Security awareness training

Issue 2/3 2023 Training & Education, Security Services & Risk Management

Tyrone Meyer.

Most organisations don’t have a lot of time to make an impact with their security awareness programmes, but are faced with compliance obligations that must be met. It is critically important to have a security awareness solution that uses the limited time available to train effectively, and one that provides targeted education that is relevant to users. This latter must be based on the knowledge gaps they have and the topics that they need to learn about now.

Currently there are two issues facing us today:

• How to keep users engaged?

• How to account for an education programme that factors in your globalised audience?

Ultimately, the goal of any security awareness programme is to drive behavioural change and drive actual security outcomes. It’s true to say that your company is only as strong as your weakest user, but what does this mean? Basically, you want to see fewer people clicking on malicious links, not only in simulated phishing tests, but in real-world attacks. However, if users mess up, you want them to learn from their mistakes. Without follow-up education users will continue to make the same mistakes in the future.

You want to work for a situation where more employees report suspicious emails, proactively helping you to keep your organisation safe. Data from the SOTP Report shows that a little over a third of organisations currently educate employees about best practices for reporting. If users don’t know what to do when they get a malicious email, how will they know how to act appropriately? What you don’t want is users reporting on random spams or low-risk emails. You want end-users to know what a potential threat looks like and report on high-risk emails, and know how to tell the difference.

To help customers build a strong culture and shape existing behaviours, values and beliefs towards it, you need to organise a solution into three key steps – an ACE Framework – Assess, Change Behaviour and Evaluation.

Assess: The first step is to assess current culture, knowledge and skills to help establish the baseline and understand where the gaps are and what users believe. This helps inform a programme focus and aids with evaluations. Customers can do this using a variety of tools like knowledge and culture assessments.

Change Behaviour: The second step is to help customers execute on their behavioural change programme. This consists of three key components: automation, adaptive learning and the reinforcement of that learning.

• Automation is very important: security teams can get inundated with user reporting of suspicious messages and threats. It is necessary to provide a way to automate remediation of threats. This approach saves time and resources.

• We also know that one size does not fit all, and this couldn’t be truer for training. An adaptive framework makes it easy to deliver continuous learning throughout the year, adjusting the style of learning and the size so that it fits easily into people’s daily schedule. This helps them move along a path that increases skills level over time across key security domains, and based on role. Think targeted education that’s geared right to where users need to be learning at any given time.

• Reinforcement is also key to combatting the forgetting curve. Using existing tools like threat guided training and email warning tags (providing contextual nudges) are some examples, as well as teachable moments, videos, and more.

• Evaluate: you want to be able to evaluate your programme regularly and make changes as needed, to get results.

Above all, remember, this is a cycle, not a linear process. It is constantly restarting and improving.

Now that we’ve covered the stages of the ACE framework, it’s necessary to take a holistic approach to security awareness education. You need to use a threat-driven content informed by threat intelligence to drive educational modules and help users be prepared to face threats in the wild. A tailored education is not only based on users’ roles and knowledge gaps but is also informed by user vulnerabilities, which must be captured using threat intelligence.

Threat detection capabilities also automatically analyse user-reported messages for fast, time-saving detection. You need visibility to help you communicate the impact of your programme to your leadership team, and to help inform future changes you are considering for your security awareness.

These components come together to help save you time, resources, and enhance the administrator experience – which helps you expand and scale your growing business.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Understanding the power of digital identity
Access Control & Identity Management Security Services & Risk Management Financial (Industry)
The way we perceive business flourishing is undergoing a paradigm shift, as digital identity and consumer consent redefine the dynamics of transactions, says Shanaaz Trethewey.

What you can expect from digital identity in 2024
Access Control & Identity Management Security Services & Risk Management
As biometric identity becomes a central tenet in secure access to finance, government, telecommunications, healthcare services and more, 2024 is expected to be a year where biometrics evolve and important regulatory conversations occur.

Tech developments lead hologram growth in 2024
News & Events Security Services & Risk Management
Micro-lenses, micro-mirrors and plasmonics are among the rapidly-emerging optical devices that have evolved on the back of holographic and diffractive technologies, and are seen as part of the natural evolution of optical science by R&D teams.

Are you leaving money on the table?
Editor's Choice Security Services & Risk Management
How many customers have you helped since starting your business? Where does most of your new business come from? If the answer is not from your database’s existing customers, you might have a problem.

Mastering security awareness in the digital era
Risk Management & Resilience Training & Education
Human error and lack of security awareness remain the first security threat. Companies must consider the importance of managing employee cyber risk and the significance of training and awareness programmes.

Preparing young entrepreneurs
News & Events Training & Education
Liquid Intelligent Technologies SA recently announced that its Youth Empowerment Programme is successfully preparing young South Africans with the skills they need to succeed in a digital future.

Kidnapping for ransom
News & Events Security Services & Risk Management Risk Management & Resilience
There has been an 8,6% increase in reported kidnapping cases in South Africa compared to last year, with 3 854 cases reported between April and June this year, leaving ordinary South Africans increasingly vulnerable.

Free South Africa Market Report webinar from TAPA EMEA
Technews Publishing Editor's Choice News & Events Transport (Industry) Training & Education Logistics (Industry)
October 2023 offers TAPA EMEA members and non-members opportunities to increase their knowledge of cargo crime and supply chain security risks in three countries in Europe, the Middle East & Africa region, where supply chains are most targeted by both organised crime groups and other offenders.

The difference between a SOP and a SOP
Residential Estate (Industry) Integrated Solutions Security Services & Risk Management Risk Management & Resilience
SOPs are a touchy issue that need careful attention and automation to ensure they deliver the desired security results. Beyond design and automation, implementation is the ultimate road to success.

Your face is the key
Suprema Editor's Choice Access Control & Identity Management Security Services & Risk Management Risk Management & Resilience
FaceStation 2, Suprema’s newest facial authentication terminal, is an access control, time and attendance terminal, featuring a better user experience with Android 5.0 Lollipop and Suprema’s latest algorithm, hardware, and software.