The Importance of Security Awareness Training
By Lori D’Errico, Technical Infrastructure and IS Security Manager, Beacon Mutual Insurance Company (Rhode Island)
Computer security and the required protections have almost always been considered the Information Systems department’s responsibility. Components of a good security defense include antivirus software, firewalls, anti-spyware programs, complex passwords, and intrusion detection, as well as many other measures. Implementing these hardware and software solutions to protect the company’s assets and its employees has typically been thought of as the best method for ensuring that a company’s data remains secure and safe from hacktivists and cyber-criminals. It is only recently that most companies have begun addressing the bigger concern for the protection of their assets: their employees.
Computer security protections will always be required, but implementing security awareness training to educate employees on what to look out for, what to be aware of, and how to respond is equally important. At this point, it is safe to bet that most companies have experienced an attack or heard about a scam in which W-2 data or other confidential information was provided to a criminal by a well-intentioned employee. These attacks are carried out through phishing emails. Such emails are designed to look legitimate, and without proper training in what to look for, an employee could easily click on a link or open an attachment without knowing that, behind the scenes, that act initiated a compromise of the company’s computer and possibly its network. These phishing attacks are very sophisticated and can be designed to target specific individuals within a company. Hardware and software security implementations alone will not protect a company from an employee unintentionally sharing confidential information. To address this type of threat, education and awareness are essential.
Employees need to be provided with cybersecurity training so they know what is expected of them, and then tested to ensure such training is effective. The bonus to employees is that this training will apply outside of work; the same phishing attacks targeting the workplace are also targeting consumers. The attacks are ever increasing, and educating employees is a good line of defense that will lead to a well-informed workforce.
Security awareness training should be ongoing, to educate employees and keep the company’s information security policy in the forefront of their day-to-day work. If the security program performs training only once a year, it will not address new threats. Performing periodic training and testing will keep computer security in focus and help employees stay aware of changes in the security threat landscape. In the last 10 years, microlearning (the practice of delivering small bits of learning content over short periods of time) has become one of the most effective methods of training employees. The content is more likely to be retained, and the time requirements have minimal impact on the individuals’ required work. More companies are providing this method of cybersecurity training, in which an employee is educated about a threat and then tested to see if they can apply what they learned.
Companies can choose to perform the training themselves or use a vendor experienced in security awareness training. A company’s investment in security awareness training can only help to strengthen its security posture.