
Consequential Awareness Training : Is it the Right Thing to Do?

Updated: Dec 9, 2022

No matter your company size, industry, or segment, it’s something you’re going to want to invest in, not because you must, but because it’s in the best interest of your organization's risk mitigation.



Awareness Training has become a hot topic, as compliance, legislation and risk management items move higher up the priority sheet within businesses globally.

Before we look at how we use awareness training as a tool to enable consequential practices (the ‘contentious’ subject), we’ve got to ask ourselves a few questions:

1. What is awareness training?

a. Awareness training is a precautionary measure companies take to educate and effectively help users understand how certain actions can carry risks and impact privacy and security.

2. Why do I need awareness training?

a. Over the last three to five years (and specifically in the last year), the threat landscape has evolved dramatically. SecOps and IT professionals are finding it increasingly difficult to inform end-users in an engaging manner. Educating employees on dangers is imperative, both in their professional and their personal lives.

3. Where do I start?

a. Well, this isn’t always easy. But only one in ten organizations* continuously train their employees, so simply starting is already a major step in the right direction.

*In 2021, I’m saddened that this is still so low, and since I started specializing in security awareness training three years ago, this stat has remained largely the same, study after study.

4. What do I do with the data I get from the training?

a. This is another critical point: DO SOMETHING. There is virtually no point in running an awareness training program if there are no clear objectives and no clear items to act upon. Sure, some organizations might do awareness training simply as a tick-box exercise to show auditors, but it makes much more sense to have measurable outcomes.

Ok, so now that I’ve got that out the way, let’s dive in.

I recently read a post by someone I hugely respect, Andrew Pritchett, CIO at Grant Thornton Australia, that illustrated the importance of awareness training, BUT, it wasn’t as simple as that. As with any action, implementing awareness training carries an equal and opposite reaction, and we need to stop caring about how training is received within an organization so we can get on with it, and stop apologizing for it. You’re an adult. You’re employed by a company. This comes with mutual (written) agreements, like them paying you on time and you protecting all of the assets they give you access to. Stop making a meal of it.

Now for the fun part.

You (as the administrator) have now answered all four questions above and you’re ready to launch awareness training in your organization. But you’re still unsure what to do in three, six and maybe even twelve months post launch. That’s ok, this stuff isn’t easy. But again, make sure you do something. This does come with its own set of challenges, so be prepared to take on more responsibility than you originally envisioned. BUT, know that the reasons for pursuing it are just. Things can go wrong and administrators don’t always get it right (like here, or here). It’s a bit of a balancing act: you don’t want to be insensitive or distasteful, but phishing simulations also need to be believable so you can really separate the cyber-aware employees from the risky ones. Because in real life cybercriminals don’t care, and they use EXACTLY these tactics to make you click.

Organizations should 100% ask themselves what the outcomes of awareness training mean for end-user access, privileges, and policy control. As an administrator, if all indicators tell me you, as an employee, are going to click on something, rest assured you’d have a hard time getting onto Facebook at the office. If on the other hand you show that you report phishing emails from your inbox and have an engaged record of taking security awareness training, then of course you’re not going to be (or shouldn’t be) restricted. We need to care less about whether users approve of our awareness training and policies and focus instead on the reason we subscribed to an awareness training program in the first place, which is to reduce risk.

Start showing them their risk profiles. Start sharing the reasons why it’s important. Start illustrating why these measures were taken and how they can change, for the better.

Stop apologizing for taking care of your company. Stop apologizing for protecting your end users. Stop apologizing for helping them understand the risks of cyber, not only within their profession but in their personal lives too, and at no cost to them!

Start awareness training. Stop risky behavior.
