on the radar blog

Security Awareness Training | September 5, 2018

The State of Security Awareness: Reviewing the Top Training Trends

According to a 2018 survey of technology executives, 52% of respondents reported that their company utilizes some sort of employee security awareness training. But what is the nature of today’s awareness programs, and are they effectively safeguarding against evolving cyber threats?

While security awareness training is becoming more prevalent for SMBs, it is necessary to take a step back and examine not just the quantity, but the quality of today’s training programs. That’s why we’re evaluating common security awareness trends to uncover the features and factors that contribute to a successful program, as well as those that detract from training effectiveness.

TOP TRENDS IN SUCCESSFUL SECURITY AWARENESS TRAINING

One of the most promising security awareness training trends is the recent emphasis on anti-phishing tactics. Gartner recently listed active anti-phishing as one of their Top 10 Security Projects for 2018, emphasizing the need to educate the end users who are on the front lines when it comes to recognizing and reporting phishing scams. From spear phishing to social engineering to other types of spam, training programs that dig into the nuances of phishing vectors are doing employees—and businesses—a favor.

The most effective programs, however, go beyond training employees on anti-phishing protocols to actually replicate a real-life attack. This brings us to our next top training trend: cyber threat simulation. In order to fully prepare employees for sophisticated phishing scams, many robust programs are now deploying fake email messages designed to fool unsuspecting employees and heighten their everyday awareness of phishing attacks. Recent research on the subject of cognitive modeling supports these efforts, suggesting that cybersecurity simulations, particularly those involving social engineering methods, can contribute to fewer incidents.

Finally, successful security awareness training programs are also embracing the ever-changing nature of cybersecurity. Experts are increasingly recommending that businesses leverage up-to-date, real-world examples of hacking in their training programs—like WannaCry or attacks on prominent retailers—which not only keeps training modules in touch with the current cyber threat landscape, but also emphasizes to employees that their ongoing security efforts are a valuable and necessary tool to protect the business from a variety of emerging threats.

AREAS FOR IMPROVEMENT

While the training trends above should be emulated, there are a variety of less effective, yet no less popular, training tendencies that SMBs should strive to avoid. For example, consider the medium by which security awareness training is delivered. Many SMBs rely on classroom-style instruction sessions led by members of their IT team. While this meeting-like environment does ensure that all employees are physically in attendance, it does not ensure that they are actively engaged in learning. Digitally-based programs, on the other hand, give employees hands-on experience through interactive online modules that keep them engaged and teach them how to apply their learnings in the types of digital environments where they will ultimately be used.

In addition to improving engagement, SMBs should also strive to improve training frequency. Too many businesses rely on intermittent training sessions that are provided less than once per year. Furthermore, only 45% of surveyed security professionals stated that their organizations actually made training mandatory, meaning that not every employee even attends these infrequent sessions. Instead, SMBs should create a constant culture of security awareness by holding training that is consistent, mandatory, and programmatic, as well as keeping tactics top-of-mind by sending regular email updates and tips between sessions.

Finally, and perhaps most importantly, security awareness training is often too generic to benefit employees. 43% report that their program is structured as one basic course for all employees, and only 11% say that their organization customizes the curriculum based on the needs of employees at high risk for targeting. One-size-fits-all training may be simpler to deliver, but it does not provide effective protection against threats—instead, SMBs should work to engage all employees around the security news, topics, and tactics that pique their interest and affect the work that they do on a daily basis.

Register for Avow’s Webinar to See Where Security Awareness is Going Next

As SMBs increasingly recognize that employees are their last line of defense against malicious cyberattacks, robust security awareness training will take its rightful place as an integral element of any successful cybersecurity strategy.

Join Avow on September 26 for a live webinar, Protecting Your Business from the Inside Out, to learn more of the key components of effective security awareness training, the latest attacks preying on the “human factor,” and how to construct a mature training program that will hold up as the threat landscape changes.