Security Awareness: When preparatory protective measures are discussed, the term security awareness training comes up more and more often. The topic is now being discussed even in medium-sized companies. The realization that protection with traditional security technologies alone is no longer sufficient is maturing; it must be accepted that investments in new technologies alone cannot solve the problem. Instead, investments must also be made in organizational measures and thus in employee training.
But there are misunderstandings here, because a one-time security awareness training, in the simplest case a session in a classroom-like atmosphere, will only lead to short-term effects, not to the desired long-term ones. That is why a single security awareness training is not enough; a security awareness program is required. The term alone shows that this means continuous training and further education. But what should such a program look like, and what options are there for its design?
The following five tips serve as a guide when implementing a security awareness program:
Security Awareness: Adapt Security Policies
First, the existing security policies should be checked and brought up to date; all employees must have read and signed this document. In addition, it helps all employees if clear guidelines for dealing with recognized phishing emails are formulated. As a rule, these should be forwarded to the security department and moved to the designated spam folder. A poster or a cheat sheet with an overview of the essential so-called red flags helps to identify the signs of a phishing email quickly.
Security Awareness Training Must Take Place Regularly
The training courses make perfect sense, but it has to be possible to measure a learning curve. This curve can only be achieved if employees regularly undergo such training and are tested. A frequency of half an hour every two to three weeks has proven itself. In addition, test phishing emails that appear genuine but are harmless are an excellent addition to more theoretical content.
The training courses must be part of the program and accordingly be supported with accompanying measures. It can make perfect sense to add several playful approaches that are also competitive. Different teams or departments can compete against each other for a small trophy (or a challenge cup). All new employees should be trained accordingly during the onboarding process and confronted with security awareness measures from the start.
Carry Out Internal Training Courses
Another recommendation is to include content in the program that is department-specific. The accounting department is confronted with different phishing emails than the management. Marketing, for example, receives more offers, the HR department receives phishing emails in the form of applications, and fake invoices are preferably sent to management and accounting. Accordingly, a training session must also deal with such examples and, in a dialogue with the employees, determine which forms are already known and which have so far rarely occurred.
Varied And Understandable Content
And now to the most crucial topic in a security awareness program, namely the content. It has to be varied. It has to be understandable. It has to reach employees where they come into contact with security in their daily work. Sometimes a poster on the toilet door can be helpful, but sometimes it is a little comic next to the screen that reminds you every day of the first and most essential warning signs of phishing. The same content does not work for every employee, so variety is necessary.
Introduce A Security Culture
The aim of every program should be that, in the end, there is a change in the corporate culture in which a security culture finds its way. Nobody needs paranoid employees who trust nothing or anyone. This is the wrong way to go, just like working with punishment. Employees need to be motivated and informed, not deterred. For this reason, constant dialogue and exchange of information about what has been taught and learned are essential.
Employees do not have to be managed. They have to be encouraged. If this motto is heeded, it is possible to create an authentic security culture, which consists of employees who take security seriously but deal with the topic confidently and without fear, without needing to know many technical details. A healthy security culture enables employees to identify threats, understand why they pose a threat, and act safely.
The Increasing Importance Of Security Awareness
Security awareness is increasing in importance. The reports on companies with IT security problems are becoming more and more detailed, because readers increasingly encounter cybercrime through their own experience with digitization. Last but not least, this trend means that companies, when they invest in training, find attentive employees. This initial curiosity must not be slowed down with boring lectures. Instead, those who deliver exciting content in various formats will win the main prize: security-conscious employees.