What keeps security professionals up at night? Hint: it’s not cybercriminals. It’s employees.
One employee mistake — like joining an unsecured network, accidentally clicking a phishing link or sharing a password — can lead to a data breach that severely damages a company’s reputation and revenue. In fact, Security Magazine reports that 60% of companies experienced an insider threat in 2022.
With the growing risk of insider threats, how do you keep your company safe? Security awareness training can be a powerful tool, but not all companies implement it effectively, with employees often forgetting takeaways from an annual course.
In this article, we’ll share tips on strengthening your security awareness training, including what to focus on, why it’s important and, most importantly, how to run a successful initiative that drives secure work habits year-round.
What is security awareness training?
Security awareness training is a strategy for educating employees on how to safeguard their organization from digital and physical security threats. The most effective training outlines proper cyber and office hygiene, explains the security risks of not following it and offers users practical guidance on working more securely.
Additionally, regular training and testing of employees’ knowledge as part of a larger program reinforces security best practices and company policies. This approach increases the likelihood that employees report incidents quickly and decreases the chances of data loss.
Most organizations establish security awareness training in order to comply with industry frameworks and regulations, including:
- International Organization for Standardization (ISO)
- National Institute of Standards and Technology (NIST)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Sarbanes-Oxley (SOX)
- Payment Card Industry Data Security Standard (PCI DSS)
Companies that fall out of compliance risk legal penalties, fines and lost business.
But even if not required for compliance reasons, companies should provide regular security awareness training because informed, security-conscious employees reduce some of the risks presented by internal and external threats and can limit the financial and reputational impacts.
Why is good security awareness training important?
Unfortunately, human error accounts for a large majority of security breaches. According to Stanford University Professor Jeff Hancock, 88% of data breach incidents are caused by employee mistakes, like using unsanctioned software or hardware, improperly disposing of documents or granting overly generous application and document permissions. Security awareness training helps prevent these mistakes by equipping employees with the knowledge and practice needed to avoid risky data movements and online behavior.
Often due to a lack of staff, some companies are unable to institute good security awareness training. However, a proactive approach to security awareness training can help minimize insider risk and save money in the long term by avoiding expensive losses and lawsuits.
How often should you conduct security awareness training?
Security awareness training shouldn’t be a one-and-done or annual exercise since new ways for data breaches to occur crop up daily. It’s easy for an employee to forget the best practices they learn during onboarding or a yearly course.
Small, strategic doses of security training make it more manageable for people to retain information. Cybersecurity experts also suggest making training applicable to an employee’s job. Testing employees on their recent actions can help ensure that the content sticks. Employees should receive training during onboarding and throughout their tenure to help them keep security best practices top of mind.
Ongoing, proactive training reminds employees to apply the techniques they’ve learned, keeps them informed of new procedures and creates a security-first culture.
Critical components of a security awareness training program
Because security awareness training is only one portion of an effective security awareness program, it’s important to understand its other components. Of course, programs may differ based on an organization’s size and industry regulations, but some core elements typically include:
- Security policy and best practices: Being clear about what you need employees to do to protect data is the foundation of any program. It needs to align with your policies and be relevant to the learner’s job and day-to-day activities. Using various formats — videos, slides, instructor-led — makes learning accessible for all types of learners. Consider building lessons with increasing levels of complexity to match people’s baseline level of security knowledge. Training that points out in real time when employees put data at risk can reduce accidental and negligent data leaks as well.
- Literacy testing: Ensure your employees gain and retain the training content by adding a quiz after each training. Knowing they will be quizzed helps employees pay more attention to the training. Quizzes don’t need to be long, but they should test the most important points of your policy that were covered in the training. Recalling their new knowledge will help them retain it.
- Internal communications: Company-wide or department-focused email campaigns are great ways to keep security at the forefront of employees’ priorities. Additionally, if your company uses a relevant messaging app or Slack channel, discussion prompts or message reminders are another strategy for supporting ongoing awareness. Use these channels to remind employees that they are the business’s best eyes and ears for daily risks and threats, and that they should not hesitate to report any concerns to security immediately.
- Metrics: You can measure program success in a few different ways. Take note of the number of security events before and after the program’s implementation to see if there is a decrease. Watch your reporting inbox to see if your employees are reporting more risks. With your phishing simulations, note the difficulty level of each phish and compare campaigns of similar difficulty to see if clicks decrease over time.
Creating fresh, highly applicable content with consistent reminders helps increase the chances of preventing missteps and increases the chances of employees reporting suspicious activity.
How to run successful security awareness training
The best training programs consider varying degrees of knowledge and learning styles. Keep these variables in mind when purchasing or designing content that employees can relate to and remember.
But employees aren’t the only people who safeguard company data and networks. Consultants, interns and contractors are all responsible for protecting your organization, too. Include role-based content for these groups in your program to enforce company security policies and best practices.
Important security awareness topics
There are many important topics to cover during security awareness training, and they may vary by industry or compliance obligations. Here are a few essential basics to get you started:
- Phishing: Over 500 million phishing attacks were reported in 2022, making it one of the most common forms of cyber crime. Your users should recognize the telltale signs of phishing, like suspicious links, spoofed pages and messages from fake social media accounts, and know how to report them.
- Office hygiene: As more and more organizations bring workers back to the office, don’t forget to include physical security training. Workers should be wary of letting unknown people into secured areas, take measures to protect their screens and lock down any paper or hardware at their workstations.
- Wireless networks: If your employees connect to an untrusted wireless network while working remotely, they can unknowingly share data or credentials with an attacker. Teach them to join only trusted networks.
- Password security: Prompt employees to follow the company’s strong password policies and not to create easy-to-guess passwords.
- Malware: Malware can come in many forms, so your employees should know the different types of malware that exist, how malware attacks happen and how to report a suspected malware infection.
- Compliance and GDPR: Upholding privacy and security regulations is critical to doing business in today’s marketplace. Implement best practices for protecting sensitive information and maintaining compliance with the industry regulations you adhere to.
- Insider threats: Departing employees, exhausted workers, malicious insiders and security evaders are all potential attack vectors. Users should understand data sharing best practices in their own roles so they build better security habits.
Your security awareness training program needs to do more than cover each of these topics. It also needs to be dynamic enough to keep up with newly emerging threats.
Actively work to reduce insider threats
Employees stand as your first line of defense against internal and external threats. But without the right knowledge and nudges, they won’t be effective. Give them the tools they need to support your organization. Explain the gravity of their role and provide them with top-notch training that teaches them how to keep your company, your customers and your partners safe.
Code42’s Instructor is targeted security awareness training that addresses data loss risks, whether intentional or the result of employee error. It has 60+ lessons tailored to the employee experience and can address risky actions in real time. Instructor operates with Code42 Incydr, a data protection solution that detects risky data movement and allows security teams to quickly investigate high-risk activities as they happen. If the employee activity is low-risk, an Instructor training lesson is sent automatically, covering what they did wrong and the best way to prevent further mishaps.
The Incydr and Instructor duo is a win-win for both sides — employees learn more secure behaviors in real time so they make fewer mistakes going forward, and security teams can focus their time on larger, high-risk data exfiltration.