Try for Free
Demo Centre
Micke Ahola

Micke Ahola

Follow:

The 2020 Guide to Security Awareness Training

Security awareness training is essential for mitigating human error - the cause behind most cyber breaches faced by businesses. Read our guide to learn how to perform training for your end users, what topics to include, and how to ensure training is truly effective in improving security outcomes.

This blog is a condensed version of our Complete Guide to Security Awareness Training, available for download in our Resource Centre.

Contents

1. What is security awareness training?

2. Can't technical solutions stop breaches?

3. How to address human error?

4. What's the best format for security awareness training?

5. How to make security awareness training truly effective?

6. What topics should security awareness training cover?

7. Why training has to be part of a security culture

8. Securing your business from the human cyber threat in 2020

What is security awareness training?

Security awareness training is the education of end users on security principles and best practice. It is essential that any user with access to your organisation's computers, devices, systems or data has an understanding of security concepts, as any user can potentially create an unintended breach or allow unauthorised access to occur if they don't know how to appropriately protect your business.

SAT 2020 CTA Blog Image

Get the complete guide

Download the full usecure 2020 guide to security awareness training now, and read it at your convenience. Enter your work email address below to access your PDF copy.

Can't technical solutions stop breaches?

Anti-malware and breach detection software are an important part of the security toolkit. Multi-factor authentication and password managers play an important role in reducing the chance for human error. The facts, however, remain the same: as long as your end users have access to your company's systems, devices and data, they can expose them through accident or social engineering no matter how many technical solutions you have in place. If a cyber criminal dupes your employees into giving up their passwords or making payments into the wrong bank account, there's nothing that antivirus can do to stop it. 

How to address human error?

Mitigating human error has to be at the core of your security strategy, but it is important that you address it in an effective way. Let's first take a look at what causes human error in the first place. 

Two factors have to be present in order for human error to manifest: opportunity and decision. Opportunity means that there is a situation where a human is allowed to make a mistake: for example, letting end users handle software updates rather than forcing security updates through with patch management. Decision is the action of the individual: in this case, the lack of action in installing security updates when they are available. 

A comprehensive mitigation effort includes both reducing the opportunity for error as well as improving the decisions made on the part of the end users. Taking action in both areas is essential to ensure that human error is thoroughly addressed. In the case of patching, for example, a technical measure such as introducing patch management may reduce the opportunity for human error to a minimum in most cases - but it is still essential to account for situations where the technical solutions has a temporary lapse, or if a new situation such as a BYOD policy where users are allowed to use their own devices without patch management is introduced. In other cases, such as with phishing emails, technical measures such as spam filters and breach detection software have a very limited effect in reducing opportunity for error when faced with a targeted attack. In those cases, the only effective way to mitigate human error is by using security awareness training to help your users make better decisions.

What’s the best format for security awareness training?

Security awareness training isn’t all one and the same. The way in which training is performed, structured and presented will have a major effect on its effectiveness in genuinely improving security outcomes in your organisation. In this section, we’ll take a look at what exactly is the best way to perform security awareness training for your end users.

Why old-school training failed

Security awareness training used to mean making end users sit through an annual sessions consisting of hours of lectures and slideshows. The idea was that users would remember something of what they saw and heard - and in the worst case scenario at least the box for ‘educating users’ could be ticked. How did it far in actually improving security outcomes though? It didn’t work, and everyone hated it. 

There are a number of reasons why this type of annual lecture-based training isn’t effective. The first of these is that in an annual training session, there will simply be too much information at once for any employee to digest and remember. Even if users are given learning material to take with them or are sent occasional reminders, chances are that most of the material in the training session will go in through one ear and out the other, and forgotten in mere moments.

Lectures and slideshows are not entertaining or engaging formats for end users to learn from. They fail to raise the interest of employees in the same way that video and interactive content do, and too often are filled with unnecessary information that isn’t relevant to every end user. Slides filled to the brim with small text are sure to make any employee fall asleep halfway through the session.

The final, major reason why traditional training isn’t effective is that it doesn’t make use of learning through repetition. If there is a year between learning sessions, users simply won’t remember what they’ve learned - and awareness of security issues in general will plummet in the days and weeks after training. Security can’t be a one-time thing, but must be year round in order to be effective.

Security awareness training has increasingly shifted to online software-as-a-service solutions. Cloud-based training offers some immediate benefits over traditional methods, but isn’t necessarily the ultimate answer to security awareness unless it delivers in certain areas that are essential for genuinely improving security outcomes.

SAT 2020 CTA Blog Image

Get the complete guide

Download the full usecure 2020 guide to security awareness training now, and read it at your convenience. Enter your work email address below to access your PDF copy.

