Are You Making These 5 Security Awareness Training Mistakes?

Author: Joseph Jachimiec, Security Administrator

Is your company making these five security awareness training mistakes? Read on to discover what they are, why it’s important to fix them, and how to get started on the right path.

Imagine this scenario (this shouldn’t be too hard since we’ve all experienced it):

An email from your bank pops into your inbox. They’re performing maintenance on their website and need you to click on a link and login with your username and password to make sure everything is working. The email also warns that you’d better do it right away or they’ll cancel your account!

Seems kind of strange; you’ve received nothing like this from your bank before. And weird… they’ve made spelling mistakes in the email. Something doesn’t seem right, but it’s from your bank after all, and you don’t want your account canceled.

So you take your mouse, hover over the link and…

What you do next could be the difference between a wonderful day and a lousy day. Your next actions will determine whether you move on to more productive things or whether you open yourself up to months of financial misery and identity theft.

What do you do? How do you react when you receive an email like this? Do you have anything in your mental toolbox to help you determine what to do next?

This is where security awareness training comes in. With proper training (and awareness), you know what to do (and what NOT to do) in these kinds of situations.

What is Security Awareness Training?

According to the training experts at KnowBe4, security awareness training is “a form of education that seeks to equip members of an organization with the information they need to protect themselves and their organization’s assets from loss or harm.”

With that definition in mind, here are five security awareness training mistakes I see businesses make all the time. Is your company suffering from any of these?

1. Training Once

It’s great if your employees are getting at least SOME security awareness training. You’ve made the first step and you’re doing more than many other companies out there. But if you’re training “one and done,” you’re making a big mistake. Humans are creatures of habit, so any training should cater to that. Security awareness training should be continual and consistent.

Here’s a schedule that works at Nahan:

  • Weekly – quick or newsy security tip in Nahan News (weekly newsletter to employees)
  • Monthly – online video training modules, automated email phishing tests, security policy overview (or similar topic) in monthly internal news poster
  • Yearly – security policy training and acknowledgment, HIPAA training, PCI DSS training, etc.
  • Onboarding – introductory security training for new Nahan employees. Includes security policies, physical security, HIPAA awareness, and other training. New hires sign acknowledgment forms for Nahan Human Resources.

So you see, training should be ongoing throughout the year. If you make the mistake of training only once, users will fall into the “out of sight, out of mind” trap regarding security.

2. No Signed Acknowledgements

Nahan not only requires employees to sign security training acknowledgments at the time of hire but each year as well. These acknowledgments help with compliance and risk management. They also identify gaps in training (for example, who didn’t sign an acknowledgment this year and why?). Acknowledgments are also an excellent way for employees to feel like they’ve got some “skin in the game” with our information security program. 

Our acknowledgment forms include agreements to:

  • Read and understand pillar security policies
  • Access the full information security manual for future reference
  • Follow the policies
  • Take part in continual security awareness training

3. Lack of Training Variety

To keep things interesting, it’s a smart idea to include a variety of different training materials for your employees.

I like to use everything from Nahan newsletters, online video training, email training, live classroom training, and everything in between. If you ever get a chance to visit us at the Nahan HQ in Saint Cloud, Minnesota, you’ll even notice a few of our security awareness training posters scattered throughout the building. Content variety will help crush boredom and familiarity and will also catch the eye.

If you’re doing only one or two kinds of training, not bad!

Now try adding a third or fourth format to make your training more interesting (and yes, fun) for your workforce.

4. No Phishing Tests

Again from our friends at KnowBe4, “phishing is the process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters.

Emails claiming to be from popular social websites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering.”

Some Phishing Stats

Phishing is a monstrous problem. Check out these statistics:

  • 65% of US organizations experienced a successful phishing attack in 20191
  • 96% of phishing attacks arrive by email2
  • The average breach costs organizations $3.92 million3 

It’s clear that if your organization is not doing phishing tests, it’s a matter of time before you become part of those stats.

Sending scheduled phishing tests to your personnel is a powerful way to train them when facing something suspicious. Be sure to give them a way to report these and other phishing emails and incidents. Perform phishing tests for email first (the most common form of phishing) and add voicemail and USB phishing later on.

An effective test for USB phishing is to drop a USB thumb drive in the break room or copier room of your office. If someone finds it and plugs it in, the USB drive will “phone home” to your phishing system to let you know it’s been activated. At that point, you’ll know to do some extra training.

I’m happy to report that during our Nahan USB phishing tests, no users plugged the drives into any systems; our trained users found the drives and returned them, without plugging them in.

That’s the power of good security awareness training.

Test at Least Monthly

Since email phishing is the most popular attack vector, send email phishing tests at least monthly. Not only does this expose users to “safe” phishing emails (the more they see them, the more they can tell real emails from phishy ones), it instills actions to deal with real phishing emails when they do come in.

When your people are trained to not click on strange email links, not open unexpected email attachments, and report incidents, you’ll be 90% of the way towards protecting your business from malicious phishing attacks.

5. No Training

The biggest mistake is doing no security awareness training at all.

If your team has email and internet access and you aren’t training them, you’re making them fend for themselves in shark-infested waters — except these sharks are malicious attackers using social engineering, ransomware, phishing, infected attachments, identity theft, and more. You must give your people a fighting chance and security awareness training is the key.

One added benefit I’ve seen with Nahan’s security awareness training program is staff taking their new skills home to teach their families how to protect themselves in cyberspace. They’ve explained social engineering to them and have even asked me if training is available for their families. It is! Nahan makes free online training available to all our families.

Bonus Mistakes!

Want more? Here are other mistakes I’ve seen. Are you guilty of these?

No onboarding security training

New employee orientation is the right time to start security awareness training. If your onboarding program doesn’t include a security module, you’re missing a great opportunity to get new hires involved.

A Nahan orientation includes the following security training modules and more:

You’ll also get our HIPAA awareness training, so you know how to protect health information in case your role requires it.

Not reviewing results or user feedback

Security awareness training should produce a measurable result. You want to see trending improvement with your phishing tests over time, for example. If you don’t see the results you were hoping for, you’ll know it’s time to change up the training you’re delivering. What’s not working? How can you improve the results? Asking questions like this will help guide your program tweaks.

Nahan’s Information Security Leadership Oversight Committee (ISLOC) reviews the results of our various information security awareness training activities. Likewise, Nahan’s third-party security auditors also review our results to help make sure we stay on track with beneficial and measurable training.

Conclusion

It’s easy to make mistakes when rolling out a security awareness training program, but if you focus on results and not perfection, you’ll make measurable progress over the long run.

And that’s the key — consistent progress over time, based on training repetition.

Do that, avoid the mistakes in this post, and your workforce will know exactly what to do (and what NOT to do) the next time they receive that fake bank phishing email.

Have more questions about how we train our employees to protect your data? Contact us today!

1 https://www.proofpoint.com/sites/default/files/gtd-pfpt-uk-tr-state-of-the-phish-2020-a4_final.pdf

2 https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf

3 https://www.ibm.com/security/data-breach

Joseph Jachimiec is a security, IT, and marketing professional. As the Security Administrator at Nahan, he heads up our information security program and is the go-to guy for our customer/third-party security audits and PCI, SOC 2, and HIPAA compliance initiatives. In his spare time, he dreams about what it would be like to have more spare time.

Image by LTDatEHU from Pixabay