Levi, Ray & Shoup, Inc.

Training users in security awareness

10/15/2020 by Chris Hill

By Chris Hill

October is National Cybersecurity Awareness month, so I have a question: When was the last time you changed your password?

Last year a study discovered that nearly half of all users had not changed their password in five years. FIVE YEARS!

Not only that, but nearly three-quarters of users use the same password on multiple sites.

Those two human behaviors can present serious security challenges, but luckily there is a way that’s proven to change human behaviors: training.

Security Awareness Training is the process of providing formal cybersecurity education to your workforce about a variety of information security threats and your company’s policies and procedures for addressing them.

Unfortunately, Security Awareness Training is often overlooked because management chooses not to offer it and users choose not to participate. Some reasons that this happens include budget, the maturity of the security program, and just lack of interest. In some cases, organizations just overlook the importance and effectiveness of a good training program.

The training is vital, though, because every user who is on your network is part of the security posture and, like your IT staff, users must also be aware of threats that could lead to a security event.

Attackers are human and by nature all humans prefer the path of least resistance, and in the eyes of the attacker phishing is that path and your users are the target. With automation and other tools, attackers can flood multiple organizations with the multiple messages all with the same intent, getting your information. Phishing campaigns such as this are trying to exploit your users’ credential, install malware or even worse ransomware. If your users are not properly trained and prepared to identify these campaigns your organization worst day could start with a “click”.

As I wrote on this blog back in March, security training can dramatically improve your organizations chance to survive these attacks by educating your users on what to look for or who to contact in the event of receiving a malicious message.

Along with training users against phishing, Security Awareness Training programs can and should focus on your organization’s security posture. Keeping the content fresh and targeted to your audience with be the best way to ensure success. Also be sure to tailor the program to the groups in your organization; talking about security in healthcare isn’t effective in training your logistics team.

Now, how do you get users to attend training and, more importantly, follow security guidelines? One way is to simply mandate compliance by including training in each employee’s performance standards. Another way is to track training attendance and follow up with users who fail to attend.

If you prefer a less authoritarian approach, you could always add some gamification. Reward users who attend training and also report malicious activity. The reward can be monetary like Sonic gift cards, because who doesn’t like a free Sonic gift card!

The Security team at LRS IT Solutions can help you with your Security Awareness Training program and other security issues. Just fill out the form below for a free consultation.

About the author

Chris Hill serves as our Security Practice Leader. Chris has more than 24 years of business and professional experience in IT and holds a Bachelor of Science degree in Electrical and Electronics Engineering.