7 research-backed tips to improve your security awareness training
Category: Best practices, Security awareness
December 1, 2019
We love talking to clients and security practitioners about exactly what’s working at the ground level of their security awareness programs. However, sometimes it’s helpful to take a step back and look at the security awareness space from a research data perspective.
That’s why we were so eager to host a webinar with Michael Osterman from Osterman Research to discuss not only the data from his latest security awareness research, but also seven best practices to act on the findings. Here’s what we learned.
All data and images were provided courtesy of Osterman Research’s downloadable report Best Practices for Implementing Security Awareness Training.
1. Be flexible to your corporate culture
Enthusiasm and support levels vary not only from company to company, but even within companies in different departments and management levels.
Instead of forcing security training based on what you think is most effective, work with senior management and employees alike to develop a strategy that blends your security awareness program with your existing corporate culture.
[Figure: Views on security training]
2. Make sure training covers everything relevant to your organization
68% of security practitioners rank data breaches, phishing attacks and CEO fraud attacks as major concerns. It’s easy to assume your employees share your security concerns, but it’s much more likely that under-trained employees lack both the ability to spot security threats and a true understanding of attack consequences. A breach only takes one oversight, so remember to focus not only on your greatest threats, but also to train for all possibilities.
3. Schedule phishing simulations at random intervals
Only 5% of security practitioners report phishing and spearphishing as a decreasing threat at their organization. Whether you’re trying to decrease your phishing rate or maintain your workforce’s phishing defenses, your phishing simulation tactics are extremely important. Think strategically about simulation effectiveness over quantity of phishing simulations alone. Schedule phishing simulations at random intervals to eliminate your employees’ ability to predict your phishing email cadence, and track behavioral change over time.
4. Training frequency is key
If you want security awareness best practices to stick, you need to keep security top of mind. The question is: what is the right training frequency and how should training be delivered? Although there is no magic number, shorter bursts of training distributed more frequently are most effective. By layering training exercises with ongoing phishing simulations and event-activated learning to link training to real events, you can automatically deliver training at the most effective frequency.
[Figure: Security awareness training frequency]
5. Tailor training to the right groups
The most effective security awareness programs deliver the right training, to the right people, at the right time. This means delivering training tailored to your company’s industry and your employees’ roles, as well as triggering relevant training in the most teachable moments. Despite its effectiveness, only 27% of security practitioners report using a human firewall approach to run a complete security awareness program. When building or improving your security awareness program, start with tailored training for the most immediate impact and continue to integrate training exercises into the day-to-day workflow of employees. This will build security into the fabric of your company and drive real behavioral change.
6. Focus on behavioral change
On average, security professionals see technical infrastructure as a more useful tool for stopping security incidents than security awareness training. While security awareness training shouldn’t replace technical controls, it’s important to remember they work hand-in-hand, not independently. Physical infrastructure is great at preventing attacks until a phishing email hits an employee’s inbox or a targeted attack goes undetected. It’s important to look at security training in terms of the behavioral change it drives rather than a compliance requirement or philosophical pursuit. Not only is behavioral change the ultimate end-goal of your training, but it’s also measurable. Focus on phishing rates, number of employee-reported emails and events blocked by endpoint protection to back your security awareness program with data.
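Tips 3 and 6 both come down to mechanics a program owner can automate: picking send dates that employees cannot predict while still guaranteeing a maximum gap, and turning each wave’s results into click and report rates that show a trend. The script below is an added illustration, not code from Osterman Research or Infosec IQ; the campaign counts, wave names and the 14 to 45 day gap window are constructed sample values.

```python
import random
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample start date for the schedule below.
START_DATE = date(2020, 1, 6)


def random_schedule(start, count, min_gap_days, max_gap_days, seed=None):
    """Return `count` simulation send dates after `start`.

    Each gap between consecutive sends is drawn uniformly from
    [min_gap_days, max_gap_days], so the cadence is not predictable but a
    wave still lands at least every max_gap_days. `seed` exists only for
    reproducible output (tests, audits); leave it None in production so the
    schedule cannot be guessed from a known seed.
    """
    if min_gap_days < 1 or max_gap_days < min_gap_days:
        raise ValueError("need 1 <= min_gap_days <= max_gap_days")
    rng = random.Random(seed)
    dates = []
    current = start
    for _ in range(count):
        current = current + timedelta(days=rng.randint(min_gap_days, max_gap_days))
        dates.append(current)
    return dates


def gaps(dates):
    """Day gaps between consecutive dates, used to verify a schedule."""
    return [(later - earlier).days for earlier, later in zip(dates, dates[1:])]


@dataclass(frozen=True)
class CampaignResult:
    """Outcome of one simulation wave (counts are constructed sample data)."""
    name: str
    sent_on: date
    delivered: int
    clicked: int    # employees who clicked the simulated link
    reported: int   # employees who reported the email to security


def click_rate(result):
    return result.clicked / result.delivered if result.delivered else 0.0


def report_rate(result):
    return result.reported / result.delivered if result.delivered else 0.0


def behaviour_trend(results):
    """Per-wave rates in date order plus the change in click rate from the
    first wave to the last (negative means employees are improving)."""
    ordered = sorted(results, key=lambda r: r.sent_on)
    rows = [(r.name, round(click_rate(r), 4), round(report_rate(r), 4))
            for r in ordered]
    delta = round(rows[-1][1] - rows[0][1], 4) if rows else 0.0
    return rows, delta


# Constructed sample data: three waves sent to 200 employees, listed out of order
# on purpose so the trend function has to sort them by send date.
SAMPLE_RESULTS = [
    CampaignResult("wave-3", date(2019, 9, 5), 200, 12, 90),
    CampaignResult("wave-1", date(2019, 3, 12), 200, 30, 40),
    CampaignResult("wave-2", date(2019, 6, 20), 200, 20, 60),
]

if __name__ == "__main__":
    for send_date in random_schedule(START_DATE, 6, 14, 45):
        print("send simulation on", send_date)
    rows, delta = behaviour_trend(SAMPLE_RESULTS)
    for name, clicks, reports in rows:
        print(f"{name}: click rate {clicks:.1%}, report rate {reports:.1%}")
    print(f"change in click rate, first to last wave: {delta:+.1%}")
```

The report rate is worth tracking alongside the click rate: a wave where fewer people click but more people report is the behavioral change the program is after, whereas a falling click rate alone can also mean the email simply was not opened.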
[Figure: Security training vs physical infrastructure]
7. Don’t punish mistakes
On average, security professionals report relatively low confidence in their employees’ and senior executives’ ability to properly handle phishing and spearphishing attempts. Having limited confidence in employees’ ability to handle security threats makes it even more important to treat security incidents as learning opportunities rather than fuel for punishment. Punishing clicks on phishing links can drive fear and even promote shame or secrecy around security incidents rather than encouraging information sharing and security awareness.
[Figure: Security professionals’ confidence in users’ abilities]
Improve your security awareness training with Infosec IQ
Infosec IQ provides phishing simulation and security awareness training in one automated platform to engage and motivate all learners to care about security, improve their personal security defenses and report suspicious activity. With a library of 1,000+ realistic phishing simulations and more than 700 training modules, assessments and support resources, Infosec IQ can not only help you implement Osterman’s seven research-backed tips, but also help you build and measure your entire security awareness program.