Security Awareness
The Biggest Security Awareness Misconceptions – Part 1
There’s a conversation that has been playing on repeat about Security Awareness. It usually goes something like this…
Risk Assessor: “Do you have a Security Awareness Program?”
IT Director: “Yes, we run phishing tests regularly.”
Risk Assessor: “Good. But, there is something you should know…”
According to Proofpoint’s 2021 State of the Phish report, 29% of organizations strictly use simulated phishing tests as their Security Awareness program. However, simulated phishing tests alone will not provide marked improvements to security postures that organizations need to battle against today’s sophisticated threats.
Debunking common phishing training misconceptions
To begin maturing your Security Awareness program based on facts, we must first review and debunk the most common misconceptions:
Misconception |
Reality |
Anti-phishing tutorials are an efficient way to provide Security Awareness training. |
Security Awareness training is MUCH more than just phishing training. |
Phishing trials help train users to avoid attacks. |
Phishing trials are not training. They are a narrow metric for only one of many important aspects of Security Awareness. |
A canned Security Awareness training video will lead employees to change behaviors that threaten information security. |
Security Awareness PROGRAMS include adult learning techniques that lead to behavior change such as activities and opportunities to practice implementation of new protocols. These techniques typically include several forms of training media. |
Employees that fail phishing tests should be called out and reprimanded. |
Phishing remediations should never be punitive. |
The danger of believing and operating Security Awareness efforts based on these misconceptions is that they lead to failures and then companies are left with the aftermath of social engineering attacks, and still needing to improve security culture. However, this cybersecurity challenge is very manageable if misconceptions of Security Awareness are replaced with facts.
Broadening Security Awareness Programs beyond phishing simulations
While phishing is an important aspect of Security Awareness it is only one of over a dozen critical domains that Security Awareness should include. Some areas to branch out include:
-
- Role-specific training: Security Awareness Programs for C-level employees, members of the board, and director-level positions should be specialized based on the kinds of social engineering attacks designed to target these roles.
- Training that includes a range of specialized attacks: Attackers are creating sophisticated attacks, so training should include attacks against brand names, product-related social media hoaxes, proper tabletop exercises for dealing with cyber security incidents as well as documenting due care and due diligence.
- Education on risks: Directors and managers need to understand the risks and signs of insider information theft, information leakage, and sabotage by disgruntled workers. Sadly, many times organizational leaders have never even seen a Risk Assessment for their organization and may assume Vulnerability Assessments are the same as Risk Assessments.
- Hands-on practice: Security Awareness Programs for information workers must include exercises to make sure employees know who to contact if they suspect malware or any kind of incident and exactly how to make this contact. Understanding social engineering attacks that leverage mobile devices, removable media, social media, physical intrusion, identity theft or home office exploits are basic critical components of any Security Awareness Program.
- Gaining buy-in to a culture of security: Security Awareness Programs are not just for teaching about social engineering, but also making sure employees have buy-in for organizational security controls and policies. If employees feel that security controls or policies just get in the way of their work they will circumvent these controls making them worthless or worse.
Where to start changing for a better Security Awareness program
Now that we have revealed misconceptions of phishing training and Security Awareness programs, and replaced them with facts, it’s time to begin the improvement process. In part two of this blog, we’ll guide you through how to tackle key enhancements for a more effective Security Awareness program. To ensure you are alerted when the next blog goes live, be sure to subscribe.