What Is Security Awareness Training and Should You Apply It in Your Workspace?
Research reports suggest that as much as 90% of all data breaches are in one way or another connected to human error. It's difficult to say how accurate this estimate is, but, having covered quite a few cybersecurity incidents so far, we can safely say that in the majority of cases, data gets compromised not because the hackers are too clever, but because the people responsible for securing it haven't done enough. Weak passwords and other configuration mistakes are an everyday occurrence, and companies don't seem especially sure how to change this. Once again, pinpointing why the problem is proving so difficult to solve is no easy task. Few people are willing to argue, however, that a lack of awareness is not part of the issue.
Workers just don't know enough about the threat landscape
It's easy to blame most cybersecurity mistakes on recklessness, and it's fair to say that a not insignificant number of experts do it frequently. We reckon, however, that more often than not, errors are the result of plain old ignorance.
Users don't protect sensitive accounts with passwords like "P@ssword123!" because they want to see data fall into the wrong hands. They do it because they don't know how easily modern brute-force attacks can crack such passwords.
They put sensitive information in poorly secured servers not because they want to see the company they work for making headlines for all the wrong reasons, but because they are not aware of how quickly cybercriminals can find the vulnerable data.
In short, if people know what sort of danger they're faced with, they will be better prepared to protect themselves from it.
Does your company need a security awareness training program?
It's not a question of if it needs it. It's a question of what type of training it needs. Unfortunately, because no two organizations are the same, answering it is not as straightforward as you might hope. If your employees process most of the data in an offline environment, for example, teaching them about the proper configuration of a server's firewall won't help them a whole lot.
A good security awareness program is dependent on extensive knowledge of the tools and mechanisms your workers do their jobs with. Either you or a hired expert must take every single detail into account if you're really going to improve the security of your organization. This does indeed involve a serious amount of time and (potentially) money, but the benefits of this type of training can vastly outweigh the outlay. Before you get to all this, however, you need to teach your workers some fundamental truths about 21st century security both in the real world and on the internet.
The foundations of security awareness training
An extensive training program customized to fit your company's needs is the best way to improve data security. Before you get to it, however, you need to make sure that everybody is aware of a few universal threats that need to be considered both at home and in the office. We'll now take a look at them, and we'll hopefully help your workers stay safer.
- Poor password hygiene
We have discussed the problem of passwords pretty extensively on these pages, and it's probably time you discuss it with your employees as well. Instead of sticking to theoretical possibilities, try to give them real-world examples of threats like
attacks, and try to show them how adding "123!" to the end of a simple dictionary word won't do much to increase their password's strength. Crucially, show them how dedicated password management tools like the
can help them generate, organize, and store their login data.
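To make the point about decorated dictionary words concrete, here is an added example (not code from the original post) of a password policy check: it strips the trailing digits and symbols, undoes common leetspeak substitutions, compares what is left against a wordlist, and contrasts the naive brute-force guess space with what a dictionary-plus-rules attacker actually faces. The seven-word list, the assumed ten-million-entry wordlist size, the 12-character minimum and the substitution table are all constructed for the illustration.

```python
import math
import re

# Constructed stand-in for a cracking wordlist; real lists hold millions of entries,
# so ASSUMED_WORDLIST_SIZE is what the guess-space estimate uses (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "dragon", "monkey", "qwerty"}
ASSUMED_WORDLIST_SIZE = 10_000_000

# Leetspeak substitutions that cracking rule sets undo routinely (illustrative subset).
LEET_MAP = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
            "$": "s", "5": "s", "7": "t"}
DECORATION = "0123456789!@#$%^&*._-"          # alphabet an attacker enumerates for suffixes
TRAILING = re.compile(r"[0-9!@#$%^&*._\-]+$")
MIN_LENGTH = 12                                  # policy value chosen for this example


def split_decorations(password):
    """Return (core, suffix): suffix is the run of digits/symbols at the end."""
    m = TRAILING.search(password)
    if m and m.start() > 0:
        return password[:m.start()], m.group(0)
    return password, ""


def normalise(core):
    """Undo leetspeak and case so 'P@ssw0rd' compares as 'password'.
    Also returns how many substitutions were present (roughly 1 bit each to an attacker)."""
    hits = sum(1 for ch in core if ch in LEET_MAP)
    return "".join(LEET_MAP.get(ch, ch) for ch in core).lower(), hits


def estimate_bits(password):
    """Two views of strength, in bits: blind brute force over the 95 printable ASCII
    characters versus a dictionary-plus-rules attacker who only has to pick the word,
    the leet variant and the suffix. For a non-dictionary password both views coincide."""
    naive = len(password) * math.log2(95)
    core, suffix = split_decorations(password)
    plain, hits = normalise(core)
    if plain in COMMON_WORDS:
        rules = (math.log2(ASSUMED_WORDLIST_SIZE) + hits
                 + len(suffix) * math.log2(len(DECORATION)))
        return round(naive, 1), round(rules, 1)
    return round(naive, 1), round(naive, 1)


def check_password(password):
    """Policy check: returns the list of problems; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    core, suffix = split_decorations(password)
    plain, _ = normalise(core)
    if plain in COMMON_WORDS:
        problems.append(f"dictionary word '{plain}' decorated with '{suffix}'")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssword123!", "Summer2024!", "correct-horse-battery-staple"):
        print(pw, estimate_bits(pw), check_password(pw) or "accepted")
```

Run as a script, "P@ssword123!" shows roughly 79 bits under the blind model but only about 42 under the dictionary-plus-rules model, which is the gap the training should make visible to staff; a long passphrase that is not a single decorated word keeps its full length-based estimate.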
- Phishing attacks
Phishing is arguably the simplest cyberattack out there. For one, in most cases it uses the oldest and most widely used method of online communication (email), and although the confidence tricks the crooks employ are often very clever, the technical work needed to set the scam in motion is minimal. These, believe it or not, are precisely the reasons why phishing attacks tend to be so effective. Sending vast numbers of emails is cheap, and coming up with a trick that will fool users into clicking the wrong link or opening the wrong file is not difficult at all. If your workers are aware of this, they will be more likely to use the tools at their disposal to protect themselves.
- Lack of two-factor authentication
By enabling two-factor authentication (or 2FA), you're putting another obstacle in the hackers' way. It means that if they want to get into your account, they will need not only your username and password but also access to your email, your phone, or a physical token you own. That second factor limits the likelihood of unauthorized access.
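As an added illustration (not from the original post) of why the second factor matters, the following Python sketch verifies a login against both a salted password hash and a time-based one-time code of the kind a phone authenticator app produces (RFC 6238 TOTP over RFC 4226 HOTP). The in-memory user store, the 30-second step, the one-step clock-drift window and the PBKDF2 parameters are assumptions chosen for the example; the test vectors in the usage section come from the RFCs.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed in-memory user store (assumption: a real system persists this securely).
USERS = {}
STEP = 30          # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
PBKDF2_ROUNDS = 200_000


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 time-based one-time code: HOTP (RFC 4226, HMAC-SHA1) over the
    number of time steps elapsed since the Unix epoch."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def register(username, password, totp_secret=None):
    """Store a salted PBKDF2 hash of the password plus a per-user TOTP seed.
    The seed is returned once so it can be enrolled in the user's phone app."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if totp_secret is None:
        totp_secret = secrets.token_bytes(20)
    USERS[username] = {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}
    return totp_secret


def login(username, password, code, now=None, window=1):
    """Accept only when BOTH factors verify. Both checks always run, so the
    result does not reveal which factor was wrong."""
    rec = USERS.get(username)
    if rec is None:
        return False   # a production system would also burn a PBKDF2 run here to equalise timing
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, rec["pw_hash"])
    now = int(time.time()) if now is None else now
    # Tolerate +/- `window` steps of clock drift between the server and the phone.
    code_ok = False
    for drift in range(-window, window + 1):
        expected = totp(rec["totp_secret"], now + drift * STEP)
        code_ok |= hmac.compare_digest(expected, code)
    return pw_ok and code_ok


if __name__ == "__main__":
    seed = register("alice", "correct-horse-battery-staple")
    t = int(time.time())
    print("password + current code:", login("alice", "correct-horse-battery-staple", totp(seed, t), now=t))
    print("password alone (wrong code):", login("alice", "correct-horse-battery-staple", "000000", now=t))
```

With the RFC 4226 test seed `12345678901234567890`, the first three counters produce 755224, 287082 and 359152, so at Unix time 59 (counter 1) a one-step window accepts exactly those three codes and rejects everything else; a stolen password on its own still fails, which is the whole point of the second factor.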
- Outdated and vulnerable software
Once again, theoretically explaining the dangers old software poses is unlikely to get any real traction with your workers. By contrast, if you show them how users continue to get their PCs infected with malware because of a security vulnerability that should have been patched two years ago, they are more likely to listen. The timely installation of all security patches can save a lot of headaches both for individual users and for entire organizations. Admittedly, this can sometimes cause problems, especially if the software in use is more complex, but that is no excuse for leaving systems vulnerable. After all, a data breach can not only compromise people's information; it can also massively damage an organization's reputation.
- The security of personal devices
You could argue that this is more a matter of policy than it is of training, but nevertheless, in the days of the BYOD (Bring Your Own Device) culture, we can't ignore it. Researchers have been monitoring the trends, and they have come to the conclusion that workers do indeed tend to feel more comfortable when they work on their own phones, laptops, or tablets. The experts have also concluded, however, that many people don't do enough to protect their data because they think that they have nothing to lose. If you're going to let your employees use their personal devices for work-related tasks, you need to ensure that they are perfectly aware of how high the stakes are. You also need to enforce rules on what can and what can't be performed from a personal device, and you might want to think about investing in a strong Identity Access Management (IAM) system.
- Physical security
If your employees do most of their work with the help of computers or other electronic devices, you might think that this item is not particularly important. This is not quite the case, though. Of course, access to the building and the office your company operates in must be monitored closely, but there are other, less obvious factors that need to be considered.
Last year, for example, the Hawaiian Emergency Management Agency made headlines after a journalist accidentally photographed a post-it note that had a password written on it. Even when the data is in digital format, it can still be compromised in the physical world. In 2017, a Heathrow employee lost a USB stick that contained "sensitive personal data". The flash drive was eventually found and returned, but the UK's largest airport ended up paying a fine of around £120 thousand (about $150 thousand at the current exchange rate).
There are many other examples of data getting compromised in the real world, which is why it's important to teach your employees that the security of the information you put on a portable storage device is just as important as the security of the data you upload online.
The rest of the training program should be aimed at making company-specific tasks more secure, and once again, it should be more focused on real-world examples rather than theoretical knowledge. Before you can get to that, however, you'll need to lay the foundations, and we reckon that the list you see above is a good start. The great thing about it is, if your workers know what they're up against, they are more likely to set their own rules and limits and stick to them. This, in turn, makes your job a whole lot easier.