How to Improve Security Awareness Training
The article discusses the challenges of securing stakeholder buy-in for security awareness training by emphasizing the importance of communicating its value in clear, non-technical terms, addressing misconceptions about risk—especially among high-level individuals who are prime targets—and tailoring training to actual demonstrated vulnerabilities to improve engagement and reduce organizational risk.
Welcome to Gone Phishing, a show diving into cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals.
Improving Security Awareness Training and Reducing Risk
One of the biggest problems often seen is struggling to get buy-in from clients when it comes to awareness training—deploying it, buying it, or managing it. Getting a client to buy in to the extent that they're willing to pay for a security awareness training program can be challenging. The main struggle is communicating value.
Addressing Stakeholder Objections
A common complaint from stakeholders is, "I don't need this. I'm not the risk." However, the reality is that stakeholders, especially those at the top of the organization, are often the most targeted individuals. They typically have the most access to sensitive information and are the most valuable targets for malicious actors. There is often a disconnect between their perception and reality.
When this conversation occurs, it's important to explain to stakeholders that unless they demonstrate risky behavior (like giving away credentials or falling for phishing), they won't receive additional training. The goal is to tailor training to demonstrated needs.
Communicating Effectively
Many practitioners use acronyms or technical jargon, which can alienate non-technical stakeholders. It's crucial to communicate in terms and at a level that clients understand. Practitioners must bring their expertise to the client's level, ensuring the value of security services is clear.
If stakeholders are not engaged or do not understand the value of an effective awareness training program, their employees are unlikely to care about it either. Most people see cybersecurity as a confusing black box and may not care unless it's made relevant to them.
Explaining Security Concepts Simply
For example, instead of using acronyms to explain multifactor authentication, say: "If your password gets stolen, the attacker still needs another piece of information to access your account." Explaining concepts in relatable terms increases buy-in.
What Drives Awareness Training Purchases?
Currently, most buying decisions for awareness training are driven by:
- 1.Cyber insurance requirements
- 2.Compliance frameworks
If you don't have a security framework, consider looking up CIS controls and NIST 800-171 as a starting point. Higher implementation groups in CIS controls can provide additional security.
However, what should drive the decision—but often doesn't—is a culture of security aimed at reducing risk. A culture of security means employees don't ignore training and understand basic security principles, even if it's not part of their direct job description.
Some companies now include in job descriptions that employees are responsible for conducting themselves safely and securely from a cybersecurity perspective. This sets the expectation from the beginning and helps keep the business secure.
Creating a Culture of Security
One of the most effective ways to reduce the risk of a breach is to create a culture of security from the top down. Stakeholders, managers, and employees all need to buy in.
At Phin, a welcoming program is created before training begins. New users are informed why they're enrolled, the importance of the training, and what is expected of them. If users fail assessments, they are told what will happen; if they excel, they are recognized. Being transparent about expectations and reasons for training increases buy-in.
Three Steps to Get Started
- 1.
Sell the value and relationships, not the tool.
- Focus on the benefits of security awareness, not just the specific tool being implemented.
- Explain how training will help employees recognize and handle threats.
- 2.
Be a security expert or partner with one.
- If you lack expertise in certain areas, consult or partner with security experts.
- It's important to be able to explain security concepts clearly to clients.
- 3.
Experiment with bundling services and tools.
- Offer bundled solutions tailored to client needs, such as basic, advanced, and business advanced tiers.
- Ask trusted clients for feedback on custom-fit plans.
Implementing awareness training today should focus on selling value, leveraging expertise, and bundling services. According to the Verizon Data Breach Investigations Report, 88% of breaches involve human error or credential abuse, making security awareness training critical.
If you have questions, you can reach out via LinkedIn or the Phin Security website. Additional videos on security awareness topics are available on YouTube.
Thanks for tuning in to Gone Phishing.
If you want to learn more about high-quality security awareness training campaigns and how to launch them to engage employees and change habits, visit Phin Security at phinsec.io.