Security, The Risk of Human Error... & a Tricky Thing Called Motivation…
Top 10 Considerations for Truly Effective Security Awareness Training
Even though 52% of breaches are attributed to human error, security awareness is still quite a new thing for many companies. Well, not that new: there are plenty of induction packs with sections on data protection responsibilities and, if you are lucky, a presentation or webinar.
However, we all know the threat environment is looming ever larger and darker; worse still, it’s constantly changing. So how do you keep your employees not only knowledgeable about the risks presented each day at their keyboards but also motivated enough to identify them and to take action?
The reality is that every organisation and its requirements are different. Whilst there are key elements, such as phishing campaigns, that should be included as standard to measure and educate security awareness, an effective strategy needs to tick additional boxes to create a true change in security behaviour.
1 Test & Benchmark
Before you commence security awareness training, find out the truth! I’m afraid you might be shocked; most companies are. Phishing programmes we have delivered for clients have commonly seen click-through rates of up to 30+%. When you consider that it can take less than 30 minutes for a threat to establish itself on your network, just one click could seriously jeopardise your security.
If the result is the kind of click-through rate a Marketing Manager would die for, you would be forgiven for thinking, ‘Well, what’s the point in testing if it’s likely that so many staff will fall for it? I know we have a problem.’ The benefits of a phishing test are not just confined to identifying problems and benchmarking for improvement. Using the results of an actual, live example which the trainees received, and which many of them clicked on, resonates with staff far more than giving generalised real-world examples, because they experienced it. It really could happen to them. Human behaviour is such that an individual never wants to jeopardise the tribe, nor do they want to be the fool.
2 Elements of Testing – It’s Not Just About Phishing!
There are certain key components to security awareness testing and training which should form part of a successful campaign, but it is their mode of delivery that makes the difference. Successful campaigns will involve personalising that message to your company. This is not about just raising click-through rates for your security company to report to you; this is exactly what the cyber criminal will do. They know that on the other side of the computer is a person who is ultimately motivated by self-interest. The most effective spear-phishing campaigns carefully target their prey and learn about them. They will create fake websites and branded emails, and they will learn the name of the manager in the purchasing department that they want to send their malware-laden ‘invoice’ to. Effective testing and training involves activating your staff’s self-interest button; coffee and gym vouchers, for example, have been popular tactics used to test employee resilience.
On a similar note, cyber criminals will exploit another human trait: trust. Consider the wider possibilities for breach, over and above email. Digital social engineering is an obvious culprit, but what about physical social engineering? Security awareness comes down not only to what information is given out over the phone but also to who is allowed into the building. How often do you check a staff badge closely, or allow someone to follow you through a secure door?
3 Timing
Consistency is the key to security awareness. Companies undertaking security awareness training once at induction will not succeed in raising levels of awareness and staff security. A message delivered once, and in the fog of a lot of other information, will be lost. The biggest brands know it: they repeat their message again and again until people at first recognise their message and then respond. Involve HR & Training and Internal Communications to enable a consistent programme of messaging and to keep the profile of security awareness high within the business. This is particularly important where there is high staff turnover and large customer support departments. The most effective programmes review and revisit their training on a regular basis.
4 Training Methods
We have already mentioned how ‘real world’ examples drive greater awareness and engagement by using results from phishing resilience tests. Again, depending on the structure of the company, different methods might be more effective, or quicker, with large numbers of people. Interactive seminars and/or computer-based training are at their best when followed up by internal marketing programmes and access to further information covering topics such as how to identify phishing, or what information not to give out over the phone. Additionally, security awareness training may need to be adjusted in line with the job role, e.g. customer services or accounts as opposed to shop floor.
5 Who Holds the Keys to the Kingdom? – Why Top-Down Training is Essential
Just who does hold the keys to your kingdom? Spear-phishing is targeted. Board Members, Senior Managers and their PAs are just as vulnerable as the sales office; in some cases, more so. Top-down training instils a security-orientated culture, benefiting not only the business but also its customers.
Next week: check back for Considerations 6-10!