As a security leader, you understand the importance of security awareness training for your employees, but sometimes an organisation so completely lacks any awareness training that it is difficult to pinpoint where to start, especially if you are new to the role or the organisation.
With Cyber Security Month 2023 around the corner, we wanted to discuss what basic security awareness training entails and which cyber threats and risks you need to include in a rudimentary program to create a strong foundation to build on.
One of the most important aspects of security awareness training is teaching employees how to protect their identity, both in the workplace and personally. This includes principles like not sharing personal information online, managing their digital footprint carefully, using strong passwords to keep professional accounts secure, and being mindful of phishing scams, which have boomed in recent years. Consumers worldwide lost $8.8 billion to identity theft in 2022 (DataProt), and Global Newswire reports that 86% of consumers worldwide have been victims of online identity theft. One way to protect your identity is to use two-factor authentication (2FA) wherever possible, which requires you to provide two forms of identification (such as a password and a fingerprint) to access an account.
Another important aspect of security awareness training is teaching employees how to protect sensitive information. This includes not leaving sensitive documents out in the open (clear desk, clear screen), using encryption when sending sensitive information both internally and externally, being mindful of who they share information with, and following data classification protocols so that confidential data never reaches unverified individuals. 41.6M accounts were leaked in the first quarter of 2023 (Surfshark).
Phishing is the most common form of cyber crime, with several reports estimating that 3.4 billion malicious emails are sent every day (IT Governance). Phishing scams were already common, but technology such as deepfaked voices and copy generated by AI (Artificial Intelligence) language models has supercharged this cyber threat. In fact, Verizon's 2023 DBIR (Data Breach Investigations Report) found that 36% of all data breaches involved phishing. As a result, modern phishing campaigns can be exceedingly difficult to spot. That is why it is important to train employees on how to recognise phishing emails and how to respond to them. You can do this with targeted and engaging phishing-based games and simulations that allow employees to test their knowledge in a controlled environment, without the fear of reputational or financial damage to themselves or their organisation.
Passwords are the first line of defence against unauthorised access to sensitive information. That is why it is important to train employees on how to create strong passwords and how to use multi-factor authentication (MFA) to further protect their accounts. Because many employees are digital natives, and the rest use passwords in their personal lives daily, password behaviours in the workplace can be lax or uninformed. For instance, 1 in 4 internet users save their passwords in their web browser, nearly 70% of individuals say they would share their password with a spouse or partner, and on average individuals reuse passwords across 10 of their personal accounts (Norton). It is, therefore, your duty as a security leader to keep strong password security and management front of mind for employees on a consistent basis. Why? LastPass data reveals that after receiving some type of cyber security education, 31% of people stopped reusing the same password (LastPass, 2022).
Ransomware is a type of malware that encrypts your files and demands payment in exchange for a decryption key. We have seen a ransomware resurgence in early 2023, with the number of victims in March (410) nearly double that of last April (208) and 1.6 times higher than the peak month in 2022 (Security Magazine). It is important to train employees on how to detect and respond to ransomware attacks, including how to back up their files regularly, how to quickly and correctly report ransomware infections, and what methods cyber attackers use to drop ransomware into otherwise secure networks.
Detailed analysis by the team at Kepios shows that, as of April 2023, there were 4.80 billion social media users around the world, equating to 59.9% of the total global population. Furthermore, 50% of social media users keep their profiles open and public (VPN Central), which exposes many social media profiles to data scraping. Social media can be a great tool for business, but if not used properly it can also be a security risk to your digital footprint and identity. That is why it is important to train employees on how to use social media safely, including not sharing sensitive information, being mindful of who they connect with, and using privacy settings.
Finally, it is important to train employees on the risks associated with the supply chain and third-party vendors. 2023 is set to be a record-breaking year, with software supply chain attacks having already increased by 742% between 2019 and 2022 (Sonatype). The challenge is pervasive enough that Gartner predicts that by 2025, 45% of organisations will have experienced attacks on their software supply chains. You must make sure vendors and suppliers have adequate security measures and protocols in place, and vet new suppliers before doing business with them. This may include running a security induction training program for third-party vendors, so that they operate at the same security baseline as internal employees.
In addition to these key topics, there are a few other things to keep in mind when developing a security awareness training program. First, it is important to make the training engaging and interactive. This can include things like games, videos, webinars, team activities, simulations, and other interactive elements.
Secondly, it is important to make the training relevant to employees' day-to-day work. This can include using real-world examples of security breaches, so employees can see tangible ramifications, and tailoring the training to different departments, job roles and languages for maximum retention.
Finally, it is important to make the training ongoing, consistently refreshed, and reflective of emerging threats. Security threats are always evolving – cyber criminals do not stand still – so it is important to regularly update your training program to reflect these changes.
In conclusion, basic security awareness training for employees is an essential component of any effective cyber security strategy. By educating your employees on how to protect their identity and information, recognise phishing scams, create strong passwords, detect and respond to ransomware attacks, use social media safely, and vet suppliers and vendors, you can significantly reduce your organisation's risk of a security breach.
If you would like more information about how The Security Company can help you create a cyber security training and awareness program, or how we can run a behavioural survey to pinpoint lax behaviours and gaps in your security armour, please contact our Head of Business Development and Sales, Jenny Mandley.
The Security Company's vast library of customised and non-customised products and services is tailored for small, medium and large organisations and is available in a variety of languages. We also offer bespoke solutions for organisations that want training and awareness materials built from the ground up.
© The Security Company (International) Limited 2023