In a previous post, we discussed not only the prevalence of phishing attacks, but the email subject lines and social media attack simulations that were most effective at getting users to click. No security solution or IT team can detect and block every phishing attack or manage shadow IT apps and services, which is why security awareness training is critical to helping users recognize and avoid these attacks.
However, security awareness training isn’t just about specific threats. It should be part of your organization’s overarching security strategy. Security is about people, processes and technology, and people are often the weakest link. It’s easy to scapegoat the user for ignoring seemingly obvious warning signs of an attack, clicking malicious links and opening malicious files. But the real source of the problem is often the organization that hasn’t built a cybersecurity culture and properly trained its employees.
The SANS Institute measures the maturity of a training program using its Security Awareness Maturity Model. The model has five stages, each representing a higher level of maturity than the last:
- Non-Existent: There is no security awareness training program.
- Compliance Focused: The program is typically an annual event designed to satisfy compliance requirements.
- Promoting Awareness and Behavior Change: Ongoing training focuses on topics that have the greatest impact and is intended to motivate users to actively follow organizational policies.
- Long-Term Sustainment and Culture Change: The program has the processes, resources and leadership support to remain sustainable and make security part of the company culture.
- Robust Metrics Framework: Progress is tracked and impact is measured, allowing the program to be continuously improved and deliver ROI.
The 2019 SANS Security Awareness Report shows a decrease in the share of organizations at the two least mature stages, and an increase of about 5 percent in the share at the two most mature stages. This indicates steady progress in security awareness program maturity over the past three years.
However, organizations often experience resistance to their programs from operations and financial teams. Security awareness training programs aren’t free, and costs need to be justified. Training can also eat into the employee’s day, so organizations should involve operations in the planning of these programs. Other obstacles to security awareness training success include a lack of consistent training to keep information fresh in employees’ minds, as well as a lack of rigorous testing to ensure employees have absorbed and can apply what they’ve learned.
The most important success factor, however, is senior leadership support. When upper management backs the program, it tends to become a priority across the organization and to receive the necessary financial resources. Awareness training investments by peer organizations have proven to be an effective trigger for leadership support.
To help organizations cultivate a cybersecurity culture, Verteks offers the KnowBe4 program. KnowBe4 is an integrated platform that uses the world’s largest library of training content, automated training campaigns, simulated phishing attacks, and advanced reporting to train employees and show ROI. Let us help you implement KnowBe4 so you can develop a successful security awareness training program that enables employees to recognize, report and reduce the risk of phishing attacks.