In broad terms, you could think of security awareness training as making sure that individuals understand and follow certain practices to help ensure the security of an organisation. From this perspective, security awareness training has been around practically forever, especially when you consider the need for security in military applications.
Today, security awareness training emphasises information security, and especially cybersecurity. Rapid advances in information technology — and parallel innovations by cybercriminals — mean that employees and other end users need regular, specific training on how to stay safe online and protect their information and that of their employers.
This article is an introduction to security awareness training and its importance: why organisations use it, how it has evolved over the years, and how it helps to reduce the threat of cyberattacks and other security breaches. Finally, we’ll introduce some tools for creating an effective security awareness program.
Why Do Organisations Conduct Security Awareness Training?
Cybersecurity awareness training has a critical role to play in minimising the serious cybersecurity threats posed to end users by phishing attacks and social engineering. Key training topics typically include password management, privacy, email/phishing security, web/internet security, and physical and office security.
There’s also a business case to be made for security awareness training, as explored in the Aberdeen Group’s report, Security Awareness Training: Small Investment, Large Reduction in Risk. The researchers conducted a workshop with enterprise security leaders to find out why they invest in security awareness and training. They found that:
- 91% use security awareness to reduce cybersecurity risk related to user behaviour.
- 64% use it to change user behaviour.
- 61% use it to address regulatory requirements.
- 55% use it to comply with internal policies.
As these statistics suggest, some organizations use security awareness training simply because they must, in order to comply with external or internal requirements. But this training also makes financial sense, according to the report: “an incremental investment in security awareness training results in a median reduction in the annualized risk of phishing attacks of about 50%, and a median annual return on investment of about 5 times.”
The Evolution of Security Awareness Training
While the core concepts of cybersecurity awareness training aren’t new, it has reached mainstream consciousness relatively recently. One indication of its emergence was the 2004 launch of National Cyber Security Awareness Month. The initiative, by the National Cyber Security Alliance and US Department of Homeland Security, was intended to help people stay safer and more secure online, encouraging such practices as the regular updating of antivirus software.
Since then, the annual awareness month has inspired similar events in other countries, expanded its themes and content, and drawn increased participation across industries and government, as well as universities, nonprofits, and the general public.
The focus, methods, and effectiveness of security awareness training have undergone significant changes over the years. Back in 2004, most programs were driven by the need for compliance — simply meeting regulatory requirements. Today, that focus has shifted to seeing cybersecurity awareness training as a means to manage and mitigate organisational risk.
Along the way, training methods themselves have matured. In 2004, the dominant paradigm was for annual presentations, either as in-person training sessions or long-form computer-based training. Unfortunately, these lengthy, infrequent sessions do not result in good knowledge retention. A gradual shift toward short, focused training on individual topics represented an improvement, but these trainings were still presented infrequently, which allows knowledge to dissipate over time.
Around 2014, security awareness training began shifting toward continuous education and improvement, in which a program includes ongoing cycles of assessments and training. The latest developments have been “just-in-time” and in-context training, which adds the ability to launch training in response to an end user exhibiting poor cybersecurity behavior, such as unsafe web browsing.
Tools for Training End Users
Today, infosec professionals use a variety of tools to train end users, as can be seen in our State of the Phish™ Report. The dominant tool — and one that continues to grow in popularity — is computer-based awareness training.
- 79% use computer-based awareness training.
- 68% use phishing simulation exercises.
- 46% use awareness campaigns (videos and posters).
- 45% use in-person security awareness training.
- 38% use monthly notifications or newsletters.
Well-designed training programs often make use of several of these tools. Equally important is to deploy these tools in a systematic, methodical way that allows you to track and measure progress over time.
The way we employ Learning Science Principles was proven to be effective through research performed at Carnegie Mellon University.
Effectiveness of Security Awareness Training
Our own case studies and Results Snapshots have shown persuasive results:
Creating a Security Awareness Training Program
Training employees versus cybersecurity experts takes a unique strategy. Users are not cybersecurity experts, so they need information given to them in an engaging way that helps them visualise and understand phishing.
Your security awareness program should have several features:
- Content: The content should be easily digestible and understandable for a general audience and provide information in an organised way such as chapters and lessons.
- Executive support: Executives are responsible for ensuring users follow procedures, so training material should have content that can be distributed across departments.
- Frequent program updates: The cybersecurity landscape changes, so the program content should also change. Every year content should be reviewed and refreshed to cover the latest threats.
- Testing: Testing users with real-world phishing emails and social engineering scenarios will help them identify threats. The example exercises should mimic real-world attacks.
- Reporting: Integrated with tests, reporting will tell administrators who clicked links and submitted sensitive data. The reports will identify employees who need additional training.
- Surveys: After training, send survey questions to managers, executives, and staff members so that they can provide feedback for improvements.
The way you organise and develop security training will determine its effectiveness. You need a strategy for the way content is written and organised. An example model for development:
- 10% formal: Although it’s corporate training, formal content should be the least sections in your training material. Formal content can be difficult to read or hard to digest, but it can be important for specific facts and examples.
- 20% informal: Informal content such as webinars, videos, and collaborations better engage users. This content should not be a majority of training sources, but it can be more than formal to help users better understand concepts.
