We often get asked why companies need to do security awareness training. Most people are surprised by our answer that every company, regardless of size or type (B2B vs B2C), should do some form of security awareness training. We say “some form” because, despite most of the security awareness training platforms and vendors looking crazily alike, security awareness training can and should take different forms for different companies and different learners.
Why does every company need to do some form of security awareness training? There are three reasons.
#1 You have to do security awareness training for audits, regulations, and your customers.
These are external forcing factors that require companies to do security awareness training. This is usually the impetus that forces new companies to start doing security awareness training. It’s also the primary value most companies get from their security awareness training vendor. At Haekka, we view this as check-the-box training.
Every regulation and reporting regime, from HIPAA to SOC 2 to PCI to GDPR, requires some form of security awareness training. And they all require evidence of that training. Most companies, in order to check the box, implement annual security awareness training. While not being super effective, it does check the box for audits and security reviews.
#2 You should do security awareness training because employees represent the biggest risk to your company’s data.
Your employees represent your biggest vulnerability. Depending on what numbers you look at, somewhere between 70% and 90% of security incidents result from employee decisions and actions. It’s important to remember that the playing field is not level and employees are inundated with attacks against them. Employees need help to effectively combat these attacks. That’s where effective security awareness training comes in.
Using a technical analogy, if even 5%-10% of security incidents resulted from vulnerabilities in one component of your infrastructure, you would invest heavily in resolving those vulnerabilities and mitigating the risk associated with that one component of your infrastructure. The same should hold true for human risk, or vulnerabilities associated with your employees.
Effective security awareness training, defined by Haekka as training that improves employee security hygiene and reduces the risk to the company, needs to go beyond the annual, check-the-box training that is often used for audits. Effective training engages employees on an ongoing basis. It’s relevant to their work. In 2021, with employees working remotely and jumping between multiple apps to accomplish single tasks, forcing employees to jump out of the context of their current work reduces adoption, engagement, and effectiveness.
#3 To help employees defend against the attacks waged against them.
Our mission at Haekka is to empower companies to go beyond checking the box. We believe the primary job to be done with security awareness training is to help your employees combat the non-stop onslaught of sophisticated attacks being waged against them. If you can accomplish this, then you’ve addressed all of the reasons why you should do security awareness training.
This does require a slight reframing of the problem and the realization that employees are the underdogs against better-resourced and more focused adversaries. For employees, security best practices should be built into everything they do. The challenge is that the types of attacks and the associated security best practices are changing constantly.
In 2021, there will be entirely new approaches to social engineering and entirely new cloud services and SaaS apps where poor security hygiene can cause security incidents. Employees just can’t be expected to keep up while doing the rest of what they have to do each day. Employees need help. They need effective, ongoing training built into their daily work.