
Why Companies Need Security Awareness Training and What It Should Accomplish

In the United States, the average cost of a data breach is $9.05 million. The health care industry experiences the costliest breaches at an average of $9.23 million each. These statistics, coupled with the fact that between 85 and 90% of data breaches are caused by human error, should scare any business into closing that dangerous gap. One of the easiest ways to maintain a strong posture against these growing threats is with a comprehensive security awareness training program.


What is security awareness training?

Information security awareness training is an organizational program whose goal is to empower employees to protect the company’s data through mindful security engagement. This includes understanding internet use, remote access and other compliance policies that can put the network at risk of cyber attacks. While human error is the weakest link when it comes to causing data breaches, it also offers the greatest opportunity for strengthening the company’s first line of defense.

Why employees need security awareness training

The number of devices used for personal and business communication can blur the lines of security and cause regular lapses in protocol. Additionally, the growth of remote work requires special social engineering training that addresses the need for fortifying home networks.

Back in the old days, security awareness training was a half-day PowerPoint presentation with a certificate of completion at the end. Unfortunately, that didn’t cut it then, and it’s far less effective now. Training now has to successfully take employees through the four stages of competence:

  1. Unconscious incompetence: This is a level of profound unawareness where employees don’t know what they don’t know. As a result, their behavior is far more careless than desirable.
  2. Conscious incompetence: Employees know that they don’t know something and realize they lack the tools needed to bridge the gap. This is the stage employees were sometimes left at even after they went through old-school training.
  3. Conscious competence: With access to information, employees consciously weigh their options to come to good conclusions.
  4. Unconscious competence: Pattern-based behavior creates the kind of muscle memory that lets employees know something so well they don’t have to think about it.

Level 4, unconscious competence, is the ultimate goal of security awareness training for employees. Reaching it reduces the likelihood of human error, leading to better protection.

Training topics that must be covered

For training to be effective, programs need to cover a variety of issues. Depending on a company’s objectives, these topics may include:

  • Phishing awareness: Showing employees what can happen when a phishing email is opened helps them recognize such messages in the future.
  • Vishing: Manipulation via text, chat or direct messages.
  • Insider threats: Whether it’s someone within the organization or an outsider posing as an insider, these threats can be identified with the right training.
  • Password security: In 2021, 62% of workers shared passwords via email and text message, while 57% wrote them down on sticky notes. These kinds of behaviors lead to breaches.
  • CEO/wire fraud: Impersonating CEOs is a type of spear-phishing email attack. Fraudsters use the CEO’s email account to trick employees, making it difficult to spot.
  • Data in motion: There are many instances when employees may send company documents to a home email account or copy others via email when they shouldn’t.
  • Office hygiene: Keeping proprietary information in an open location or failing to lock a console when away are examples of security risks that need to be addressed.

Security isn’t just about protecting your business. It’s also about being vigilant about keeping your connection with customers, buyers and partners secure through regulatory frameworks such as HIPAA, SOC 2 and PCI DSS.

Developing your security awareness training program

Despite the best efforts, some security awareness training programs failed because they weren’t properly planned and wound up costing more than expected. This may cause executives and managers to withdraw their support or throw up barriers against the training. In other cases, the modules were too narrow or too broad in scope, with predictable tests that failed to reflect real, modern threats. A lack of engagement from employees who don’t feel motivated to follow through with the training is another concern.

When developing your training program, the objective is to make the process effective and as fun as possible. This involves not just relying on structured training, but also using videos and games as well as email content.

To create an effective program, a good ratio to remember is 70/20/10:

  • 70% experiential means that employees are learning about workforce security on the job and within the culture. They get to see how awareness works in real life.
  • 20% informal learning means watching videos and utilizing collaboration. This is about providing information employees will need when they’re looking for it.
  • 10% formal is the structured learning available through live or LMS training courses.

Having employees glued to their seats for half a day is ineffective. Training programs built from smaller, more digestible chunks, which take advantage of the fact that humans respond well to storytelling and repetition, are considered a better, more effective investment.

5 key components of a successful security awareness training program

Your company can expand its information security awareness training to fight the onslaught of malware and ransomware attacks, which appear to be on the rise. Whether you choose to create a program in-house or hire a vendor, these are the components to look for:

  1. Short and continuous: Programs need to package learning in modules that are under 10 minutes in length. Employees can interact with the course daily or weekly, but it’s those short continuous doses of learning that keep them engaged and updated.
  2. Real-world testing: Because security is constantly evolving, programs need to be tested periodically with real-world scenarios to keep them fresh and relevant. Training that’s updated quarterly or semiannually ensures that knowledge is up-to-date.
  3. Predictive scoring: As employees go through their testing scenarios, it’s a good idea to integrate risk scoring. Not only will this provide a look at how the company is doing overall, it will also tell managers which employees may need additional training or one-on-one coaching.
  4. Individually focused: One-size-fits-all doesn’t apply here. Some employees need extra or more direct attention because of behaviors identified by the tests. A successful training program is customizable and focused on the individual so the weakest links can be identified and fixed.
  5. Make sure it’s entertaining: Entertaining training programs engage the emotions and create a favorable environment for better information absorption. It’s easier to remember content that’s light and funny than something that’s dry.

Dealing with management objections and pushback

Implementing a training program may incur some management pushback for any number of reasons, and dealing with those objections requires patience, persistence and strategy.

  • Understand their reasoning: As important as security awareness training is to the company’s well-being, there may be individuals in upper management who don’t care about security in the same way. Find out what results they’re looking for and use their context to frame your argument.
  • Prioritize contextual communication: When presenting data to managers and executives, it’s best to be explicit about the numbers so nothing is left open to interpretation. All of your statistics and charts need to firmly support your story and if they have any questions, make sure you can show the clear connection between the program and metrics, such as employee productivity and increased resiliency.
  • Use SMARTER Goals: SMARTER stands for specific, measurable, actionable, risky, timely, exciting and relevant. Provide security goals by comparing them to a baseline. This will help managers and executives see how the training program plan is measuring up.

To get more support, do some research on how competitors are investing in their security awareness training and weave that data into your presentation to drive your points home.

Measuring the effectiveness of security awareness training for employees

As you implement training, it’s important to assess how effective it is and adjust it accordingly to yield better results.

A good security training program causes a profound shift in awareness that leads to changes in behavior and an overall shift in the culture. You’ll want to see if the culture and behavior have improved through increased awareness. This involves measuring how people behave in the presence of attacks and their level of confidence in their abilities.

Awareness can be measured throughout the training program via quizzes and other assessment tools. Behavior changes can be assessed through attack simulations and spot checks combined with incentives. Cultural changes are harder to quantify, but feedback, analysis and surveys taken over time will provide insight into potential micro shifts.

The idea is to use these programs to fuel continuous improvement by collecting data from the first day and comparing it against successive baselines. Programs infused with machine learning and AI may be more effective at taking these measurements, which may give you more food for thought on the type of program you want to implement.
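The "predictive scoring" component above and the measurement approach in this section both come down to turning simulation results into numbers: a per-employee risk score that flags who needs coaching, and an organization-level metric tracked against a baseline. The following Python script is an added example written for this page; it is not code from the article or from any training vendor. The simulation records, the severity weights for each outcome, the 91-day half-life and the 0.4 coaching threshold are all constructed assumptions chosen to keep the arithmetic easy to follow.

```python
"""Scoring helpers for phishing-simulation results (hypothetical example)."""
from collections import defaultdict
from datetime import date

# Constructed sample data: one record per employee per simulated campaign.
# "reported" is the desired outcome; "submitted" means credentials were entered.
SIMULATION_RESULTS = [
    {"employee": "alice", "campaign": "2024-01-15", "action": "reported"},
    {"employee": "bob",   "campaign": "2024-01-15", "action": "submitted"},
    {"employee": "carol", "campaign": "2024-01-15", "action": "clicked"},
    {"employee": "alice", "campaign": "2024-04-15", "action": "reported"},
    {"employee": "bob",   "campaign": "2024-04-15", "action": "clicked"},
    {"employee": "carol", "campaign": "2024-04-15", "action": "reported"},
    {"employee": "alice", "campaign": "2024-07-15", "action": "reported"},
    {"employee": "bob",   "campaign": "2024-07-15", "action": "ignored"},
    {"employee": "carol", "campaign": "2024-07-15", "action": "reported"},
]
AS_OF = "2024-07-15"  # date the report is generated (constructed)

# Severity of each outcome; the scale itself is an assumption of this example.
ACTION_WEIGHTS = {"reported": 0.0, "ignored": 1.0, "clicked": 3.0, "submitted": 5.0}
MAX_WEIGHT = max(ACTION_WEIGHTS.values())


def recency_weight(campaign_day: str, as_of: str, half_life_days: int) -> float:
    """Exponential decay so that recent behaviour counts more than old behaviour."""
    age = (date.fromisoformat(as_of) - date.fromisoformat(campaign_day)).days
    return 0.5 ** (age / half_life_days)


def employee_risk_scores(results, as_of=AS_OF, half_life_days=91):
    """Per-employee score in [0, 1]: recency-weighted severity divided by the worst case."""
    weighted = defaultdict(float)
    possible = defaultdict(float)
    for r in results:
        w = recency_weight(r["campaign"], as_of, half_life_days)
        weighted[r["employee"]] += w * ACTION_WEIGHTS[r["action"]]
        possible[r["employee"]] += w * MAX_WEIGHT
    return {e: weighted[e] / possible[e] for e in weighted}


def needs_coaching(scores, threshold=0.4):
    """Employees whose score meets the threshold: candidates for one-on-one follow-up."""
    return sorted(e for e, s in scores.items() if s >= threshold)


def campaign_click_rates(results):
    """Org-level metric per campaign: fraction who clicked or submitted credentials."""
    clicked = defaultdict(int)
    total = defaultdict(int)
    for r in results:
        total[r["campaign"]] += 1
        if r["action"] in ("clicked", "submitted"):
            clicked[r["campaign"]] += 1
    return {c: clicked[c] / total[c] for c in sorted(total)}


def improvement_vs_baseline(rates):
    """Relative reduction in click rate from the first campaign (baseline) to the latest."""
    ordered = [rates[c] for c in sorted(rates)]
    baseline, latest = ordered[0], ordered[-1]
    if baseline == 0:
        return 0.0
    return (baseline - latest) / baseline


if __name__ == "__main__":
    scores = employee_risk_scores(SIMULATION_RESULTS)
    rates = campaign_click_rates(SIMULATION_RESULTS)
    for emp, score in sorted(scores.items()):
        print(f"{emp:<8} risk={score:.2f}")
    print("coaching:", needs_coaching(scores))
    for campaign, rate in rates.items():
        print(f"{campaign} click rate={rate:.0%}")
    print(f"improvement vs baseline: {improvement_vs_baseline(rates):.0%}")
```

Two design choices matter here. The decay half-life means an employee who submitted credentials in January but reported the last two simulations is scored mainly on recent behaviour, which is what the "conscious competence" stage above is meant to produce. And the organization-level click rate is compared with the first campaign rather than with an absolute target, so the report shows improvement against your own baseline, which is the comparison the SMARTER-goals bullet asks for.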

Some industries are subject to state and federal requirements for cyber security training. It’s wise to review any regulations that may pertain to your business to ensure your security awareness training program meets the requirements.



*Indeed provides this information as a courtesy to users of this site. Please note that we are not your recruiting or legal advisor, we are not responsible for the content of your job descriptions, and none of the information provided herein guarantees performance.
