The scope of cyber security awareness training continues to increase.
While the below list of topics to include in awareness training is far from exhaustive, each should be a foundational pillar of security awareness campaigns. Building campaigns around the below can decrease the risk of cyber attack – especially when campaigns account for the ABC of cyber security.
Resource challenges and environmental contexts often force those in security to decide which method or methods to include in awareness campaigns – and in which quantities each should be employed.
In this post, we consider the four different types of security awareness training in turn, the pros and cons of each, and an alternative, increasingly favoured approach.
1. Am I really a target?
Most cyber security awareness training begins by talking about security threats. It seems logical. But doing so may be a mistake – because of the human bias for optimism.
As people, we tend to harbour an inherent bias for optimism. Most of the time, it’s a helpful trait. When it comes to cyber security, though, our inherent bias for optimism means most of us struggle to imagine ever really being victims of cybercrime.
A good cyber security awareness campaign needs to address this upfront – because discussing threats is largely pointless unless message recipients believe the threats to be relevant and applicable to them. Cyber security awareness training should therefore begin by overcoming a key reservation to taking training seriously. It should begin by discussing why those taking the training are indeed targets.
2. Preventing identity theft
Identity theft remains the most prevalent form of cybercrime. As such, preventing identity theft is key to any good cyber security awareness training campaign. As well as information on preventing identity theft, cover the warning signs and the dangers of oversharing on social media.
It may also be worth demonstrating how simple it now is to steal an identity. Such demonstrations help make training emotional, and behaviour change research shows emotions have an unrivalled ability to change the way people behave. Demonstrating how simple it now is to steal an identity can therefore change not just security awareness but security behaviours, too – which should be a key aim of any security awareness training campaign.
3. Passphrases and multi-factor authentication
Today, what constitutes a secure password is becoming increasingly clear. And yet, according to the password manager SplashData, 123456 is the most common password in use today.
Including information on passphrases – ie, secure passwords that are easy to remember – as well as teaching users how to create and remember them, is essential in any cyber security awareness training campaign. Be sure to include information on multi-factor authentication and build in time for people to update old passwords during training.
Increasing security awareness is one thing – but changing security behaviours should be the real aim.
4. Public Wi-Fi
The ongoing rise of remote working coupled with an increase in the prevalence of unsecured public Wi-Fi, make training on public Wi-Fi essential.
It’s definitely worth including stories to highlight the personal and professional risks presented by unsecured Wi-Fi. Stories such as that of Howard Mollett, who reportedly lost £67,000 in a conveyancing scam, are unlikely to be forgotten.
However, to really drive training content home, consider demonstrating the additional personal benefits that come from using VPN, such as how to stream your favourite Netflix shows no matter where you are in the world!
5. Social engineering, including phishing and SMShing
The UK government’s 2018 cyber security breaches survey recently polled UK businesses on their experience of breaches. 75% of those that had suffered a breach had done so following “Fraudulent emails or being directed to fraudulent websites” – ie social engineering and/or some form of phishing. Cyber security awareness training should therefore give special focus to both phishing and social engineering as a whole.
It’s worth thinking about how social engineering training is delivered, too. Many companies today highlight the dangers of social engineering through simulated attacks, which test people’s response to attacks “live” in the workplace. Such attacks are backed by behavioural change theory: as well as being emotionally engaging, they help modify people’s schema. Put simply, they train people to expect attacks and, as such, help modify how people respond to genuine day-to-day threats.
6. Browsing securely
The green padlock no longer marks websites as safe to use – a fact few people outside of security actually know. Few people still have configured their browsers to avoid tracking or form auto-filling. Advice on browsing securely is therefore essential to any security awareness training programme.
Given behavioural change as an overall aim, it’s worthwhile going through step-by-step guides on browser configuration.
7. Device security
As with passphrase management, device security is an area which most are familiar with. Most people know the importance of antivirus software and most know how important it is to keep firewalls running. And yet malware infection remains prominent year in, year out. Why?
Again, it seems as though awareness is failing to change behaviour. In the past, tried and tested content on device security has failed, so security awareness training on device security needs to go beyond what’s been done before.
Framing device security training in terms of the personal benefits users can expect is usually a good idea. For example, CybSafe’s module on device security opens with the line “This module will help you save money by showing you how to set up your computer securely.”
Related to device security is content on malware, which should cover the different types of malware and how infections occur. As research shows we tend to ignore security warnings, it’s worth including information on the importance of heeding security warnings, or even going one step further and decoding what ambiguously written security warnings are actually trying to say.
Including content on the signs of infection is also crucial. On average, it takes 197 days to detect a data breach or malware infection linked to data loss – yet the warning signs are often clear.
9. Breach recovery
Most security professionals agree on the naivety of failing to plan for a data breach – yet information on breach recovery is seldom included in security awareness training campaigns. The depth of subject matter necessary will vary depending on the audience. At the most basic level, people need to know how to report breaches. When training security teams though, more detail will be needed.
10. GDPR and data privacy
The General Data Protection Regulation is a far-reaching regulation and one that leaves those who handle data with some additional responsibilities.
Security awareness training that covers GDPR and, most importantly, puts it into context for various areas of an organisation, not only helps organisations comply with the regulation, but reinforces the importance of the secure processing of data – an essential point, but one which some seem to have been forgotten.
All ten topics above are now covered in detail by the CybSafe platform, which updates not just as the threat landscape changes but also as your people’s security understanding and behaviours advance.
After learning about individual knowledge levels and behaviour patterns, CybSafe uses behavioural change insights to advance security awareness, behaviour and culture. At the same time, it uses machine learning to continually move key security metrics in the right direction, demonstrably reducing human cyber risk. To see how it works – as well as what’s included – arrange a free demonstration here.