As businesses transition to remote work and many employees adjust to working from home, organizations need to stay focused on people-centric security. People-centric security places the employee in the center of security measures and is designed to reduce the risk of human error. As bad actors transition away from malware-based attacks to more targeted, social engineering-based attacks that reach insiders directly, it is increasingly critical that organizations understand and address the risk of human error on the job.

When designing and building an effective security awareness and training program, the people element is inherently the focus. A shift to remote working demands security awareness and training programs quickly pinpoint an active people-centric strategy to address the needs of changing environments and user populations with different objectives, triggers and learning styles.

The deviation to remote working means organizations are opening up or extending their traditional corporate boundaries to home networks. To threat actors, this means their attack surface area has been significantly increased, and it is now easier to influence insiders to make mistakes. To help combat this broader risk, organizations should remind employees that they are not in a secure shell where all the necessary protections are in place for them.

Education and training on security controls, such as the use of virtual private networks (VPNs), encrypting emails and the use of personal devices, can be a starting point to counteract the newly introduced factors of a remote work environment. This education can be achieved through a security awareness and training program that is flexible yet comprehensive to continuously test that employees take appropriate actions for their various environments and situations.

Building a Continuously Adapting, People-Centric Security Awareness and Training Program

In order to continuously adapt to the changing threat landscape, shifting environments and roles of people, an awareness and training program should include three things:

  1. Training by role(s) to protect against targeted attacks and to meet compliance requirements.
    • Employees could be more susceptible to attacks if the subject of a phishing email pertains to their finance or HR role, for instance. One training does not fit all roles.
    • Provide proper and comprehensive work from home security controls that best fit a remote working environment (corporate IT connected to home/remote environment), which employees can make good use of, rather than selecting out of the abundant, but not necessarily proven, security controls available on the internet.
  1. A management team prepared for real-world cyberattack scenarios in a security operations center (SOC) or corporate IT environment, so they are equipped to competently handle an urgent and challenging event.
  2. Enhanced security skills of the entire organization to counteract a cyber skills shortage in the workforce and special situations that arise.

When designing a security awareness and training program, it should be comprehensive, scalable and tailored to help mitigate organizational risk at any given time. A strong program can also prepare employees and help them properly use work from home tips and advice.

If you don’t have a security awareness and training program or have one that’s not working for you, use the following approach to build a sound one.

A sound security awareness and training program provides a complete, end-to-end and continuous adaptation to security awareness, which will prepare your workforce to protect the organization against targeted attacks and meet compliance in a changing environment.

To build the program, start by defining your program objectives, scope (targeted audience/people), and requirements and success factors (e.g., KPIs).

  • Objectives — Aside from getting the right visibility into your workforce’s security knowledge and awareness, this is where you should think about how a security awareness and training program will reduce risks in your organization and a business justification for your program.
  • Scope — You don’t have to start with a bang but eventually need to cover all of your workforce for specific topics at a minimum (e.g., phishing; everyone has and uses email). What are the high-risk areas and who works in those areas?
  • Requirements/success factors — This should be something you can handle in your organization. Don’t try to boil the ocean. Focus instead on specific threats that may reside in your organization.

Next, establish your leadership support, framework/plan, and artifacts and training guides.

  • Leadership support — You need to be able to sell the benefits. Remind leaders of what it is that they will get from the program — which may include business value, associated risks, time and money required to manage the risk — and that they are part of the risks, not just their teams.
  • Framework/plan — As mentioned above, the plan should be comprehensive, continuous and flexible.
  • Artifacts and training guides — You may use third-party content or develop custom content and guides to target specific audiences. The content absolutely matters. It should touch on changing behaviors and changing threats, and be convincing and enjoyable, too.

Then, assess your current state of knowledge about cybersecurity. You need to have a baseline and find the initial gaps to start with, which should help strengthen the plan and artifacts/training guides mentioned above as well.

The next step is deploying your program based on the established plan. This is where the real work begins. By the way, if you haven’t already figured out, you must have a dedicated team, whether you use your internal team or it’s outsourced. Without a dedicated team, the program will not be sustainable.

Finally, measure and manage your program based on the plan.

  • As the program is continuous and flexible, you will need to track and measure the effectiveness of your program via KPIs and feedback from your audience. Implement changes where needed based on the program reports. These changes may include actual attacks that happened, potential attacks identified from threat intelligence, and employees’ risk profiles depending on their roles and responsibilities.
  • Reports should provide the effectiveness of the program in terms of its objectives. Use reports not only for presenting to leadership but also to reduce overall organizational risks by leveraging your other security tools and processes, such as email security, security information and event management (SIEM) and data loss prevention (DLP) systems.

Businesses need to ensure they build security awareness and training programs that have a people-centric security focus, are flexible and that continuously adapt to changing environments. This will enable programs that continuously learn and measure their effectiveness to the organization, especially in the following cases:

  • Continuously assessing the employees’ awareness maturity on security topics and controls
  • Continuously assessing users’ phishing awareness and their susceptibility to real-world threats
  • Continuously reinforcing user behavioral action and response
  • Continuously refreshing and adapting online and offline training materials for reinforcement

With a sound security awareness and training program, your employees are better prepared to identify, protect and respond to phishing and social engineering attacks, reduce the risk of a security breach and help minimize the overall cost of security incidents.

Learn more about how IBM Security can help build a security awareness and training program for your organization.

Register for the webinar: Building a Security Awareness and Training Program for Your Organization

More from Security Services

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

How I Got Started: Offensive Security

3 min read - In the high-stakes world of cybersecurity, offensive security experts play a pivotal role in identifying and mitigating potential threats. These professionals, sometimes referred to as “ethical hackers”, use their skills to probe networks and systems in search of vulnerabilities, ultimately helping organizations fortify their digital defenses. In this exclusive Q&A, we spoke with a seasoned offensive security professional. Benjamin Netter is a cybersecurity expert and the founder and CEO of Riot, a cybersecurity platform created for employee protection. His goal is…

3 min read

Is Your Critical SaaS Data Secure?

4 min read - Increasingly sophisticated adversaries create a significant challenge as organizations increasingly use Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) to deliver applications and services. This mesh of cloud-based applications and services creates new complexities for security teams. But attackers need only one success, while defenders need to succeed 100% of the time. Organizations are contending with an exponential rise in advanced threats that are not only increasing in volume but also sophistication. The IBM Cost of Data Breach Report 2022 found…

4 min read