By Jason Hoenich on Aug 21, 2018
A single person at a subsidiary of Anthem, the second-largest health insurer in the country, clicked on a phishing email. This one click allowed someone to hack the personal information of 78.8 million Anthem customers. The cost was estimated at over $100 million (CSO).
The incredible damage done by a single mouse click illustrates the importance of security awareness training (i.e., the training that protects the company data of an organization by creating immediate and permanent changes in employees’ behavior). Security is not just a matter of installing technological safeguards, but ensuring that people act properly. The National Institute of Standards and Technology (NIST) warned, “Failure to give attention to the area of security training puts an enterprise at great risk because security of agency resources is as much a human issue as it is a technology issue.”
Many governments and corporations have invested in security awareness training programs. Gartner estimates the security awareness training market will grow to $10 billion by 2027. These trainings protect enterprises from data breaches and are necessary in certifying compliance with a wide number of regulatory standards, including:
- Federal Information Security Management Act (FISMA)
- Gramm–Leach–Bliley Act (GLBA)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
Ironically, the need for compliance with standards can actually cheapen the quality of security awareness programs. Both executives and workers may ignore the outcomes of the training because they view it as just jumping through hoops to meet regulations.
In addition to regulatory compliance, what should the outcomes of security awareness training be? Establishing clear goals is essential to the rollout of a program. If leadership doesn’t understand what the training is supposed to do, they won’t buy into it. Not only will program administrators find themselves justifying the training over and over to skeptical executives, but workers will sense their superiors’ disinterest and follow their lead.
Goals should be determined according to the specific needs of the company, its culture, and its language. There are a number of ways of expressing the chief deliverables of security awareness training, including:
- Nurturing a culture of security.
- Creating a secure-minded workforce.
- Communicating correct security behavior.
- Protecting the organization’s reputation.
- Strengthening the human element of security risk.
No matter how you phrase it, it all boils down to affecting people’s conduct. Security awareness training increases safe behaviors.
Unfortunately, some security awareness training is conducted by people who have no experience in influencing behavior. Because information technology (IT) departments set the security standards, IT professionals often do the training. IT experts understand cyber hacking, but they are not in the business of communicating, educating, or altering behavior. Effective security awareness training requires the soft skills of persuasion, not just the hard skills of technology. As Jason Hoenich, founder and Chief Product Officer for Habitu8, puts it, “What we're doing is security marketing. It's no different than Super Bowl ads. We're just trying to capture attention and change behavior.”
Just like marketing, security awareness training has struggled with metrics. Executives often demand proof of ROI in security awareness programs.
Measuring people’s behavior is difficult, but not impossible. After a successful security awareness training, your organization should experience:
- Fewer data breaches.
- Less work time lost to security problems.
- Fewer responses to phishing emails.
- Quicker response times to fraud attempts.
- Increased employee reports of fraud attempts.
- Decreased employee efforts to access unauthorized webpages.
- Greater knowledge of personnel’s responsibilities and risks.
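Several of the outcomes above (fewer responses to phishing emails, quicker response times, more employee reports) can be read directly off the results of a phishing simulation if you record them consistently. The script below is an added example, not part of the original post or of Habitu8’s tooling; it computes click rate, report rate and median time-to-report for two constructed campaigns, one run before training and one after, and shows the change between them. All event data, campaign names and user IDs are made up for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class SimulationEvent:
    """One recipient of one simulated phishing email (constructed record)."""
    campaign: str
    user: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None   # None if the user never clicked
    reported_at: Optional[datetime] = None  # None if the user never reported it

def _build(campaign, sent_at, clicks, reports, n_users=10):
    """Expand a compact spec (minutes after send, per user) into event rows."""
    rows = []
    for i in range(1, n_users + 1):
        user = f"u{i:02d}"
        rows.append(SimulationEvent(
            campaign, user, sent_at,
            clicked_at=sent_at + timedelta(minutes=clicks[user]) if user in clicks else None,
            reported_at=sent_at + timedelta(minutes=reports[user]) if user in reports else None,
        ))
    return rows

# Constructed sample data: a baseline campaign and a post-training campaign.
SAMPLE_EVENTS = (
    _build("2018-Q1-baseline", datetime(2018, 3, 5, 9, 0),
           clicks={"u01": 5, "u02": 12, "u03": 30, "u04": 45},
           reports={"u05": 90})
    + _build("2018-Q3-post-training", datetime(2018, 9, 10, 9, 0),
             clicks={"u04": 20},
             # u04 clicked first and then reported; both events are counted.
             reports={"u01": 3, "u02": 7, "u03": 15, "u04": 25, "u05": 40})
)

def campaign_metrics(events, campaign):
    """Click rate, report rate and median minutes-to-report for one campaign."""
    rows = [e for e in events if e.campaign == campaign]
    if not rows:
        raise ValueError(f"no events for campaign {campaign!r}")
    sent = len(rows)
    clicked = sum(1 for e in rows if e.clicked_at is not None)
    reported = sum(1 for e in rows if e.reported_at is not None)
    delays = [(e.reported_at - e.sent_at).total_seconds() / 60
              for e in rows if e.reported_at is not None]
    return {
        "sent": sent,
        "click_rate": round(clicked / sent, 3),
        "report_rate": round(reported / sent, 3),
        # None when nobody reported: avoids a misleading "0 minutes".
        "median_minutes_to_report": round(median(delays), 1) if delays else None,
    }

def compare_campaigns(events, before, after):
    """Change in each metric from the 'before' campaign to the 'after' one."""
    b, a = campaign_metrics(events, before), campaign_metrics(events, after)
    out = {
        "click_rate_change": round(a["click_rate"] - b["click_rate"], 3),
        "report_rate_change": round(a["report_rate"] - b["report_rate"], 3),
    }
    if a["median_minutes_to_report"] is not None and b["median_minutes_to_report"] is not None:
        out["median_minutes_to_report_change"] = round(
            a["median_minutes_to_report"] - b["median_minutes_to_report"], 1)
    else:
        out["median_minutes_to_report_change"] = None
    return out

if __name__ == "__main__":
    for name in ("2018-Q1-baseline", "2018-Q3-post-training"):
        print(name, campaign_metrics(SAMPLE_EVENTS, name))
    print("change:", compare_campaigns(SAMPLE_EVENTS,
                                       "2018-Q1-baseline", "2018-Q3-post-training"))
```

Report rate and time-to-report are usually the more telling numbers: click rate alone can be driven down by a single easy campaign, whereas a rising report rate shows employees actively doing the right thing. Keeping the same recipient population and a comparable lure across the two campaigns is what makes the comparison meaningful.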
The behaviors you affect (and measure) should be decided after a careful examination of your organization’s strengths, vulnerabilities, and priorities. For example, stolen credentials are a major problem for retail companies, while organizations in the accommodation field are especially vulnerable to fraud at the point of sale (POS) (Verizon’s 2018 Data Breach Investigations Report).
When crafting the goals of your security awareness program, be sure to talk to the employees about their concerns. You will not only gather important information, but you will also create buy-in from the staff.
A good template for an effective security awareness program can be found in our Security Awareness Program Plan & Strategy Guide.