2 December 2021
What is User Awareness Training and Does My Business Need It?
Security breaches are painful, costly, and harmful to an organisation’s reputation, so it is safe to say that prevention is far better than cure. There are, of course, many excellent technologies designed to help, but are you overlooking something equally important? If you’re not already conducting user awareness training, here’s why it is an important consideration.
What is cyber security awareness training?
Cyber awareness training is content built to teach and help personnel understand their security responsibilities, and how their actions can affect risk. The content and delivery of the cyber security training will vary depending on the objectives of the organisation and the existing knowledge of those being trained.
Why is security awareness training important?
A successful cyber-attack is reported every eight minutes in Australia, so it comes as no surprise that cyber security is a growing concern across businesses. Technology alone is not the answer. In a complete cyber security protection strategy, it is critical that people are trained to detect risks and report on potential events before they become significant. While phishing emails are a common battleground for businesses, there are many other types of events that could cause a data, compliance or legal breach. It takes a culture of security awareness to present the best defence.
Does cyber security awareness training work?
As with any training, knowledge of a subject improves when it is a focus. The more effort you put in, the better the return. A one-off training course will improve knowledge, but it can be quickly forgotten. An ongoing approach will provide the best learning outcomes and create more cyber-safe habits. Plus, cyber security risks are constantly evolving, so a single training session could soon be outdated.
What type of cyber security events will users learn about in training?
This is not a one-size-fits-all type of training. Needs will vary according to factors such as industry, level of awareness, user experience, and the types of roles involved. For this reason, custom-built training is the most effective. Content may include checking the legitimacy of emails, the implications of posting work information online, securely sending and receiving files, and password management, including two-factor authentication.
What are the most common user-related risks?
Risks vary, but among the most common are unsafe use of online payments, missing email red flags, poor password practices, and not adhering to a clear desk policy. These can all be very effectively addressed.
How do I know if the training is working?
Testing at the end of each training session will check that the information is understood. To make sure that user awareness is at a sufficient level, it is also worth conducting a phishing simulation. This will pinpoint users who need a little extra help. For one customer who implemented user awareness training, initial testing showed that 50% of users clicked on a phishing simulation, but after ongoing training, this dropped to less than 5%.
Any other advice?
We have found that after an initial session, ongoing training works best in bite-sized pieces that can be completed in five minutes. We use these short, engaging, online knowledge boosters to fit easily in the working day, and tailor content to suit the users involved.