Does Your Security Awareness and Training Program Account for Changing Work Environments?

May 8, 2020
| |
4 min read

As businesses transition to remote work and many employees adjust to working from home, organizations need to stay focused on people-centric security. People-centric security places the employee in the center of security measures and is designed to reduce the risk of human error. As bad actors transition away from malware-based attacks to more targeted, social engineering-based attacks that reach insiders directly, it is increasingly critical that organizations understand and address the risk of human error on the job.

When designing and building an effective security awareness and training program, the people element is inherently the focus. A shift to remote working demands security awareness and training programs quickly pinpoint an active people-centric strategy to address the needs of changing environments and user populations with different objectives, triggers and learning styles.

The deviation to remote working means organizations are opening up or extending their traditional corporate boundaries to home networks. To threat actors, this means their attack surface area has been significantly increased, and it is now easier to influence insiders to make mistakes. To help combat this broader risk, organizations should remind employees that they are not in a secure shell where all the necessary protections are in place for them.

Education and training on security controls, such as the use of virtual private networks (VPNs), encrypting emails and the use of personal devices, can be a starting point to counteract the newly introduced factors of a remote work environment. This education can be achieved through a security awareness and training program that is flexible yet comprehensive to continuously test that employees take appropriate actions for their various environments and situations.

Building a Continuously Adapting, People-Centric Security Awareness and Training Program

In order to continuously adapt to the changing threat landscape, shifting environments and roles of people, an awareness and training program should include three things:

  1. Training by role(s) to protect against targeted attacks and to meet compliance requirements.
    • Employees could be more susceptible to attacks if the subject of a phishing email pertains to their finance or HR role, for instance. One training does not fit all roles.
    • Provide proper and comprehensive work from home security controls that best fit a remote working environment (corporate IT connected to home/remote environment), which employees can make good use of, rather than selecting out of the abundant, but not necessarily proven, security controls available on the internet.
  1. A management team prepared for real-world cyberattack scenarios in a security operations center (SOC) or corporate IT environment, so they are equipped to competently handle an urgent and challenging event.
  2. Enhanced security skills of the entire organization to counteract a cyber skills shortage in the workforce and special situations that arise.

When designing a security awareness and training program, it should be comprehensive, scalable and tailored to help mitigate organizational risk at any given time. A strong program can also prepare employees and help them properly use work from home tips and advice.

If you don’t have a security awareness and training program or have one that’s not working for you, use the following approach to build a sound one.

A sound security awareness and training program provides a complete, end-to-end and continuous adaptation to security awareness, which will prepare your workforce to protect the organization against targeted attacks and meet compliance in a changing environment.

To build the program, start by defining your program objectives, scope (targeted audience/people), and requirements and success factors (e.g., KPIs).

  • Objectives — Aside from getting the right visibility into your workforce’s security knowledge and awareness, this is where you should think about how a security awareness and training program will reduce risks in your organization and a business justification for your program.
  • Scope — You don’t have to start with a bang but eventually need to cover all of your workforce for specific topics at a minimum (e.g., phishing; everyone has and uses email). What are the high-risk areas and who works in those areas?
  • Requirements/success factors — This should be something you can handle in your organization. Don’t try to boil the ocean. Focus instead on specific threats that may reside in your organization.

Next, establish your leadership support, framework/plan, and artifacts and training guides.

  • Leadership support — You need to be able to sell the benefits. Remind leaders of what it is that they will get from the program — which may include business value, associated risks, time and money required to manage the risk — and that they are part of the risks, not just their teams.
  • Framework/plan — As mentioned above, the plan should be comprehensive, continuous and flexible.
  • Artifacts and training guides — You may use third-party content or develop custom content and guides to target specific audiences. The content absolutely matters. It should touch on changing behaviors and changing threats, and be convincing and enjoyable, too.

Then, assess your current state of knowledge about cybersecurity. You need to have a baseline and find the initial gaps to start with, which should help strengthen the plan and artifacts/training guides mentioned above as well.

The next step is deploying your program based on the established plan. This is where the real work begins. By the way, if you haven’t already figured out, you must have a dedicated team, whether you use your internal team or it’s outsourced. Without a dedicated team, the program will not be sustainable.

Finally, measure and manage your program based on the plan.

  • As the program is continuous and flexible, you will need to track and measure the effectiveness of your program via KPIs and feedback from your audience. Implement changes where needed based on the program reports. These changes may include actual attacks that happened, potential attacks identified from threat intelligence, and employees’ risk profiles depending on their roles and responsibilities.
  • Reports should provide the effectiveness of the program in terms of its objectives. Use reports not only for presenting to leadership but also to reduce overall organizational risks by leveraging your other security tools and processes, such as email security, security information and event management (SIEM) and data loss prevention (DLP) systems.

Businesses need to ensure they build security awareness and training programs that have a people-centric security focus, are flexible and that continuously adapt to changing environments. This will enable programs that continuously learn and measure their effectiveness to the organization, especially in the following cases:

  • Continuously assessing the employees’ awareness maturity on security topics and controls
  • Continuously assessing users’ phishing awareness and their susceptibility to real-world threats
  • Continuously reinforcing user behavioral action and response
  • Continuously refreshing and adapting online and offline training materials for reinforcement

With a sound security awareness and training program, your employees are better prepared to identify, protect and respond to phishing and social engineering attacks, reduce the risk of a security breach and help minimize the overall cost of security incidents.

Learn more about how IBM Security can help build a security awareness and training program for your organization.

Register for the webinar: Building a Security Awareness and Training Program for Your Organization

Charles Chang
Associate Partner, IBM Security

Charles is currently the global leader of IT Risk Management and Compliance Competency in the IBM Security Services Global Center of Competencies (CoC). The ...
read more