safety of their activities or recognize or respond to threats.
As a result, the unknowing need to be made aware of security-related issues and recognize their lack of knowledge. Some might require additional effort to convince them that security is important. They’ll have to be motivated to learn if you want them to get past this stage.
Unsure
These individuals know some need for security awareness exists; but they don’t know what security looks like, or how they should participate. They might make mistakes as they try.
The good news is, they don’t need to be convinced. They recognize the value in learning more about security and gaining the necessary competence to help assure it.
Conscious
This group of people will appreciate security risks and their duty to help mitigate those risks. They might have received training, but keeping security top of mind or responding appropriately still takes an extra effort.
They may have to stop and think before getting into a security mindset. It’s also likely they often have to look up security procedures and policies, or revisit guidance on recognizing security threats.
Second-nature
These individuals have such a high level of security awareness that they don’t have to think consciously about staying safe. They immediately recognize threats and know how to respond to them. Avoiding risky activities has become second nature to them. They carry this awareness throughout the day, and possibly even at home.
Your security awareness program will need to accommodate people at different levels of engagement within your organization. New hires, for example, should have security awareness training as part of their onboarding process.
You might also need to implement training for contractors or vendors. In some cases, security training is an explicit requirement of regulations and frameworks such as HIPAA and NIST SP 800-53.
What State and Federal Laws Require Awareness Training?
A handful of federal laws mandate security awareness training.
Federal security and cybersecurity awareness requirements are industry-specific, and are often additions to long-standing regulations.
- Electric utilities: The North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) standards require at least quarterly security awareness reinforcement, plus recurring role-based training, for personnel with authorized access to critical cyber systems.
- Federal agencies: The Federal Information Security Modernization Act (FISMA) requires that federal employees and contractors receive annual cybersecurity awareness training.
- Financial institutions: The Gramm-Leach-Bliley Act (GLBA), which governs how financial institutions protect non-public personal information (NPI), requires security awareness training for personnel under its Safeguards Rule, updated to reflect the institution’s risk assessment.
- Healthcare: The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to implement a security awareness and training program for all workforce members, including periodic security reminders (45 CFR § 164.308(a)(5)). HIPAA sets no fixed interval; annual, role-based training is the common practice.
- Publicly held companies: The Sarbanes-Oxley Act (SOX) does not name security awareness training directly, but the IT general controls auditors test under its Section 404 internal-control requirements commonly include it as part of the control environment.
- Financial institutions and creditors: The Federal Trade Commission Red Flags Rule requires training of relevant staff to carry out the organization’s Identity Theft Prevention Program.
Several states also require security awareness training. Other states encourage and provide resources for voluntary security awareness programs. Still more address awareness with some other guidance. Here are a few examples.
- Alabama authorizes cyber training for its executive branch and provides training.
- Connecticut requires cybersecurity awareness for state employees.
- Georgia requires cybersecurity training for executive branch employees.
- Louisiana requires cybersecurity training upon hire and annually for all state employees.
- New Jersey requires annual cybersecurity awareness training for state, county, and municipal employees and certain state contractors.
- Ohio requires and provides cybersecurity awareness training for information system users, including employees, contractors and temporary personnel.
- Pennsylvania requires yearly online security awareness training for all state employees.
- Texas mandates annual cybersecurity training for all state employees. All training programs must be certified by the state.
- Utah mandates cyber training for executive branch state employees.
What Are the Costs of Security Awareness Training?
The benefits of security awareness training far outweigh the costs, but those costs should be considered nonetheless.
Programs should be tailored to the organization, which means there is no “standard cost” an organization should expect. Every business, however, will incur most or all of the following costs:
- Employee planning
- Implementation time
- Software fees
- In-house or vendor administration
- Communications
Again, there is no single correct method to provide training. But costs can be represented in one or more of the following ways:
- A percentage of your overall employee training budget
- A percentage of your overall IT budget
- Allocation per user
- Allocation per user by role (such as security personnel versus general staff)
- An itemized budget among multiple departments
- Specific allocations for each component of the program
- One-time and recurring costs
What Are the Benefits of a Successful Security Awareness Program?
One key benefit of fostering a high level of security awareness is that you will empower your employees to mitigate and respond to risk. It’s likely that they currently undervalue the control they have over their email security and browsing-related risks.
Awareness training also reduces your risk of non-compliance with regulations or protocols that are central to your business. A small team of people can’t replicate the assurance of an entire workforce of trained employees.
Security awareness helps protect assets of every sort. And when it is part of the organizational culture, that level of protection can be maintained even as the threat landscape inevitably evolves.
Do My Employees Need Security Awareness Training?
In a word — yes.
First, security awareness training is critical to risk management in today’s world, no matter what; providing it is just good business. Second, as you work to achieve compliance with various regulatory obligations, you’ll find that most major frameworks require it.
The SANS Institute releases a yearly security awareness report to help businesses take a data-driven approach to their cybersecurity. It notes that most security awareness programs are run by people with technical backgrounds. Those people understand the threats, but they often lack the communication skills, or the organizational recognition, needed to engage employees effectively.
It’s important to avoid that mistake because engaged, well-trained employees can greatly impact your overall security.
How Do We Demonstrate Security Awareness?
The needs assessment conducted as part of your security awareness program will be useful in determining whether security awareness is improving, and by how much. Personnel should be able to demonstrate security awareness through a mix of qualitative and quantitative feedback.
Qualitative information can come from surveys and interviews. You can also gather insights by observing employees as they engage in awareness activities. Quantitative measurements will include data generated by penetration tests, simulated attacks, and other activities.
PCI DSS requires that personnel be trained upon hire and at least annually, and that they acknowledge in writing, at least annually, that they have read and understood the security policy. Its testing procedures also have assessors interview a sample of personnel to verify they completed the training and understand the importance of cardholder data security. (Written acknowledgments plus sample interviews are useful evidence for almost any framework.)
Perhaps the most important demonstration of security awareness is continued improvement in the areas that have been assessed. It is common to show significant improvements in the first six months or year of program implementation, followed by smaller gains. But those smaller gains are usually an indication that your awareness program is filling significant gaps as it matures.
Common Security Awareness Failures
For all the benefits of security awareness training, too many programs fail to make major improvements. The same handful of roadblocks and oversights are usually to blame.
Typical reasons why security awareness fails:
- Insufficient planning of aspects such as costs, evaluation, or communication
- Lack of support from needed executives and managers
- Policies too weak or incomplete to underpin the training and assure security
- Predictable tests that fail to simulate the real-world variety of security threats
- Too broad or too narrow of a scope
- Checkbox mentality that treats awareness as a task, rather than a culture
- Lack of engagement from the workforce
- Ignoring success and failing to use positive results to motivate people
How to Create a Security Awareness Program
Various baseline assessments should occur at the beginning of the program so you can assess impact later. This includes but is not limited to:
- Social engineering penetration tests (pretext phone calls, tailgating attempts, dropped USB media) to gauge how people actually respond
- Simulated phishing attacks to measure responses
- Measuring click rates and other activities
- Surveying workforce knowledge and attitudes
Security Awareness Program Topics
While a program should fulfill the needs of an organization and its workforce, certain core topics should be addressed.
First, employees need to understand what kinds of materials, processes and environments present potential threats. Tangible assets like hardware, and intangibles like personal data, trade secrets, or classified information should be defined. Personnel should be aware of your policies for handling, transmitting, protecting, storing and destroying such assets.
Employees should also know what risks outside contractors or vendors might pose and any requirements for those people to undergo awareness training themselves. Anybody who deals with vendors should know his or her responsibilities for confidentiality and handling sensitive information.
When discussing policies such as password requirements, incident reporting, and two-factor authentication or limited-time authorizations, employees should learn how these help thwart security problems. Here, clarify concerns unique to insider and outsider threats.
Additionally, do not neglect to emphasize relationships between security and compliance. Clarify any potential civil or criminal liability.
Security breaches damage and destroy organizations every day, and there is no shortage of real-world cases that should be used to illustrate this point. The more people understand the risk—and their power to diminish it—the more effective your awareness training will be.
Key Security Threats to Include in Your Security Awareness Program
Bad actors are constantly innovating and refining their techniques. Here is an up-to-date list of the most common threats and risk areas that every security awareness training program should address.
- Devices: Personal devices used for work, or work-issued devices used for personal purposes, can blur lines and diminish employees’ vigilance when using them, especially off-site.
- Malware: Employees should understand how malicious software reaches systems (email attachments, downloads, removable media, compromised websites), what damage it can do, and how an unsuspecting employee can become its delivery vector.
- Password safety: Employees must become willing to put safety over convenience.
- Phishing attacks: It’s imperative that you improve people’s ability to spot dangerous emails.
- Social engineering: Awareness means understanding that even sophisticated technology users can be tricked into making a dangerous decision. Explain the psychological effectiveness of scams, phone calls, fake news sites, text messages, and social media.
- Remote work: Social engineering will be a high risk for workers who are used to working on site but have recently gone remote. So will mobile connections, password security, and information control.
- Web browsing: A seemingly innocuous activity, nontechnical employees especially might require extra effort to understand its risks and your organization’s related policies.
- Vishing: Manipulation over the phone escapes many people’s idea of what a security threat looks like. Text-message variants are usually called smishing; some programs group text, chat, and direct-message lures under the same heading.
Critical Components of a Security Awareness Program
- Risk assessment: Identify the highest risk assets and employees.
- Measurement: Awareness can and should be measured. Initial assessments can help you understand the unique needs for your security awareness program. Ongoing assessment helps you assure those needs are being met.
- Testing: You may want to consider employing a provider to test your organization with custom phishing tests continually.
- Role-specific information: People should be able to identify quickly what information is pertinent to their roles and needs.
- Flexibility: Individuals’ awareness will be affected by their stage of involvement with your organization or their role. It will also evolve as things change within your company, or in the threat landscape.
- Communication plan: How will everyone remain abreast of the threats, policies, and resources?
- Data and reporting: Be clear on how well you are anticipating and addressing security threats. Data can also tell you about your policies’ effectiveness and how well people are implementing them.
What Are the Layers of Security?
A comprehensive security awareness program should address multiple layers of security. Various models exist. Some emphasize security infrastructure and data transfer, while others present a more holistic view of an organization.
For the purposes of designing a security awareness program, the most important layers include the following:
- Physical security: Access points and hardware
- Perimeter security: The boundary between your network and the internet (firewalls, VPN gateways, and the traffic your IT team monitors at that edge)
- Network security: Controls inside the network, such as segmentation, internal firewalls, access control, and intrusion detection
- Endpoint security: All hardware and devices connected to your network from any location
- Application security: Desktop, mobile, and web-based applications and operating systems
- Data security: The information that flows through all layers
- Human Security: All users whether permanent or temporary, their access, permissions, and activities
The Importance of People-Centric Security Awareness
The importance of the human element in security cannot be overstated. No matter how solid your technology solutions, your people will always be a major risk factor. Make sure your security awareness program is people-centric by considering the following:
- Use fans, not force. You’ll have a much better chance of changing behaviors when you focus on business and personal benefits instead of requirements.
- Share information about the current state of security, such as recent attacks and mistakes. (But don’t single anyone out.)
- Vary phishing simulations and other social engineering tests so that they don’t become predictable.
- Make sure to have a solid Incident Response Program so people can take action quickly as their awareness increases.
- Make training interactive. Self-paced modules should only be part of the training.
- Celebrate wins. Security awareness training will improve security in measurable ways; use that data to tell the positive story of everyone’s concerted efforts.
Security Awareness Compliance Requirements
Security awareness requirements vary. Some place more emphasis on elements such as information security, training content or cybersecurity. Some elements, however, are consistent across frameworks. Each major compliance framework requires some form of the following:
- Formal security awareness training
- Explanations of the proper rules of behavior
- Accessible supporting documentation
Here is an overview of the specific security awareness guidelines from the major frameworks; consult each standard’s text for the full wording of the requirement. Additional compliance measures will enhance your awareness program.
- COBIT (ISACA) DSS05 (Manage Security Services), notably DSS05.01
- Conduct regular physical information security awareness training.
- Communicate malicious software awareness and enforce prevention procedures and responsibilities.
- Conduct periodic training about malware in email and Internet usage.
- Train users to not open, but report, suspicious emails and to not install shared or unapproved software.
- Regularly review and evaluate information on new potential threats.
- Establish procedures to govern the receipt, use, removal and disposal of sensitive documents and output devices into, within, and outside of the enterprise.
- FISMA, 44 U.S.C. § 3554(b)(4)(A),(B) (formerly § 3544(b)(4) under FISMA 2002)
- Implement security awareness training to inform personnel, contractors and other users of information systems that support the operations and assets of the agency.
- People must know the security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks.
- GDPR Article 39(1)(b) and 39(2)
- Data Protection Officers are tasked with monitoring compliance with the GDPR, with other European Union and member state data protection provisions, and with the controller’s or processor’s own policies, including “the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits” (Article 39(1)(b)).
- In performing those tasks they must “have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing” (Article 39(2)).
- HIPAA
- Covered entities and their business associates must implement a security awareness and training program for all members of their workforce, including management (45 CFR § 164.308(a)(5)).
- All members of the workforce must be trained on policies and procedures related to protected health information as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. (HIPAA Privacy Rule, 45 CFR § 164.530(b)(1))
- ISO/IEC 27001 Annex A.7.2.2 / ISO/IEC 27002:2013 control 7.2.2 (control 6.3 in the 2022 edition)
- All employees of the organization and relevant contractors and third-party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as needed for their job function.
- NIST
- NIST treats Awareness and Training (PR.AT) as a category of the Protect function of its Cybersecurity Framework.
- In NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, NIST emphasizes that awareness efforts should reach the organization’s entire user population, with role-based training layered on top.
- PCI DSS 3.2 Requirement 12.6
- Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
- Provide and verify employee PCI security awareness training upon hire and at least once a year.
- Establish and maintain a policy that addresses information security for all personnel.
- SOC 2 – Common Criteria CC2.2
- Communicate information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program.
Security Awareness Training Versus Policy
Keep in mind the distinction between training and policy. Your policies will ensure security, consistency, and compliance. Those should be determined and codified, creating the basis for your training. Training is the formal education you provide to your workforce to ensure they understand the policy and important context surrounding it.
How Effective is Security Awareness Training?
Security awareness training can be highly effective. One single (and highly important) data point is click-through rates on simulated phishing attacks. That can show just how much difference training can make.
Studies show that click-through rates fall as employees receive more training. After a year of training, the click-through rate on phishing simulations can drop by around 70 percent; some vendor-reported figures claim reductions as high as 98 percent. Treat any single figure with caution: the relative drop depends heavily on how high the baseline was and how difficult the simulations are.
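As an added example (not code from the original article or from any vendor’s product), the following Python computes the metrics discussed here and under “How Do We Demonstrate Security Awareness?” from per-recipient phishing-simulation results: click, report and credential-submit rates per campaign, the relative reduction between a baseline and a retest (which is how a “70 percent drop” is derived), repeat clickers who need targeted coaching, and click rate by department. The campaign names, user ids, departments and results are constructed sample data, not real measurements.

```python
"""Phishing-simulation KPIs from per-recipient results (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str    # simulation campaign identifier (assumed naming)
    user: str
    dept: str
    clicked: bool    # followed the lure link
    reported: bool   # reported the message (report button or SOC mailbox)
    submitted: bool  # entered credentials on the landing page


USERS = [f"user{i:02d}" for i in range(1, 21)]
DEPTS = {u: ("finance" if i <= 10 else "engineering") for i, u in enumerate(USERS, 1)}


def _ids(*nums):
    return {f"user{n:02d}" for n in nums}


def _campaign(name, clicked, reported, submitted):
    """Expand per-campaign sets of user ids into one Result per recipient."""
    return [Result(name, u, DEPTS[u], u in clicked, u in reported, u in submitted)
            for u in USERS]


# Constructed sample data: a baseline run before training and a retest a year later.
RESULTS = (
    _campaign("2020-Q1-baseline",
              clicked=_ids(1, 2, 3, 4, 5, 6, 7, 11, 12, 13),
              reported=_ids(8, 18, 19),
              submitted=_ids(1, 2))
    + _campaign("2021-Q1-retest",
                clicked=_ids(1, 2, 14),
                reported=_ids(3, 4, 5, 6, 14, 15, 16, 17, 18),
                submitted=_ids(1))
)


def campaign_rates(results):
    """Per campaign: recipients, click rate, report rate and credential-submit rate."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0, "submitted": 0})
    for r in results:
        c = counts[r.campaign]
        c["sent"] += 1
        c["clicked"] += r.clicked      # bool adds as 0/1
        c["reported"] += r.reported
        c["submitted"] += r.submitted
    return {
        name: {
            "sent": c["sent"],
            "click_rate": c["clicked"] / c["sent"],
            "report_rate": c["reported"] / c["sent"],
            "submit_rate": c["submitted"] / c["sent"],
        }
        for name, c in counts.items()
    }


def relative_reduction(before, after):
    """Percentage drop from one rate to another; 50% -> 15% is a 70% reduction."""
    if before == 0:
        return 0.0
    return round((before - after) / before * 100, 2)


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` campaigns: candidates for targeted coaching."""
    clicks = defaultdict(set)
    for r in results:
        if r.clicked:
            clicks[r.user].add(r.campaign)
    return {u for u, camps in clicks.items() if len(camps) >= min_campaigns}


def department_click_rates(results, campaign):
    """Click rate per department for one campaign, to see where to focus training."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for r in results:
        if r.campaign == campaign:
            sent[r.dept] += 1
            clicked[r.dept] += r.clicked
    return {d: clicked[d] / sent[d] for d in sent}


def summary(results, baseline, retest):
    """Headline numbers a program owner would report to leadership."""
    rates = campaign_rates(results)
    return {
        "click_rate_reduction_pct": relative_reduction(rates[baseline]["click_rate"],
                                                       rates[retest]["click_rate"]),
        "report_rate_baseline": rates[baseline]["report_rate"],
        "report_rate_retest": rates[retest]["report_rate"],
        "repeat_clickers": sorted(repeat_clickers(results)),
        "retest_by_dept": department_click_rates(results, retest),
    }


if __name__ == "__main__":
    for key, value in summary(RESULTS, "2020-Q1-baseline", "2021-Q1-retest").items():
        print(f"{key}: {value}")
```

Two design points matter in practice. First, the report rate is tracked alongside the click rate: a workforce that clicks less but never reports gives the SOC nothing to act on, so a rising report rate is as much a sign of awareness as a falling click rate. Second, the reduction is relative to the baseline, which is why headline percentages from different programs are not comparable unless the baselines and lure difficulty are also known.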
Best Practices for Security Awareness
With a security awareness training program as the anchor, best practices help ensure ongoing compliance.
Do a needs assessment.
A baseline understanding of the existing level of security awareness among employees will help you determine KPIs that meet your organization’s needs. It will help you understand the biggest human risks, as well as how best to deliver your program. Key personnel should be involved in creating this step.
Check out competitors.
Knowing how competitors have invested in security awareness can inform your efforts and help you make the case to others in your organization, especially leadership.
Develop a strategy.
Because security awareness must become integral to your organizational culture, it should be strategized as well as any other business decision. Convincing management or executive buy-in and resource allocation may need to be part of your strategy (the needs assessment can help with this).
Communicate the plan.
People will get on board more easily if they know what to expect. Everyone must understand your security awareness program’s goals and benefits and their own responsibilities and time commitments. Managers might also appreciate clarity about how the program will or will not impact their respective budgets.
Use marketing techniques.
Buy-in is so important that ISACA developed a guide to using marketing techniques. These include creating customer personas and analyzing purchase intentions, which can help you “sell” security awareness and training to your workforce. Your internal communication team can help.
Identify advocates.
No single person can implement a security awareness program. Advocates can help motivate adoption of security best practices. They can come from a diverse group including executives, technical staff and other workers.
How the Coronavirus Pandemic Affects Security Awareness
The COVID-19 pandemic has had an effect on security awareness that will last beyond the emergency stage. You might be among the many who have to consider how to implement a remote security initiative with a significant part of your workforce working from home or public areas.
Employees will need guidance on how to secure their home Wi-Fi networks. Additionally, they will need to know how to mitigate risk when using networks in public places. They might also be contending with family or guests in their work environment, requiring specific guidance on how others might affect the security of their work.
SANS recommends creating a community or forum for asking questions and reporting incidents. This may be particularly useful when the on-site and remote populations shift in response to pandemics or other emergencies.
Additional areas of increased concern in the pandemic era include:
- Secure video conferencing
- Remote device security
- Social engineering via social media and apps
Tips for Implementation
- Sufficient staffing is key to successful implementation.
- Research has shown that programs with more full-time staff dedicated to security awareness tend to reach higher levels of maturity and success.
- Leadership support is also critical to successful implementation. Advocacy is even better.
- Because security awareness is essentially an issue of change management, leaders must be visible at the forefront of the cultural shift. SANS recommends dedicating at least four hours each month to collecting data on your awareness program’s impact and communicating it to your leadership.
How Can I Audit Our Company for Security Training Effectiveness?
Any audit of your security training should be built from an initial benchmark of awareness and competence levels as described above. SANS publishes a similar five-stage Security Awareness Maturity Model whose final stage adds a further criterion: a robust metrics framework.
Duties like assessments can be done in collaboration with other departments, or outsourced to marketing or research agencies.
Because communication is integral to your security awareness program, any related internal audit results should be shared with appropriate parties. A streamlined process for real-time reporting enables ongoing communication about your program and its impacts.
Software Support for Security Awareness
Knowing security awareness is an ongoing need, how can you be sure you’re keeping your organization safe and staying compliant? Any tool you choose to help manage your security awareness program will be most effective and valuable if it helps you do things like:
- Automate critical processes
- Quickly pull real-time compliance reports
- Get a clear picture of risk across frameworks
- Align security awareness with business objectives
- Increase visibility to address gaps and respond to incidents
The Zen GRC platform performs all these tasks in support of your security awareness program. Automation leaves you free to implement and monitor security awareness training while eliminating compliance worries. Most importantly, it enhances your ability to understand and communicate your organization’s security status, and use a data-driven approach to constantly improve your security program.