What is security awareness training?

What is security awareness training and why is it important?

As organizations embrace technology more deeply in the age of hybrid work environments and cloud computing work platforms, employees face more security threats, such as phishing expeditions, business email compromise, ransomware and different types of malware attacks.

There isn’t an organization that’s immune to online attacks. As stated in the 2018 Malwarebytes, the year of the data breach blog, the list of companies hacked by cybercriminals reads like a list of the most renowned tech companies, retailers, and hospitality providers.

However, many of these companies have the resources to recover from a cybersecurity attack, despite the hit to reputation, business relationships, and resources. But what about small to medium-sized businesses?

News of a small to medium-sized organization closing permanently after a data breach, ransomware strike, or some other form of online attack regularly makes the headlines. In fact, as stated in our small business ransomware protection guide, most small businesses shut down within six months of a cyber attack.

It’s not surprising that a significant portion of these attacks occur due to employee error. It’s often easier for a threat actor to manipulate human behavior with a phishing email than rely on hacking tools because most employees aren’t trained to manage attacks. And with the rise of AI chatbots, scammers can design compelling phishing emails even if writing isn’t their strongest suit.

Good security awareness training can create an essential first cybersecurity barrier around your organization. In modern organizations, every employee at every endpoint is like a doorway to the company. Cybersecurity awareness training alongside tools like Endpoint Detection and Response mechanisms helps keep these doorways secure.

Read this in-depth guide for more on:

1. What is security awareness training?
2. Benefits of security awareness training.
3. What topics should be included in security education and training?

What is security awareness training?

Security awareness training is the process of educating people about the different kinds of cybersecurity threats that impact accounts, devices, systems, and networks, and how to manage them. Organizations invest in security awareness training to mitigate the risk of data breaches, identity theft, industrial espionage, sabotage, and financial crimes. Security awareness training also helps companies stay compliant with privacy laws.

There are many different ways to deliver security awareness training, such as seminars by security consultants, online courses, interactive quizzes, and attack simulations. Professionals in organizations who benefit from security awareness training include entry-level employees, accounting and HR departments, and executives. But security awareness training is also beneficial for sole proprietors, freelancers, and anyone else who values online privacy.

Why is security awareness training important?

So, why is security awareness training important? It all boils down to two factors: cost and employees. According to the Cost of a data breach 2022 report by IBM, the average cost of a data breach in the United States is as high as $9.44M. The global average cost is $4.35M. With a significant number of data breaches resulting from human error, security awareness training is a cost-effective way to meaningfully harden your defenses and protect intellectual property, personally identifiable information, account passwords, and other sensitive data.

In addition to teaching people how to manage online threats, training helps develop a company culture where employees take responsibility for their actions. Security training reduces the risk of cybersecurity breaches impacting productivity, reputation, and relationships, and hence helps maintain company morale and culture.

Finally, security awareness training can help organizations stay compliant with privacy regulations. Laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and the General Data Protection Regulation (GDPR) regulate how organizations manage data.

Benefits of security awareness training

1. Literacy: Training develops the right culture of responsibility.
2. Defense: With threats growing more varied and sophisticated, security awareness training can help prevent data breaches, phishing attacks, and malware infections.
3. Confidence: Employees are more likely to feel confident managing emails and devices with cybersecurity training. Business partners and clients are more likely to trust an organization that reduces its attack surface by investing in training.
4. Compliance: Cybersecurity awareness training helps an organization stay compliant with regulations.
5. Operations: With security awareness training mitigating the risk of an attack, organizations have less downtime and can stay focused on output that generates revenue.
6. sp;     Cost savings: Investing in cybersecurity training may help an organization avoid costs down the road, such as recovery. Additionally, organizations facing a shortage in skilled IT staff can reduce pressure on their security teams by rolling out security awareness programs.

How to execute a successful awareness training program that resonates and educates

Educating employees who lack interest in cybersecurity and already have full workloads isn’t a straightforward task. Designing a security awareness training program that resonates with employees is essential. Here are some steps that can help execute an effective security training program:

Customize the program to make it relevant to the roles, responsibilities, and industries of your employees. For example, instead of a generic program for hospital staff, train them in scenarios that real healthcare professionals experience.

