The need for security awareness training
9 of 10 security breaches are caused by human error.
Our own mistakes. On the bright side, that means most breaches are preventable. Even so, most companies have not developed an adequate security awareness training program to teach their team to avoid common pitfalls that lead to breaches.
The fact is, people often cut corners and skip key security steps simply because they are busy. They prioritize efficiency and speed over security. They may get distracted when performing seemingly mundane tasks that really deserve their full attention. And they may develop poor security habits in general because they do not fully grasp the potential consequences of their carelessness.
Security awareness training works
A little training can help. Research by Cyberpilot found that after continuous security awareness training and phishing testing, users had a 50% reduction in mistakes made during a simulated phishing attack.
It’s clear that when people are aware of privacy risks and the dangers that cybercriminals pose, they are more careful. Security awareness training works, and your company needs it.
But what should your security awareness training consist of? What topics should you cover, and how often? Let’s take a look at some security awareness training basics.
What is security awareness training?
A good security awareness program should help you develop a privacy and security-first culture. It should motivate your people to protect your company’s systems, your customers, each other —and everyone’s data. In practice, it should train your team to:
- Care about people’s privacy
- Recognize security threats
- Understand the stakes involved
- Take action to minimize risk
It should include your whole organization from top to bottom, be continuous and engaging, and make use of a variety of topics and quality educational materials.
Here are some examples of clever security awareness posters from Cyberpilot:
Required data protection training
Under Article 43, the GDPR requires you to provide “the appropriate data protection training to personnel having permanent or regular access to personal data.”
It does not give specifics on how you should train personnel, how often, or list the topics that you should cover. Each company should choose or set up an “appropriate” training program.
Notice that training is required for personnel having “permanent or regular access to personal data”. The broad definition of personal data under GDPR makes this apply to most of your staff. But not everyone’s access to personal data is or should be the same. Doing a data inventory can help you figure out who has access to what and tailor your training program appropriately.
Topics for security awareness training
Here are some of the topics we suggest you cover in your security and awareness training program:
- Password selection and management
- Recognizing personal data
- Phishing variations and how to spot them
- Understanding Privacy Rights
- GDPR principles and compliance
- Caring for sensitive data
- How to practice data minimization
- Email security mistakes
- Using shared wifi and VPNs
- Software updates and security
- Keeping work devices safe
- Remote workplace security
If you were to focus on just one of these topics each month, this would be enough information to keep your privacy and security awareness training going for a whole year!
Some companies schedule a security awareness day and try to hit as many of these topics if possible. This can become quite a grueling day.
If you cover too much information at once, it will be difficult for people to concentrate and remember what they’ve learned. And it will be almost impossible for you to track and measure improvements.
How to set up your security awareness program
Each of the topics mentioned above is too important to cram them all together into one long, dull seminar.
Rather, we suggest a program that schedules very brief, but regular sessions based on each of these topics. The emphasis should be on helping people see their importance, the stakes involved, and then how to improve their practices.
Let’s look at some simple outlines for a few topics to get you started.
Security awareness training for GDPR compliance
Make sure you set up clear GDPR policies your team can follow and stick with them. Tell who they can reach out to if they have questions about GDPR rules and personal information.
GDPR awareness training should let your people know:
- Who to go to with GDPR questions
- What your process is for DSARs
- Who to report to in case of a data breach
- What we can learn from GDPR principles
- How GDPR fines are calculated and how to reduce risk and liability
Password management training
An awareness training session on password management can include information on:
- Common and weak passwords and password patterns to avoid
- How hackers exploit weak passwords
- How to create strong, unique passwords and remember them
- When to change passwords
Phishing awareness training
An awareness training session on password management can include:
- Phishing examples and variations
- How to recognize a phishing email
- Phishing simulations
Personal data awareness training
Personal data awareness training sessions can include:
- How to spot personal data
- How to spot sensitive data
- How to view people’s personal data
- How long to keep personal data
Outsourcing security awareness training
For most of us, using our own time to plan, design and implement an engaging security awareness program isn’t practical. Not only would it be too time-consuming to create your own educational materials and resources, but you would also have to do a ton of research to update your information regularly, as security threats are constantly changing.
For this reason, some companies choose to send a few of their employees to a security awareness seminar, hoping they will absorb the information and educate the rest of the team.
This isn’t very effective, for a couple of reasons.
- As mentioned above, regular continuous education has been shown to be superior to trying to pack everything into one day.
- Getting everyone involved gets better results than counting on just a few people to pass on what they manage to remember from a quick, intensive seminar.
The goal should be to create a company-wide culture of security and privacy. This means everyone should participate. The frequency and style of your security awareness training should make security and privacy the default for your organization.
The benefits of online security awareness training
Signing your company up for an online security awareness course can be the best and most cost-effective way to make continuous security awareness training a reality.
Cyberpilot has created a complete series of e-learning courses + phishing simulations that make security awareness training simple. The courses are filled with videos and infographics to help people understand and remember the material. Users see their progress as they move through each course, and get a test at the end.
We also love the free resources on their site, like the free poster downloads. Take this one, for example, with a simple lesson about why it’s so important to protect personal data:
We couldn’t agree more. It’s an apt comparison to help people to see the importance of taking care of people’s data. And this poster is a great example of what makes a great security awareness program:
- Make it personal
- Make it brief and clear
- Make it easy to remember
If the content of your awareness training program meets these three requirements, it will stick with your team and truly shape the way they handle security and privacy.
But making your training program truly continuous and consistent is still more of a challenge.
Need some help?