People are the First Step in Securing the Enterprise
One of the quick wins that an Information Governance (IG) program can bring to an organization is the implementation of a Security Awareness Training (SAT) program. Information Governance programs are implemented to reduce risk and maximize information value. Security Awareness Training programs are an excellent way to reduce risk, and they are easy to implement. Employees have many bad habits that can leave a company vulnerable to data breach scenarios.
In response to the ever-increasing cybersecurity threat faced by businesses, a new sub-segment of the Information Security market has emerged and matured in the last five years. The Security Awareness Training market grew 54% from 2015 to 2017. Projected revenues for 2018 top $400 million.
Cybersecurity threats are constantly evolving. One of the important things to understand when evaluating Security Awareness Training programs is the vendor’s cycle for new content development and deployment in the training platform. Some of the features to look for and evaluate when selecting a Security Awareness Training product are:
- Interactive content in varied formats designed to keep learners engaged
- Training designed to teach resistance to multiple forms of social engineering
- Optimization for smart phone and
- Gamification and other methods to engage employees and increase participation
- Pre-structured campaigns for different types/levels of employees
- Role-based training with optional customization based on corporate environment
- Robust library of existing content and flexible micro-learning topics
- Internal marketing material and communication tools for use by the HR department
- Short lessons, approximately 5 minutes in length, certainly less than 10 minutes each
- Integrated quizzes and metrics to track employee participation and knowledge retention
- Integration with the corporate learning management system (LMS)
- Integration with end-point security systems
It is important to understand that SAT products typically include not only training, but also simulated attacks. Therefore, the way in which the SAT product interacts with existing cybersecurity defenses is a serious consideration. For example, if the training program administrator sends out a simulated phishing email, that email needs to make it through the spam filter and into the employee’s inbox before the employee can be tempted into clicking on the bad link.
In smaller companies, it may be sufficient to whitelist the domain from which the phishing email is sent. In larger organizations that have Security Information Event Monitoring (SIEM) and other automated cyber defense systems, the company’s IT/Security Team would likely request integration of a notification process for the simulated attack campaign in order to avoid a rash of false alarms from the security monitoring systems.
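As an added example (not code from the original article or any SAT vendor), here is how that notification process could be encoded as a SIEM suppression check: a phishing alert is set aside as a simulation only when the sender domain, a campaign identifier and the notified time window all match, so a whitelisted domain alone is never a blanket exception. The campaign values, the `campaign_id` field and the alert lines are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Campaign:
    sender_domain: str   # domain the SAT platform sends simulated phish from
    campaign_id: str     # identifier the platform stamps on each simulated mail
    start: datetime      # window the IT/Security team was notified about
    end: datetime

# Constructed campaign registration, recorded when the SAT administrator
# notifies the IT/Security team of an upcoming simulated phishing campaign.
CAMPAIGNS = [
    Campaign("sat-vendor.example", "SAT-2024-Q1",
             datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
             datetime(2024, 3, 4, 18, 0, tzinfo=timezone.utc)),
]

def parse_alert(line: str) -> dict:
    """Parse a constructed 'ts key=value ...' phishing alert into a dict."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields

def classify(alert: dict, campaigns=CAMPAIGNS) -> str:
    """Return 'simulation' only when sender domain, campaign id and time
    window all match a registered campaign; anything else stays an 'alert'."""
    domain = alert.get("sender", "").rpartition("@")[2].lower()
    for c in campaigns:
        if (domain == c.sender_domain
                and alert.get("campaign_id") == c.campaign_id
                and c.start <= alert["ts"] <= c.end):
            return "simulation"
    return "alert"

# Constructed SIEM phishing alerts: one inside the campaign window, one from
# the vendor domain after the window closed, one with no campaign id at all.
SAMPLE_ALERTS = [
    "2024-03-04T09:15:00Z sender=train@sat-vendor.example campaign_id=SAT-2024-Q1 user=alice",
    "2024-03-05T07:02:00Z sender=train@sat-vendor.example campaign_id=SAT-2024-Q1 user=bob",
    "2024-03-04T10:40:00Z sender=train@sat-vendor.example user=carol",
]

def triage(lines=SAMPLE_ALERTS) -> list:
    """Classify each alert; the SIEM suppresses 'simulation', escalates 'alert'."""
    return [classify(parse_alert(line)) for line in lines]
```

Only the first sample is suppressed; the other two keep their normal alert handling because the window or the campaign identifier does not match.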
Security Awareness Training can provide a quick win for IG programs. The training immediately reduces risk. At the same time, management can point to the employee participation metrics as proof that proactive efforts are being made to enhance the organization’s security posture.