What is Security Awareness Training?

Employees are part of an organization’s attack surface, and ensuring they have the know-how to defend themselves and the organization against threats is a critical part of a healthy security program. If an organization must comply with government or industry regulations such as FISMA, PCI DSS, HIPAA or Sarbanes-Oxley, providing security awareness training to employees is among the requirements it has to meet.

Many attacks are stopped by firewalls and anti-virus, yet scammers keep getting past these and other defenses. As frustrating as it is to see expensive, enterprise-grade security solutions fail to completely protect a company’s data and its workers, the technology is not the only weak point: phishing and similar social-engineering attacks target the person rather than the perimeter, so a user who cannot recognize them undermines every control in front of them. A 2017 survey revealed that nearly a third of employees don’t know what phishing is. To make matters worse, ransomware is an unknown concept to nearly two-thirds of workers.

Types of Training

Every organization will have a style of training that’s more compatible with its culture. There are many options, including:

Classroom training

Instructors can see whether learners are engaged throughout the session and adjust accordingly, and participants can ask questions in real time.

Online training

This scales much better than in-person training and is less disruptive to employee productivity, since learners can work through the content from any location, at their own convenience and at their own pace.

Visual aids

Posters in the break room cannot be the sole source of security awareness training, but when done well they serve as useful reminders of what the formal training covered.

Phishing campaigns

Nothing captures a learner’s attention quite like the realization that they’ve fallen for a phish. Simulated phishing emails sent by the organization itself let you measure who clicks, who submits credentials and who reports the message. Learners who fail the phishing test should be automatically enrolled in further training, and the results should be used to coach rather than to punish, or employees will stop reporting real phishing attempts.
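
The following is an added example of the mechanics behind such a simulated phishing campaign; it is not part of the original article or any particular product. It derives an unguessable per-recipient tracking token with HMAC, builds the link that goes into the simulated phish, scores a constructed landing-page log (token, event) so that the worst action per person wins, and then enrols failures in training, escalating repeat offenders to an instructor-led session. The campaign secret, landing URL, recipient addresses and log lines are all hypothetical.

```python
import csv
import hashlib
import hmac
import io
from urllib.parse import urlencode

# Hypothetical values: in a real deployment the secret is generated per campaign
# and kept server-side, and the landing page is the organization's training site.
CAMPAIGN_SECRET = b"hypothetical-per-campaign-secret"
LANDING_URL = "https://training.example.internal/phish"

# Severity ordering used when one person generates several events.
SEVERITY = {"no_action": 0, "reported": 1, "clicked": 2, "submitted": 3}


def recipient_token(campaign_id: str, email: str) -> str:
    """Per-recipient token: HMAC of campaign+address, so tokens cannot be guessed
    or derived from another recipient's link (a plain counter or base64 of the
    address would let anyone mark a colleague as a clicker)."""
    msg = f"{campaign_id}:{email.strip().lower()}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:20]


def tracking_link(campaign_id: str, email: str) -> str:
    """Link embedded in the simulated phish for this one recipient."""
    query = urlencode({"c": campaign_id, "t": recipient_token(campaign_id, email)})
    return f"{LANDING_URL}?{query}"


def resolve_token(campaign_id: str, recipients: list, token: str):
    """Map a token back to a recipient, or None if it matches nobody
    (forged, mistyped, or from a different campaign)."""
    for email in recipients:
        if hmac.compare_digest(recipient_token(campaign_id, email), token):
            return email
    return None


def score_events(campaign_id: str, recipients: list, log_text: str):
    """Parse a 'token,event' CSV log; return ({email: worst_event}, unknown_token_count)."""
    outcome = {email: "no_action" for email in recipients}
    unknown = 0
    for row in csv.DictReader(io.StringIO(log_text)):
        email = resolve_token(campaign_id, recipients, row["token"])
        if email is None:
            unknown += 1          # don't attribute unverifiable hits to anyone
            continue
        event = row["event"]
        if SEVERITY.get(event, -1) > SEVERITY[outcome[email]]:
            outcome[email] = event
    return outcome, unknown


def assign_training(outcome: dict, prior_failures: dict) -> dict:
    """Click or credential submission is a failure: first failure -> online refresher,
    second and later -> instructor-led session. Reporters get positive feedback."""
    plan = {}
    for email, event in outcome.items():
        failed = SEVERITY[event] >= SEVERITY["clicked"]
        total = prior_failures.get(email, 0) + (1 if failed else 0)
        if not failed:
            plan[email] = "none" if event == "no_action" else "thank_reporter"
        elif total >= 2:
            plan[email] = "instructor_led"
        else:
            plan[email] = "online_refresher"
    return plan


def constructed_log(campaign_id: str) -> str:
    """Constructed sample landing-page log (not real data)."""
    t = lambda e: recipient_token(campaign_id, e)
    rows = [
        (t("alice@example.com"), "clicked"),
        (t("alice@example.com"), "submitted"),   # clicked, then typed a password
        (t("bob@example.com"), "reported"),
        (t("carol@example.com"), "clicked"),
        (t("carol@example.com"), "reported"),    # reported, but only after clicking
        ("0000000000deadbeef00", "clicked"),     # unknown token, e.g. a link scanner
    ]
    return "token,event\n" + "\n".join(f"{a},{b}" for a, b in rows) + "\n"


def run_example():
    campaign = "q1-payroll-notice"   # hypothetical campaign name
    recipients = ["alice@example.com", "bob@example.com",
                  "carol@example.com", "dave@example.com"]
    outcome, unknown = score_events(campaign, recipients, constructed_log(campaign))
    # carol already failed one earlier campaign, so this failure escalates her.
    plan = assign_training(outcome, {"carol@example.com": 1})
    return outcome, unknown, plan


if __name__ == "__main__":
    print(tracking_link("q1-payroll-notice", "alice@example.com"))
    for item in run_example():
        print(item)
```

Two details matter in practice: the unknown-token counter keeps mail-security link scanners and forwarded links from being booked against a real person, and ordering events by severity means someone who clicks and then reports is still enrolled in the refresher, while the report itself is acknowledged separately.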

In most cases a combination of these works best. Security awareness training is not a one-and-done exercise: threats and lures change, people forget, and new hires arrive untrained, so regular training delivered through several media is ideal, especially in an organization with high turnover.