A solid security awareness training program will drive cybersecurity awareness and instill the importance of protecting an organization and of proper cyber hygiene. If implemented correctly, these programs can be crucial in preventing human error and insider threats, and can help employees understand the role they play in combatting cyberattacks.
In fact, Mimecast research indicates that more than 90% of security breaches involve some degree of human error. A number of studies have found that employees who receive consistent cybersecurity awareness training are five times more likely to spot and avoid clicking on malicious links.
Below, cybersecurity leaders discuss the benefits of implementing a security awareness program that drives change and builds a security-minded culture.
1. Teaches Valuable Security Practices
Sounil Yu, Chief Information Security Officer (CISO) at JupiterOne:
“Cybersecurity training that fits today’s mode of consumption is more engaging. At the present time, that mode is short video clips that draw you into a story that teaches you valuable security principles along the way. In addition, security training needs to be appropriate to the skill level of the individual to whom the training is being delivered. Most security awareness training assumes that everyone is operating at the same skill level. This wouldn’t be acceptable for most other disciplines; however, this seems to be the norm for security training.”
2. Improves Cyber Resiliency
Patrick Harr, Chief Executive Officer (CEO) at SlashNext:
“Cybersecurity training is an important component of good cyber resiliency. While sophisticated phishing, coming from a trusted service, is very hard for humans to identify, training that serves to enhance users’ analytical skills is critical for phishing that makes it through security defenses. A good training program, combined with AI-powered behavioral learning technology, is the right combination needed to stop phishing from impacting your organization.”
3. Mitigates Data Breaches
Darryl MacLeod, vCISO at LARES Consulting:
“For businesses, investing in online cybersecurity training can help to ensure that their employees are up-to-date on the latest threats and trends. This can help to reduce the risk of a data breach or other cyberattacks. For individual IT professionals, online security training can help them to stay ahead of the curve and keep their skills sharp without the need to travel. Many online training centers also offer certification programs that can help IT professionals to stand out from the crowd.
One emerging trend I’ve seen is the use of gamification in security training. Games can be a fun and engaging way to learn about complex topics like cybersecurity. By incorporating game mechanics into security training, learners can develop the skills they need to succeed in the industry.”
4. Layers Best Practices
Bud Broomhead, CEO at Viakoo:
“Security awareness training is a great starting point; however, organizations should build upon it, especially for situations that are unique to them. For example, organizations with IoT devices will need to pay special attention to keeping them on separate networks and keeping their firmware up-to-date with the latest security fixes. In addition to training, organizations of all sizes should have a process to test or audit employees to make sure the security training can be carried through in the actions employees take.”
5. Improves Cybersecurity Posture
Mika Aalto, Co-Founder and CEO at Hoxhunt:
“Taking a risk-based approach to cybersecurity is the best way to sustainably improve your posture against attacks. More than 82% of data breaches contain the human element, mostly email, and yet security awareness and phishing training programs are outdated, compliance-based, and typically constitute only three percent of awareness budgets. Because most attacks start with people, security and risk management strategy must as well. Install the training, processes, and technologies necessary for catching the sophisticated attacks that technical perimeters will always miss, no matter how much money is poured into them.
Automation, adaptive learning, and artificial intelligence/machine learning can help deliver personalized training at scale. Why is that important? Because people need to participate frequently with relevant training that stays at the edge of their skill level in order to improve and stay engaged. A long, dry video followed by a punishment-based phishing simulation has been proven not to work. Fixating on failure leads to failure. Rewarding people as they acquire skills in a dynamic learning environment confers measurable improvement. This approach broadly describes gamification, whose demonstrated success is grounded in established principles of behavioral science and business and will be key to protecting organizations of all sizes in the year ahead.”