Phin Security

Why Security Awareness Training Matters to You

Security awareness training (SAT) is crucial for individuals and managed service providers because, when well-designed and adaptive to changing social engineering threats, it reduces breach risks by engaging and supporting employees, fostering positive sentiment and management buy-in, whereas poorly managed programs lead to disengagement, resentment, and ineffective security outcomes.

Today, let's explore why security awareness training (SAT) is important for both individuals and managed service providers (MSPs). We'll look at the pitfalls of a bad SAT program and the benefits of having a good one.

Why Is Security Awareness Important?

When done well, security awareness training reduces the risk of a breach. For cybersecurity professionals, the fear of a breach is a constant concern. SAT helps prevent some of that anxiety by equipping people to recognize and avoid threats.

People are uniquely vulnerable to social engineering, and that vulnerability changes as the world changes—politics, world events, new products, changes in employment, and life events all affect what someone might be susceptible to. As these vulnerabilities shift, the training and tools provided must also adapt. If training doesn't keep up, risk isn't reduced.

Pitfalls of a Bad Awareness Training Program

Some common issues with poorly designed SAT programs include:

  • Employees dislike or even hate the cybersecurity team or the MSP providing the training, often due to the way the program is managed.
  • The training may be punitive, with compensation tied to phishing test results, which is damaging to the goal of making people feel supported and properly equipped.
  • Employees mentally check out and stop engaging with the program.
  • The program fails to support the employees it's meant for, leading to disengagement and ineffectiveness.

Benefits of a Solid Awareness Training Program

The primary benefit is a reduced risk of a security breach because employees are properly equipped. Other benefits include:

  • Improved employee sentiment toward the program.
  • Increased engagement with the content.
  • Employees feel supported rather than badgered.
  • Management buy-in leads to organization-wide support.
  • Employees view the program as a necessary part of their work, even if it's seen as a necessary inconvenience.

How Does a Good SAT Program Affect Individual Risk?

When people are properly trained to recognize social engineering, several positive outcomes occur:

  • Fewer false phishing reports (e.g., marketing emails mistaken for phishing).
  • Reduced burden on security operations centers (SOCs) and technicians who evaluate reported emails.
  • Individuals become better at distinguishing between legitimate and malicious communications.

The Human Element in Security Breaches

According to Verizon's Data Breach Investigations Report, 82% of breaches involve the human element. This includes not just social engineering, but also errors and credential abuse. While not all of these are due to a lack of awareness, humans are often at least partially responsible when their credentials are abused.

The Growing Importance of Security Awareness

Technology is becoming more deeply ingrained in our lives. It's nearly impossible to function in society without a smartphone or computer. As technology becomes more prevalent, the opportunities for abuse shift from technical vulnerabilities (like zero-day exploits) to human vulnerabilities.

Humans are likely to remain the easier target for attackers, making it crucial to equip people with the skills to recognize and respond to threats. This is essential for reducing the inefficiency and losses caused by security breaches.

Looking Ahead

Future episodes will feature experts discussing topics like the intersection of security awareness training and cyber insurance. Legislation and compliance frameworks increasingly require SAT, and the insurance industry is looking at SAT as a way to reduce loss ratios, given the high percentage of breaches involving the human element.

Thank you for listening. Security awareness training is important for everyone, and understanding its value can help protect both individuals and organizations.