Complete Guide to Security Awareness Training (updated for 2021)

Travis Good
March 29, 2021

Do you need security awareness training?

The short answer is yes, you do need to do security awareness training at your company. There are a few reasons why this is a firm requirement.

  1. Your customers demand it. Whether you sell to other companies or to consumers, your customers need to trust you. Security awareness training is a key part to creating and maintaining trust. In the case of business customers, many have security questionnaires that ask explicitly about security awareness training.
  2. Your auditors demand it. In 2021, SOC 2 is table stakes for B2B companies. Or, if you operate in Europe, you have to comply with GDPR. Or you work in a regulated industry like healthcare or finance. SOC 2, GDPR, HIPAA, and PCI all require you do security awareness training.
  3. You have to reduce the risk to your business. Employees account for 90% of security incidents. The most successful way to reduce this risk is with effective and engaging security awareness training.

What regulations require security awareness training?

As stated above, every privacy and security regulation we know of requires security awareness training. A sampling of the specific requirements, by regulation, is below.

  • SOC 2. CC2.2: Communicates Information to Improve Security Knowledge and Awareness states "The entity communicates information to improve security knowledge and awareness and to model appropriate security behaviors to personnel through a security awareness training program."
  • HIPAA. 164.308 (a)(5)(i) states "Implement a security awareness and training program for all members of its workforce (including management)."
  • GDPR. Article 47, 2. (n) states - "the appropriate data protection training to personnel having permanent or regular access to personal data."
  • PCI. Requirement 12: Conduct Security Training for Entire Workforce.

What does effective security awareness training look like?

Most training for cybersecurity is not effective. It is administered annually rather than continually, and it is not relevant to the way companies or employees work in 2021. It does not map to the ways in which modern work is done, and most of it does not cater to technology companies or technology groups.

Employees represent the largest threat to corporate systems and data. Unfortunately, they’re also the most common cause of security incidents and data breaches. With remote workers and cloud-based technologies extending the human threat vector, it has never been more important to get GDPR training right.

Effective privacy starts with privacy policies and procedures. Translating policies into day-to-day work, ensuring those procedures are followed, and maintaining evidence of their execution is not easy. Proper training can help close many of the gaps and, at audit time, make life a lot easier for you and your auditors.

The Haekka team has created and managed privacy and security programs for growing companies. We have written and taken part in privacy training for hundreds of entities. We have also participated in or run over 1,000 cybersecurity audits and assessments. In order to be successful with training, and to limit the risk to organizations, security awareness training needs to be ingrained into the culture of the organization. In our experience, the following ten elements are essential aspects of effective security awareness training.

1. Don't use jargon

Cybersecurity leaders live in the world of security. It is their primary function and most of what they think about on a day-to-day basis. As such, they tend to use their own vocabulary of terms: phishing (or vishing), malware, defense in depth, 2FA / MFA, breaches / incidents, and others. These terms aren't super specialized and yes, a lot of people in technology know all or some of them. But effective security awareness training works for everybody at your company - from technology to marketing to sales to operations to finance and on and on.

As such, the terms that are used in training need to be defined the first time they are used. And it's often worth re-defining them or re-stating them each time they are used. In fact, one of the goals of security awareness training should be to establish a common language, as a baseline, around cybersecurity at your company.

Whether you write your own security awareness content or you buy content from a vendor or consultant, you should audit the content to ensure readability for all of your employees and you should get feedback on content to ensure there is no ambiguity in terms.

2. Delivered with spaced repetition

Security awareness training, especially if it is kept up to date with new threats and tools, often contains new material for learners. Most people do not have a background in cybersecurity, and even for those who do, cybersecurity is a fast-moving area of technology and social engineering. Most security awareness training is done on an annual basis. Conducting training annually on new and foreign material is not effective. Checking the box on security awareness training by doing the minimum interval necessary guarantees your employees will not comprehend or be able to apply it, meaning it will not actually improve security hygiene.

One effective technique that works particularly well for security awareness training is spaced repetition. Spaced repetition, or repeating the same lessons at different intervals, is a well-established system to improve retention in learners. Considering the structure of security awareness training, it can be broken down into tagged or characterized content that can be delivered consistently, building comprehension over time. The other benefit of spaced repetition for security awareness training is it enables easier tracking of comprehension for different topics. Below is a video on spaced repetition.


In terms of the spacing schedule for security awareness training, there is no prescriptive cadence, but there is research-based evidence for best practices. The benefit of spaced repetition privacy training, beyond improving comprehension and execution, is that it helps to build cybersecurity into your culture.

One of the challenges of going to a spaced repetition security awareness training schedule is the collection of evidence for training. When training is done annually, tracking who has taken it is a lot easier than tracking training on a weekly or monthly basis. Spaced repetition does require rethinking training from the ground up but is one of the more important changes in order to ensure the effectiveness of security awareness training.

3. Put employees in the training

If you have taken modern training for exams or seen kids take online training, you have likely seen the use of scenarios in education. These scenarios are short, cover 1 or maybe 2 topics, and have some form of a question to evaluate comprehension. Oftentimes, they can be completed within 5-10 minutes.

Creating a database, or catalog, of security awareness training scenarios requires work. Maintaining and updating that catalog is necessary to ensure the scenarios do not repeat and become stale. For larger organizations with dedicated training groups and resources, this may be feasible, though even these organizations have a hard time doing it. For smaller organizations, this likely requires you to find and buy scenario-based security awareness training or a scenario-based training platform. In any case, implementing cybersecurity in 2020 is more complicated than ever before, so finding additional resources for training, or for other aspects of cybersecurity, may be necessary.

Below is a sample Haekka security awareness scenario, a scenario tailored to technical employees.

Today is your second day of work in the IT group at a large bank. It is a consumer bank. Your company serves primarily individuals, not businesses.

You spent most of yesterday, your first day on the job, in orientation and training. The focus of the training was about your job, privacy, and security. This is a bank. Data and systems have to be secured. And data protection is built into the fabric of the culture.

Today you are spending most of your day getting set up with account access. You have an email inbox full of links to SaaS, or cloud, software accounts. You haven't counted, but it's at least 10 different software services you need to set up. You have to create unique accounts, with username and password, for each service. To make it more manageable, you use the same password for all of the services. This password also happens to be the password you use for most of your personal accounts like Facebook and Gmail.

What would improve the security of your online identity and accounts? (choose all that apply)

  1. Add multi-factor authentication with your phone number.
  2. Use a password manager so you can securely store and use unique passwords.
  3. Use settings that force you to reset your password every 90 days.
  4. Leave your password in a text document stored on your desktop.
  5. Do not use dictionary terms.

Answer: 1, 2, and 5.

Explanation: There are several best practices you can use to secure your accounts - using unique passwords for each service, not using dictionary words, using passwords that are over 8 characters in length, using a password manager, and using multi-factor authentication. Changing passwords every 90 days does not help, and service providers, most notably NIST and Microsoft, are moving away from this. Your company could also assist in this process by implementing a single sign-on (SSO) solution like that offered by Okta.

The scenario is a good example of putting your employees in your training. This makes the training relatable. Employees see how security awareness applies to the work they are doing and the decisions that they make on a day to day basis. And each scenario comes with a simple explanation, making it easy for employees to comprehend the learning of the scenario.

4. Contextualize training

Security awareness training should be done where your employees work. In 2021, that means the applications and digital tools that your employees use every day. Training in context has been shown to help with the retention of training content. To meet the goal of delivering security awareness training that is effective, it needs to be done in context.

Today, most corporate training, not just security awareness training, is done in classrooms or in learning management systems (LMSs) that reside wholly outside of the tools employees use every day. Employees leave their work to train on things that have no connection to the decisions they make each day. This training is a checkbox.

Security awareness training can be delivered where employees work. In 2021, with remote work, "where employees work" means anywhere. Technology enables easy integrations between security awareness training content and the tools people work in every day. Tools like chat, where many employees spend time each day, are great delivery platforms for training content. Slack and Teams have become the operating system for modern work and can be used as training platforms. Since employees are already identified and authenticated in these tools, the collection of evidence for training is easier, as is the tailoring, or adaptation, of training for individual employees.

At Haekka, we intentionally chose to build on top of Slack and to leverage features like notifications, messages, mobile / web apps, and collaboration for our security awareness training.

5. Make Training Adaptive

With security incidents exposing every company to major risk and the vast majority of security incidents resulting from employee decisions, effective security awareness training is imperative. It's not enough to check the box on security awareness training.

Because cybersecurity touches every employee at a company, the training given needs to be adaptive to the roles and responsibilities of individual employees. The broad nature of cybersecurity means that security awareness training should adapt to what each individual employee knows of cybersecurity. Your engineering team may need its own training, while all those employees that field or even interact with users should have training tailored specifically to their roles and day-to-day responsibilities.

Training software developers on how to handle paper records of user data is pretty low value. Teaching security event integration into your system development life cycle process to finance is equally low value. Training should be personal to the job and function.

Adaptive training has been found to improve comprehension by over 20%. This is pretty astounding, and the reason why almost all modern educational platforms used in school are adaptive in nature. Yet, when it comes to privacy training, what we provide to employees is often static, one size fits all training.

Below is a video with examples and research about adaptive learning and adaptive technologies used in education.
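To make the two mechanisms above concrete, here is a small scheduler that combines the spaced repetition described in element 2 (repeating tagged content at growing intervals and tracking comprehension per topic, with an evidence row per answer) with the role-based adaptation described in this section. This is an added example, not Haekka's code or product: the Leitner-style interval ladder, the roles, the learner "alice" and the sample questions are all constructed assumptions for illustration.

```python
# Added example: spaced-repetition scheduler for tagged, role-adaptive
# security awareness items. Intervals, roles and questions are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed Leitner-style ladder of gaps (days) between repetitions of one item.
# A correct answer moves the item up one box (longer gap); a wrong answer
# sends it back to box 0 so it is repeated the next day.
INTERVALS_DAYS = [1, 3, 7, 14, 30]


@dataclass(frozen=True)
class Item:
    item_id: str
    topic: str           # tag used to track comprehension per topic
    roles: frozenset     # roles the item applies to; "all" means everyone
    question: str
    correct: frozenset   # accepted answer set (multi-select supported)


@dataclass
class ItemState:
    box: int = 0
    due: date = date.min  # never shown yet, so due immediately


@dataclass
class Learner:
    name: str
    role: str
    states: dict = field(default_factory=dict)    # item_id -> ItemState
    evidence: list = field(default_factory=list)  # audit trail, one row per answer


# Constructed sample catalogue; question text is illustrative only.
SAMPLE_ITEMS = [
    Item("pw-1", "passwords", frozenset({"all"}),
         "You reuse one password across ten SaaS accounts. What improves security?",
         frozenset({"password manager", "multi-factor authentication"})),
    Item("pw-2", "passwords", frozenset({"all"}),
         "Which of these is a good password practice?",
         frozenset({"unique password per service"})),
    Item("sdlc-1", "sdlc", frozenset({"engineering"}),
         "When should security review happen in the development life cycle?",
         frozenset({"at every stage"})),
    Item("paper-1", "physical", frozenset({"operations", "finance"}),
         "How should paper records with user data be disposed of?",
         frozenset({"shredded"})),
]


def relevant_items(items, learner):
    """Adaptive filter: only items tagged for the learner's role (or for everyone)."""
    return [i for i in items if "all" in i.roles or learner.role in i.roles]


def due_items(items, learner, today):
    """Items whose next repetition is due, weakest (lowest box) first."""
    due = []
    for item in relevant_items(items, learner):
        state = learner.states.setdefault(item.item_id, ItemState())
        if state.due <= today:
            due.append((state.box, item))
    due.sort(key=lambda pair: pair[0])  # stable sort keeps catalogue order within a box
    return [item for _, item in due]


def record_answer(learner, item, chosen, today):
    """Grade a multi-select answer, reschedule the item and append an evidence row."""
    state = learner.states.setdefault(item.item_id, ItemState())
    correct = frozenset(chosen) == item.correct
    state.box = min(state.box + 1, len(INTERVALS_DAYS) - 1) if correct else 0
    state.due = today + timedelta(days=INTERVALS_DAYS[state.box])
    learner.evidence.append({
        "learner": learner.name, "item": item.item_id, "topic": item.topic,
        "date": today.isoformat(), "correct": correct, "next_due": state.due.isoformat(),
    })
    return correct


def comprehension_by_topic(learner):
    """Fraction of correct answers per topic, computed from the evidence log."""
    totals, hits = {}, {}
    for row in learner.evidence:
        totals[row["topic"]] = totals.get(row["topic"], 0) + 1
        hits[row["topic"]] = hits.get(row["topic"], 0) + int(row["correct"])
    return {t: hits[t] / totals[t] for t in totals}


def simulate_two_days():
    """Run one (constructed) engineer through two daily sessions and report the results."""
    day1 = date(2021, 3, 29)
    alice = Learner("alice", "engineering")
    first = [i.item_id for i in due_items(SAMPLE_ITEMS, alice, day1)]
    pw1 = record_answer(alice, SAMPLE_ITEMS[0], {"multi-factor authentication", "password manager"}, day1)
    pw2 = record_answer(alice, SAMPLE_ITEMS[1], {"90-day rotation"}, day1)
    second = [i.item_id for i in due_items(SAMPLE_ITEMS, alice, day1 + timedelta(days=1))]
    return {"day1_due": first, "pw1_correct": pw1, "pw2_correct": pw2,
            "pw1_next_due": alice.states["pw-1"].due.isoformat(),
            "pw2_next_due": alice.states["pw-2"].due.isoformat(),
            "day2_due": second, "comprehension": comprehension_by_topic(alice),
            "evidence_rows": len(alice.evidence)}


if __name__ == "__main__":
    for key, value in simulate_two_days().items():
        print(f"{key}: {value}")
```

Running the module shows the two points the text makes: the engineer never sees the paper-records item, which is tagged only for operations and finance, and the item answered correctly disappears from the next day's session while the one answered wrongly comes straight back. The evidence list is the audit trail that weekly or monthly training needs in place of a single annual completion record.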

6. Bite-Size Material

A key enabler of effective training is breaking training down into digestible chunks. There is always going to be a need for primers and introductions to the major themes of cybersecurity, as well as to define common terms. This more generic, more traditional training has a place, namely with new hire onboarding. But this monolithic training should only be used as a primer and should not be seen as a means to effectively educate your employees about cybersecurity.

Effective training is focused on and addresses a small set of topics and objectives at a time. Within the context of cybersecurity, a limited set of best practices and security hygiene should be taught at a time. Scenarios are a great way to focus content.

Bite-size training content also enables delivery within existing tools such as chat programs like Slack or via email. These programs are where a lot of work is done so the training is delivered and completed in the context of daily work.

One of the major benefits of bite-size training is that it can be wholly delivered in tools you already use, like Slack. There are a growing number of Slack bots and third-party integrations in Slack, making training an obvious extension of the ways Slack is already used today.

The key to successfully breaking security awareness training into bite-size content and delivering in a continual way is with proper content management. Training needs to be organized and tagged in ways that make it easy to store, retrieve, and link to other training material. It also needs to be dead simple to create, duplicate, and edit. Traditional LMS systems fall short of this as their tagging and content management were not built for agile, bite-size training but for organizing traditional, monolithic training.

7. Build engagement into your content

One of the primary goals of security awareness training, if the training is going to be effective, is to build engagement into the content itself. Engaging employees optimizes the experience and comprehension of learners.

Security awareness training gets a bad rap. It's often viewed as a checkbox and boring, but it does not have to be. It requires creativity to make security awareness training fun and engaging, but there are some guidelines you can use.

  • Include interactive QA every 150-200 words, at the most.
  • Use QA as a part of the actual training - explain both right and wrong answers.
  • Leverage the results of QA to tailor future training.
  • Use QA that is hard, but not too hard - feel free to use multi-select and not just multiple choice.

These are great shortcuts to start making security awareness content more interactive and engaging.

8. Ensure training aligns with remote work

Remote work is, at the very least, one aspect of the new, post-COVID-19 normal. If your company does not do remote work today as its primary form of work, it has to at least support remote work. It is now a must-have function to allow employees to work from home, typically from a mix of company and employee-owned devices.

Remote work, whether primary or secondary as the means of getting things done, has a huge impact on employee security hygiene. The ways in which people connect, the ways they share data, the places they leave their devices, and the conversations they have in public or semi-public areas need to follow good security hygiene practices. The security awareness training you provide needs to help employees understand that the work environment itself impacts the security of their devices, data, and workflows.

9. Train like you use modern technology

Most security awareness training was written before the mass adoption of modern technology like the cloud and SaaS. Almost every company today, from small retail to massive Fortune 100s, uses a mix of cloud technologies and SaaS to operate their businesses. Security awareness training in 2021 needs to cover these technologies.

Good security hygiene in 2021 applies to modern technology, including both the configuration and the management of the technology. This is harder than it seems as the speed of technology, in particular the cloud and IoT devices that collect reams of new kinds of data, is changing rapidly. What is possible in terms of data about people as well as what is possible in terms of securing that data, will be different tomorrow. In order to keep security awareness training effective, it needs to be updated regularly to account for these evolutions.

10. Close the feedback loop with employees

Feedback goes both ways. If your company wants employees to follow good security hygiene practices, they need regular training. Employees need to be able to gauge where they are in terms of comprehension at any time. Also, employees need to be able to provide feedback on what is working and not working with security awareness training.

When it comes to feedback to learners, research shows that more feedback and less teaching is best. This is hard to do with security awareness training, at least at scale. One effective way to do this is to leverage technology and gamification to show learners how they are improving, tell them where gaps in comprehension exist and provide clear learning pathways to fill gaps. At Haekka, we do this through intelligent employee profiles that build upon all interactions with privacy training - time spent on training, questions answered correctly, and categories of questions asked about corporate privacy policies.

On the other side of feedback, one of the missed opportunities with security awareness training is getting feedback from employees and leveraging that employee feedback to continually improve content and delivery. Even if you try to apply all of the above features, there are bound to be areas for improvement or adaptation of training. Feedback should be continuous and encouraged, ideally in some way that makes storage and interpretation of feedback efficient.

How effective security awareness training builds a culture of security

Given the current regulatory landscape and public perception, cybersecurity should be a board level, organizational-mission aligned initiative. The collection, storage, and usage of personally identifiable information (PII) and protected health information (PHI) is a liability, a liability every organization needs to address. To successfully minimize the risk associated with data, organizations need to build and maintain a culture of security. Good security hygiene is imperative for every employee at your company.

Effective security awareness training helps to tactically turn cybersecurity best practices into execution. Ensuring your employees follow best practices is the best way to mitigate risk to your organization and user data. It also makes auditing and security assessments much easier.

When assessing the maturity of your cybersecurity program, the execution of your policies and procedures, which should codify your best practices, falls within the third stage of most maturity models, Implementation. Most audits and compliance certifications in 2020, including SOC 2 Type 2, require that the majority of your requirements are at the Implementation stage. Effective security awareness training gets you much of the way there.

But, there will always be times when employees do not have a playbook or specific steps for the work they are carrying out. In these instances, your workforce is the bridge between your cybersecurity program goals and the actual security of your company's data and networks. The way to succeed in implementing cybersecurity when there is no playbook is to build a culture of security.

A culture of security is just that - a part of the culture of your organization. Much like “customer-first” or “move fast and break things”, security should be a part of decision making. Scaled decision making must align to the highest levels of an organization, which is why cybersecurity must align with organizational mission and values.

Effective security awareness training helps to build a culture of security. It empowers employees to make choices involving cybersecurity, decisions we refer to as security hygiene decisions. It helps promote the execution of cybersecurity best practices across your organization in a safe, low consequence way. It helps identify and target areas for improvement. And it helps to foster cybersecurity champions that can scale good security hygiene across your workforce.

Security awareness training, done right, takes privacy and compliance from a bolt-on or check-box to an integrated part of the way your organization lives and breathes. In doing so, it builds a culture of security that extends trust to your users, customers, and partners.

Haekka security awareness training

Haekka training is built from the ground up to be effective for a modern workforce, modern technology, and growing companies. Our training covers the best practices for cybersecurity and goes into detail on good security hygiene practices for the cloud, SaaS, and remote work.

Haekka is delivered, and employees engage with it, in the tools you use each day, namely communication tools like Slack. Cybersecurity, through Haekka training, becomes part of your employees' day-to-day work and gets baked into the culture of your organization.

Our training is adaptive, making it hyper-focused, relevant, and improving the retention of content. Our training content is continually updated based on the regulatory and technology market so your employees will not fall behind. We use current events, including high profile breaches, to teach security hygiene in a relatable and compelling way.

All Haekka training is logged, meaning you have everything you need come audit time or security assessment time with your partners and customers. Our audit content is detailed and can be exported with real-time data at any time, ensuring you always have the most up to date data for your audits and security assessments.

One of the valuable returns on investment in effective privacy training is that it helps to build and maintain a culture of security. Haekka, using adaptive training and targeted content, helps identify gaps and areas of improvement for your cybersecurity program, meaning you can continually strengthen the role of cybersecurity at your company. All of this translates to reduced risk of security incidents at your company.

We are 100% focused on turning cybersecurity into execution. We empower your employees with relevant training and interactive workflows to ensure your entire workforce has good security hygiene.

Resources for security awareness training

Below are some links to learn more about security awareness training.