- 70% real experience: Content in this section should be customised to fit the organisation's culture and experience. This type of content is usually developed by a third party so that all staff members get the most out of the training.
The content included in training material should be information, but it should also be for people who have never experienced a phishing attack. It should cater to beginners even if you have some people who are much more educated on the subject. It should be engaging enough that users want to dig further into details and learn more. Training is for people to build a skill, and this skill is detecting phishing and social engineering for users who are unaware of the many ways attackers create campaigns against businesses. They can even learn to protect their personal accounts from phishing and social engineering, so users get additional benefits from corporate security training.
Proofpoint offers a full suite of products for your security awareness and training program: from knowledge assessments and phishing simulations to interactive training, powerful reports, and easy-to-use dashboards.
Anti-Phishing Training Suite
Our customers have used our Anti-Phishing Training Suite and our Continuous Training Methodology to reduce successful phishing attacks and malware infections by up to 90%. Make our unique, four-step Assess, Educate, Reinforce, Measure approach the foundation of your phishing awareness training program.
Simulated Phishing Attacks
Quickly and effectively assess how susceptible your employees are to phishing and spear phishing attacks with our ThreatSim® Phishing Simulations. End users who fall for simulated phishing attacks are automatically presented with a Teachable Moment. This “just-in-time” guidance lets users know what they did wrong and offers tips to help them avoid future threats.
Security Awareness Training
We recommend that your security awareness training program include organization-wide phishing education as well as targeted anti-phishing training. Our unique approach and interactive training modules help you deliver effective cybersecurity education in a flexible, on-demand format that minimizes disruption to daily work routines.
PhishAlarm® Email Reporting Tool
Reinforcing best practices is critical to improving retention. Our PhishAlarm® email reporting tool enables end users to report a suspected phishing email with a single mouse click, reinforcing positive behaviors. Our optional PhishAlarm Analyzer email prioritization tool maximizes PhishAlarm’s capabilities and streamlines response and remediation efforts on reported emails.
What Makes Proofpoint Security Awareness Different
Because security awareness training works with the human element in cybersecurity, it’s important for organisations to find a company that can connect with users. Proofpoint’s training is developed to empower employees, vendors, and contractors with the information needed to detect and stop phishing attacks. We differentiate ourselves using a number of factors.
- Proven results. Security training has shown to reduce click rates by up to 50%.
- Real-world examples. Train employees with real-world examples so that they recognise a phishing email more effectively.
- Better compliance. Proofpoint training improves compliance by educating users on proper auditing and record keeping when working with customer data.
- Engaging for users. All lessons and training courses are created to engage users so that they get the most out of their sessions.
FAQs: Security Awareness Training
What Is Security Awareness Training?
Security awareness training is a corporate-wide initiative to help employees identify and avoid cyber-threats in the workplace. It’s a component in effective cybersecurity to stop human errors and insider threats from causing data breaches.
What Are Some Security Awareness Training Best Practices?
Teaching hundreds or thousands of employees with different cybersecurity awareness levels requires a strategic approach. Every organisation has their own methods, but it’s important that security awareness training is an ongoing process and curriculum is reviewed and updated frequently to account for changes in the cybersecurity landscape.
What Is the Main Purpose of Security Awareness Training?
Data breaches are expensive, and employees are primary risks for targeted threats. Training employees to detect threats minimises risk of phishing and ransomware, thus prevents loss of personally identifiable information (PII), intellectual property (IP), revenue, brand reputation, and customer loyalty.
What Are the Benefits of Security Awareness Training?
Empowering employees with security knowledge reduces risk of data breaches, and provides additional benefits. Training employees to identify threats prevents downtime from data breaches, ensures that your organisation stays compliant, and improves customer confidence in your brand.
What Should Security Awareness Training Include?
Security awareness training materials include reading modules, videos, on-hand exercises, and testing to ensure effectiveness. The way an organisation formats a security awareness training program is unique to their user base, but should be freely accessible to anyone.
How Effective Is Security Awareness Training?
Security awareness training is so effective that it’s now a compliance requirement for the EU’s GDPR. Through the years, organisations have seen a sharp decline in data breaches due to better cybersecurity education.
What Are the Most Important Security Awareness Training Topics?
Any security awareness training should cover common topics such as phishing, password protection, safe social media usage, social engineering, physical security, public Wi-Fi safety, and guidance on working remotely. Your organisation should tailor training to cover the biggest threats to your organisation's cybersecurity.
How Much Does Security Awareness Training Cost?
Every organisation has their own cybersecurity strategy and number of employees. Some employees need more training than others. Proofpoint customises training material specifically towards your cybersecurity needs. Contact us for pricing of your own security awareness training. If you’re interested in trying us out, request your free security awareness training trial today!
Security Awareness and Education Platform Key Features and Benefits
Learn about Proofpoint Security Awareness and Education Platform. Understand the benefits and features including real-time reporting, customisable content, and multinational support.
Security Awareness Modules, Videos, and Materials
Proofpoint’s security training for employees can improve knowledge retention, facilitate behaviour and reduce risk. Learn about out our training videos, materials and modules.
Business Intelligence Reporting for Security Awareness Training
Our modern, full-featured reporting makes it easy to benchmark, track, and trend user knowledge; evaluate progress; and gauge security awareness training ROI.