Is your business investing enough in security awareness training?

Dec 13, 2016

IT, security

Cyber attacks are already in the news day after day, and some experts forecast an escalation in 2017.

The reason for the predicted increase? Human behavior. A study conducted by the Information Security Media Group, for example, found that 60 percent of the data breaches suffered by organizations in 2016 were caused by social engineering tactics. And, as Jeff Goldman wrote in an eSecurity Planet article, “89 percent of respondents have seen either a steady pace or an increase in spear phishing and other targeted email attacks in the past year — and 69 percent of those attacks target user credentials.”

Just having the best possible security system will not protect data from employees making mistakes. It’s critical for your cybersecurity plan to include a security awareness training plan.

“The purpose of periodic security awareness training (SAT) is to develop essential competencies, new techniques and methods that are so essential in facing possible security issues,” Daniel Brecht wrote in Enterprise Apps Tech. “Investing in SAT can provide some level of maturity in incident response and help protect corporate resources; by adopting a Security Awareness Training Program, a company greatly increases its security-related risk posture.”

IT leaders are taking notice of the need for SAT. Gartner Research Vice President Andrew Wells has said that the security awareness training market exceeds $1 billion in annual revenue and is growing at approximately 13 percent per year.

That’s a start, but many security experts think that there is a need for businesses to invest even more in SAT. According to Douglas Bonderud in Security Intelligence, nearly half of organizational leaders invest in nothing more than the bare minimum SAT, and are not doing a good enough job in ensuring employees get regular training or that the training is updated to address the most recent security threats.

As a result, says Carl Herberger, vice president of security solutions at Radware, hackers have a green light for targeting human error. “More and more, we are seeing hackers leverage socially engineered exploits or spoof passwords to gain access to private information and networks, and yet security training across most organizations is scarce at best, and often does not address important concerns for both private and organizational security,” he said.

However, Herberger also pointed out that while comprehensive security awareness training should be in place in every organization, it should be understood that human training can only go so far in protecting your business from hackers.

“Today’s threats are increasingly automated and bot-driven, necessitating automated and adaptive cyber security,” Herberger explained. “For example, security bots would dramatically improve authentication and Identity and Access Management (IAM), effectively reducing the need for employee-created passwords. We’ve reached a tipping point for authentication, and security professionals and organizations are in need of technologies and levels of protection that are not prone to human error and can be easily spoofed or obfuscated by malicious actors.”

This changing threat landscape is why Marie White, president and CEO at Security Mentor, suggested that perhaps we should be re-thinking the approach to SAT.

“It is time to change the discussion from should we be focusing more on security awareness training to how can we implement security awareness training that is effective? To start, we need to focus on education as much as we do security,” she explained.

Her recommendations:

  • Training needs to be relevant, understandable, and fun.
  • Lessons should be short, making them easy to learn.
  • Lessons should be reinforced throughout the year, creating a culture of security.
  • Training should incorporate approaches like gamification, rewarding employees for their achievements, and using friendly competition as a group motivator.

“Employees continue to be the greatest threat to security,” said White. “From ransomware to data breaches, employee mistakes are the most common cause of costly security incidents. Employees always will be making decisions upon which their organization’s security depends.”

Investing in educational security awareness solutions will improve organizational compliance, expand security knowledge and change poor security behaviors.

Post by Sue Poremba

Sue Poremba is a security and technology writer based in central Pennsylvania.