How to make training truly effective

Having a truly effective security awareness training program is possible - but there are some important criteria you need to follow to genuinely engage your users. 

Breaking down material

There is a limited amount of information that a person can absorb at a time. This is especially true when it deals with topics that most employees won’t have much previous knowledge on. In order for the amount of learning material to not overwhelm end users, it has to be appropriately broken down into segments, each with their own clear, simple message that’s presented to users in an easily-digestible fashion. 

Continuous learning

Another benefit of breaking down learning material is that it allows learning to easily be made continuous, rather than a one-time thing. Breaking down learning into parts allows these sections to be sent out regularly throughout the year, helping keep security awareness consistently on the minds of end users. As repetition is key to learning, this is crucial for ensuring that users actually remember what they’ve been taught. 

Relevant material

Ensuring that learning content is relevant to end users is essential for making sure they stay engaged. When an end user is presented with information that they feel is not relevant to them, they will quickly start losing interest and paying less attention. Learning material needs to not only avoid jargon and technical terms, but be made with real-life situations in mind that the average end user would actually encounter in their day-to-day working life. For example, most employees don’t need to know the specifics of regulations or malware attacks, but simply how to conduct themselves in a manner that reduces those risks - and how to appropriately report risks that they may encounter.

Practical advice

It’s all good and well teaching employees about the risks out there and how they can be countered - but what’s essential is that employees walk away from training with actual steps in mind that they can put to use right away in their daily work activities. Giving employees the chance to put their training to test right away also helps build memory - and can be achieved using tools such as phishing simulation. 

Video and interactive content

Not all content is the same. Text-based content becomes tiresome to users quickly, and should only be used when complemented by visual, more engaging content. Videos are great for keeping users entertained - as long as they are high-quality and enjoyable to watch. Humour can be used to great effect to make security awareness videos more appealing to end users. Interactive content is also great for engaging users. Many people learn by doing - answering questions or otherwise taking part in their learning - and interactive content can also give users a sense of achievement for getting through a course.

Questions and testing

It’s essential that after training sessions users are tested on what they’ve learned. This helps you know that users have learned key points and are walking away having learned something - but also helps the learning process of users as they recollect the information they have just learned from their own memory.

A part of a security culture

The most essential part of a security awareness training programme’s effectiveness, however, has as much to do with factors outside the training as the training itself. In order for training to be effective, it has to be a part of a security culture where security is always given the consideration it needs, and users are actively encouraged to bring up concerns and ask questions. A good security awareness programme contributes to this by presenting security as something that is continuous and active, rather than one-time and passive - but it is essential that the organisation supports this effort outside training as well. 

What topics should security awareness training include?

It's important that all end users are educated in the core security topics. Depending on the job duties of end users they may also require or benefit from training in additional topics, or a more advanced training in the core topics. For example, an employee working with payment card details will require PCI DSS training, whereas an employee who regularly goes on business trips will benefit from additional public Wi-Fi and mobile device training. 

The core security awareness training topics are:

  1. Internet & Email Use
  2. Removable Media
  3. Passwords & Authentication
  4. Physical Security
  5. Mobile Device Security
  6. Working Remotely
  7. Public Wi-Fi
  8. Cloud Security
  9. Social Media Use
  10. Phishing
  11. Social engineering
  12. Security at Home

Why training has to become part of a security culture

Security awareness training will not be effective in improving security outcomes if it is not accompanied by cultural change. Comprehensive training will teach end users how to recognise situations where security is at risk and how to deal with them appropriately - but this knowledge is not going to be put into practice unless the user feels that security is valued in their culture.

With the growing number of threats present, as well as the increasing complexity of business services and access to data and systems from mobile devices, it is impossible to know where the next threat or accidental leak to your business might appear. This is why security shouldn’t be about ensuring that your end users choose strong passwords or follow other specific steps - but rather about empowering them to be active guardians of your business, its systems, devices and data.

SAT 2020 CTA Blog Image

Get the complete guide

Download the full usecure 2020 guide to security awareness training now, and read it at your convenience. Enter your work email address below to access your PDF copy.

Securing your business from the human cyber threat in 2020

In 2020, the organisations that will most effectively overcome the cyber threat are those that help to ensure their employees care - about the business, the customers, and protecting data and systems. 

Security awareness training works when end users are truly engaged. This requires learning material to be truly relevant to the day-to-day working lives of your employees, providing practical advice they can take with them right away, as well as using video- and interactive content to help users stay interested and convey information in an enjoyable format.

Security awareness training isn’t a silver bullet. It works best in compliment with solutions that reduce the opportunity for human error in the first place. These measures should form a part of a security culture, where security considerations are always given due consideration. Business decisions shouldn’t be made only for security implications to be considered afterwards - but security should form a part of decision-making in the first place.

Read next