1. Ensure that the program is engaging and interactive by including puzzles and quizzes.
2. The material should be thorough but easy to understand.
3. Your program should survey employees to gauge its efficacy.
4. Update the program so it's relevant. For example, rather than viruses, your employees should be concerned about phishing attacks and ransomware.
5. Mix it up by utilizing multiple formats like webinars and in-person sessions.
6. Ensure that every step of your organization is involved in training, from grassroots employees to senior executives.
7. Run tests to challenge employees, engage with them, and identify weak links. A phishing test simulation is an excellent tool for evaluating knowledge.
8. Training doesn’t end after one session. Awareness programs must be varied, updated, and ongoing to keep your staff sharp.
9. sp;     Security awareness training should be mandatory throughout the organization. Not only does mandatory training ensure that everyone is up to date, but it shows that your company is serious about cybersecurity.

For some professional insights, please read Making better cybersecurity training: Q&A with Malwarebytes expert Kelsey Prichard on Malwarebytes Labs.

Main areas in security awareness training: Security awareness training topics to cover

Web [H3]

There are several threats on the web that can compromise security like unsafe websites, infected downloads, and malware. Organizations with loose BYOD policies may be more susceptible to malicious elements on the web. Employees should always arm their devices with antivirus software and browser security extensions. They should also steer clear of websites that:

2. Don’t have secure connections via HTTPS.
3. Spoof URLs to appear legitimate.
4. Exhibit signs of being compromised.
5. Unnecessarily demand private information.
6. Manipulate visitors with threats, warnings, or unrealistic offers.
7. Launch from unsolicited links.
8. Use malvertising or drive-by downloads.

Email [H3]

Attackers can deliver malware and scam messages through email. They can also use a compromised email account to initiate the following types of attacks:

4. Ransomware
5. Business email compromise (BEC)
6. Spear-phishing
7. Whaling
8. And more

Staff should be trained to spot social engineering attacks on emails. They must learn to handle potentially malicious attachments. And they must know how email spoofing attacks work.

Phishing

Phishing is a commonly used attack vector against organizations. Phishing messages appear legitimate but are fraudulent and designed to induce victims into making cybersecurity mistakes, such as opening an unsafe link or revealing a password to a company account. Security awareness training, which includes anti-phishing testing exercises, can educate employees about these attacks.

Passwords and password management

With hackers using brute force attacks to break weak passwords in seconds, organizations must set strong password policies as part of cybersecurity awareness training for employees. Every member of an organization must learn how to create a strong password during the security education training and awareness program. They should also be encouraged to change passwords regularly. After all, even the most complex password is useless if it’s stolen. Of course, a good manager for passwords can help them maintain their login credentials.

Insider threats

Good security training can help defend an organization from insider threats, such as industrial spies, state-sponsored agents, malicious contractors, or employees who are unintentionally causing harm. Insider threats can be responsible for supply chain attacks, intellectual property threats, data breaches, or malware attacks.

Members of an organization can be taught to identify the signs of an insider threat, such as suspicious activity, and how to report the threat safely and privately. Security teams should be trained to limit access to confidential data and systems and monitor networks for unusual activity. 

Social engineering

Attackers are using psychology to gain sensitive information or access company systems. However, they can be stopped with security awareness education that focuses on common social engineering tactics.

Here are some examples:

3. Phishing: Emails designed to gain usernames, passwords, and other sensitive information.
4. Spear-phishing: Phishing attacks that target a specific person or a group, like the accounting desk.
5. Whaling: Phishing attacks that target executives like CEOs.
6. Smishing: Phishing messages that utilize SMS (Short Message Service) as an attack vector.
7. Vishing: Scam phone calls.
8. Water holing: What is a watering hole attack? It’s a website compromised by hackers to attack specific targets.
9. Baiting: Attacks that bait victims with a thumb drive or a link to a software upgrade.
10. Tailgating: When threat actors gain unauthorized physical access to an organization by following an authorized party through a secure entry.
11. Pretexting: Elaborate scams where attackers create fictional scenarios to gain a victim’s confidence.
12. Honeytrap: A type of pretexting attack where an attacker pretends to be a romantic interest.

