Employees are a critical part of an organization’s defense against many IT security threats. Just as having the correct technology solutions is important, training personnel to recognize security threats is a critical part of any security strategy. As part of that strategy, organizations must consider both the content and the training methods. Training that does not engage employees or provide for continuous learning and reinforcement is not sufficient to truly make employees more security aware.
“Security Awareness Programs” Have a lot to Learn
A recently changing trend, and an encouraging sign, is that many companies are recognizing the critical need for employee security awareness. In 2014, EMA conducted a security research study that showed only 44% of respondents had security training from a current or previous employer. When the research was conducted again in 2015, 59% of respondents indicated they had received some form of security awareness training.
Not only are more employees being trained, but they are receiving more training. In a 2014 study, only 15% of respondents received five or more hours of security training. In 2015, that number jumped to 23%. This is also true with the periodicity of training. In 2014 only 2% of respondents indicated they had received training post incident, while in 2015 respondents who received training grew to 65%.
In 2014 only 2% of respondents indicated they had received training post incident, while in 2015 respondents who received training grew to 65%.
What Constitutes Effective Security Awareness Training?
Interactive training methods are known to be far more effective at not only engaging attendees, but improving retention of content. These include programs that present employees with realistic content, security scenarios, and even simulated phishing attacks. These methods are also more continuous in nature. Rather than going to a lecture and forgetting it a week later, continuous training can be directed to present employees with shorter bursts of training at multiple points throughout the year.
Interactive training methods are known to be far more effective at not only engaging attendees, but improving retention of content.
Of course, the final piece to effective training is measuring success. Unfortunately, many security training programs still measure effectiveness through attendance. However, attendance cannot measure the most important factors, like how much an employee is actually retaining and changes in behavior that ultimately identify how much less likely they are to fall victim to an attack.
Research proved that effective security training is a must. Certain methods are simply more effective than others, but what strategies are companies currently employing?
Security firm, KnowBe4, helps categorized training strategies into five approaches:
- The Do Nothing Approach – We do not really provide security awareness
- The Break Room Approach – We gather employees for a lunch or special meeting and tell them what to avoid when surfing the Web, in emails from unknown sources,
- The Monthly Security Video Approach – We have employees view short security awareness training videos to learn how to keep the network and organization safe and
- The Phishing Test Approach – We preselect certain employees, send them a simulated phishing attack, and see if they fall prey to the phishing
- The Human Firewall Approach – We test everyone in the organization find the percentage of employees who are prone to phishing attacks and then train everyone on major attack vectors, sending simulated phishing attacks on a regular
Forty-one percent of organizations are still doing nothing about security training. Of the companies that are providing security awareness training, almost 60% are using less effective methods such as the Break Room Approach (23%) and the Monthly Security Video Approach (36%). Thus, fully two- thirds of companies are using training methods that are less than ideal, and do not necessarily result in security awareness.
These numbers demonstrate that despite the training program improvements, there is still significant room for growth in the more interactive, and thus more effective, methods. The Phishing Test Approach, which creates a simulated phishing attack, was employed by just 14% of companies. The Human Firewall Approach, which should really be the goal of a mature awareness program, was used in only 20% of companies that participated.
These results are surprisingly consistent across companies of all sizes and with a variety of employee roles. The results are also fairly consistent across industries. However, education shows a particular lack of more robust training, with no respondents indicating they use the Human Firewall Approach, and just 12% using simulated phishing options. Retail and wholesale organizations also seem to rely heavily on the Break Room Approach (33%) and Monthly Videos (44%) at the expense of more interactive training methods.
Some reports on the mis-reporting of enterprise spend for security awareness training has been topical of late. One report in particular from Bromium inflates numbers and expectations. This article, again by KnowB4, chooses to point out inconsistencies in their findings and how the auditing of information was done to skew numbers. It is imperative that, as a business owner, you are able to make business decisions based on real data.