Welcome back to the blog series dedicated to helping you secure your infrastructure in 2019. You’re here, which means you’re interested in what you can do to better secure your environment, and that’s awesome! Let’s start off with the topic that I believe provides the best Return On Investment (ROI): security awareness training.
Get the most bang for your buck
Best ROI? What are you talking about? It’s true that security awareness training can require zero out-of-pocket expense, but that’s not why I say it provides the best ROI. Non-technical end users are at the tip of the spear in cyber warfare, and they are generally unaware of the dangers awaiting them. It’s our job to arm these users with knowledge in the form of security awareness training. Think of this training as a map of a minefield, outlining where all of the buried mines are located. Users would then be informed of the dangers and would know where not to step. It’s the same thing in the daily use of a computer system.
The risk of not providing security awareness training
In the right situation, it only takes one mouse click to allow an attacker to bypass all of our efforts. We can spend endless amounts of money on the latest artificially intelligent system to protect us, but one wrong click could bypass that system in one way or another. We need to arm our end users with the knowledge to safely do their jobs and not put the organization at increased risk.
Easily increase network security
Security awareness training generally includes having users take an online training course, but it doesn’t have to. We could hold quarterly 10-minute meetings to discuss a topic such as phishing, covering how to spot a phishing email or website, then send out some examples to end users the next week to reinforce the ideas. If you really want them to pay attention, offer a prize to whoever can spot the phishing emails. As the saying goes, “competition breeds excellence,” and that holds true in this scenario as well. You can also hang reminder posters, but please, make them entertaining. This will get people’s attention, and they may even look for the latest posters to see what they say.
When planning training, make it fun. Offer a trophy for being awesome at security. Use your imagination! Try a security-based scavenger hunt, or gamify a phishing campaign by keeping score of who spots the phishing emails or phishing websites.
Purchasing online security training
If you do want to purchase online training for your users, there are lots of great options available, and most are pretty reasonably priced. The nice thing about many of these training options is that there’s a built-in test to quantify the results. Some even offer the ability to run a phishing campaign to test your users, which can be a very good learning opportunity for them. I highly recommend praising those who do well at security, as it creates a positive association with security-related situations. Doing this will increase the chances of your users reporting possible security issues to you, which is what we want.
In the end, the more we educate end users, the better off our organization will be when it comes to staying safe from cyber threats.