Mobile

Modern mobile devices are no longer simple machines that can only make phone calls or send text messages. A smartphone is a highly sophisticated device that can exchange emails, browse the Internet, take pictures, record sound, and download files.

Threat actors can use an employee’s mobile device in several ways to attack an organization. For example, they can hack it with spyware to steal secrets. They can snoop on the mobile device user through an unsecured network. Or they can simply steal the device and engage in malicious activity.

Cybersecurity awareness training for employees with mobile devices should cover:

1. Biometric security.
2. Strong PIN or passcodes.
3. Data encryption.
4. Managing lost or stolen devices.
5. Remote wipe.
6. Mobile device threat recognition.
7. Dangers of public WiFi and other unsecured networks.
8. Incident reporting.

Malware

Malware is an umbrella term for malicious software, and it can cover any threatening software, from a virus to a Trojan. Yet most people use the terms “virus” and “malware” interchangeably. Viruses are less of a threat than more sophisticated types of malware that can steal sensitive information or hijack systems.

Learning about the different kinds of malware that hackers use to attack organizations can help employees spot threats, the symptoms of an infection, and how to manage a malware attack such as ransomware, spyware, keylogger, worm, or a Trojan.

Security awareness training can also help people learn about the common malware infection vectors:

2. ZIP files.
3. RAR files.
4. Macro-enabled documents.
5. .EXE files

Such infections may be delivered via attack vectors like malicious emails, websites, links, and thumb drives.

Compliance

Training should cover security legislation. For example, employees in Canada should know about PIPEDA, while employees in Europe must know about GDPR. Learning about local compliance laws can help staff understand the finer points of privacy laws and how to handle PII. Staying compliant with regulations helps organizations avoid heavy fines, civil action, and reputational damage.

Data

In addition to helping organizations comply with data protection laws, data security training can prevent sensitive information about employees, clients, and stakeholders from leaking. In addition to learning about password security, malware, and social engineering, employees must learn about the following as part of data security training:

0. Local compliance laws.
1. Device security.
2. Physical security.
3. Network security.
4. Data management.
5. Incident response.
6. Incident reporting.
7. Data classification.
8. Secure data destruction.

Privacy

Employees must also know how to identify, manage, and protect sensitive information. They should also be trained to use cybersecurity tools that protect private information from hackers and malware. For example, remote working staff must avoid using public WiFi or sharing data over unsecured channels. In addition, they should know how to use a corporate VPN (Virtual Private Network).

So, how does a VPN work, and why should it be covered in end-user security awareness training? In layman’s terms, a VPN is a technology that establishes a private and secure connection to the Internet. Any data transmitted from an endpoint, like a remote worker’s laptop to a corporate network, is encrypted and unreadable to an eavesdropper.

CEO and wire fraud

Executives such as CEOs, CFOs, and others must never be overlooked in security awareness training. High-level targets can be manipulated in business email compromise, whaling, spear-phishing, vishing, smishing, and other types of scams. Executives should be trained to recognize threats and verify sensitive requests.

Environmental

With the focus on cybersecurity threats, organizations must not forget about localized threats like insiders, tailgating, and even baiting. Security teams must be trained to utilize CCTV cameras and ID cards to optimize security. Access control to data must be strictly set on a need-to-know basis.

Employees must never open random media such as CDs, DVDs, or thumb drives on company computers as they may carry malware. A clear chain of custody for sensitive documents must be established in the security training protocols.

Security awareness training tools and resources

There are several different types of security tools and resources an organization can utilize for awareness training. Low-cost measures include training videos, newsletters, and emails. More effective measures include modules, seminars, and simulations.

Related articles

• Malwarebytes Ransomware Review August 2022
• 5 Essential security tips for small businesses
• White paper: Malwarebytes best-informed telemetry: Unmatched threat visibility

• Gang arrested for SIM-swapping celebrities, stealing $100 million

• What is password manager?