Security Awareness Training and why your Business needs it
A human firewall
Technology still has an important role to play in securing your network. The need for firewalls, antivirus, and good passwords is not going away. However, all this technology becomes useless if poorly informed users click a link in a fake email, and enter their password into a fake site, giving the criminals access to your systems. It is easier these days to fool users into giving their passwords away than it is to actually hack the computer system.
Security awareness training is the process of educating your users about the threats and scams that they will face, and how to recognise and avoid them. This should include training on your corporate policies, password policy, staying safe online and more.
Research has shown that the majority of data and security breaches stem from human error. That means your company is potentially just one click away from disaster. You already protect your PCs, laptops and servers from attack with antivirus software, so why should your users be any different?
With large organisations like eBay, Yahoo, the NHS and even NASA being targeted, it’s easy to think that it will never happen to you; but with almost half of all cyber-attacks targeting small businesses, there is a high probability that it will.
Data breaches can be extremely costly with clean-up costs, downtime, lost business, compensation for clients whose data is stolen, and damage to your reputation. Ransomware can be particularly costly, encrypting your files and only decrypting them after large sums of money have been paid.
Security awareness training aims to help your users understand the risks the internet can pose and helps them identify red flags online. Cyber criminals are becoming very sophisticated, using tactics including CEO Fraud, Social Engineering, Drive-by Downloads, Spear Phishing and many more. It’s crucial that users understand the various dangers they will need to deal with.
First Stop IT have teamed up with KnowBe4 to bring you in-depth training to help your users keep your business safe.
How it works
Research has demonstrated that regular security awareness training, together with other steps to reinforce good behaviour, is much better at raising awareness and changing behaviour than annual group training sessions, which tend to be quickly forgotten.
The First Stop in our security awareness programme is to understand where your biggest risks are, and who is in most need of training. To do this, we send a series of carefully crafted fake phishing emails. These emails are completely harmless and are used to see which threats your company is vulnerable to, and which people are most in need of educating.
Once this is complete, we send out a short video to all your employees introducing them to the training programme, explaining what it’s for, and how it’s going to help keep your company safe. Following this the first security awareness training video is sent. This video is the longest in the programme at around 25 minutes and summarises the various threats affecting your employees today.
We will then install a ‘Phish Alert’ button in Outlook. Whenever someone receives an email they believe to be suspicious, they can click the button to report it. They will be rewarded for this action by a message thanking them for being diligent and reporting the suspicious message. Whilst it may not seem much, this act of positive reinforcement helps to keep people diligently looking for suspicious messages, reducing the chance of someone accidentally clicking on a dodgy link.
The programme continues with monthly training videos and online games that can be tailored to your company and customised for your various teams. We will continue to send fake phishing emails of varying difficulty, some easy to spot, some very realistic indeed. Your users will learn to always be vigilant about potential threats and implement the skills they have learned through the training to become your ‘human firewall’.
Benefits to your company
It goes without saying that educating your users to identify the threats of phishing emails and other online scams can greatly improve the security of your company. But if you needed more reasons, here are a few:
- Protect yourself from fines, even if you do get attacked. Being hit with a security breach can leave your reputation in tatters, and risks incurring heavy fines. Whilst the training will reduce the chance of this happening, it will also stand you in good stead if you do get attacked. The ICO considers user training to be a pillar of good security practice, and by doing this, you will help protect yourself from regulatory fines.
- Improve morale, and help people in their home life too. Many people are not confident staying secure online and this is a discreet way to help your employees avoid becoming victims of scams personally.
- Comply with regulatory standards. Many industries now require their suppliers to comply with standards such as Cyber Essentials or ISO27001. If this applies to you, security awareness training is likely to make up part of your compliance activity.
- Obtain cyber-insurance. If you have cyber insurance, or want to get it, you are likely to find that user training is required in order to comply with the terms of the insurance, or to obtain good rates.
- Peace of mind, knowing that your users are prepared and knowledgeable about the threats to your company. You may be well informed, technically literate, and have a great understanding of the threats. Why not make sure that everyone in your business is as savvy as you are?
If you are interested in using Security Awareness Training to improve your business security, why not give one of our experienced consultants a call?