Reducing Risk With Information Security Awareness Training

Information Security Awareness Training Services

We live and operate in a world linked by electronic equipment, services, systems and software, and for the vast majority of the time they work well; they do not, of themselves, make mistakes. Occasionally a system may malfunction, but that is generally down to an error in the way it was programmed or configured, by a human.

So it is with the cyber security threat landscape: security devices such as firewalls, anti-malware and email filtering work pretty solidly in protecting organisations. The vast majority of breaches instead start with an initial foothold gained by manipulating your users, also known as social engineering.

So what should you do?

When it comes to reducing the risk posed by user behaviour and social engineering, there is no single solution. Good logical controls, security practices and policies can reduce the impact of a user or device being compromised.

The final layer of protection is prevention via education: utilising information security awareness training to empower your users to spot suspicious behaviour and attempts to manipulate them.

Where to begin with information security awareness training?

There are a few key considerations when providing training to your users, including:

  • The delivery method, such as in a classroom or via an online course.
  • The frequency of training, such as monthly, weekly or annually.
  • Assessment/testing methods – penetration testing, exams or phishing simulations.


Unsure where to start with information security awareness training?

Frequency

Most information security standards recommend that employees receive a baseline level of security awareness training before being granted access to any systems or information.

In addition to baseline upfront training, Aspire recommends that your users receive regular training, monthly or more frequently, to keep information security at the front of their minds.

A good information security awareness training platform will also provide contextual training that changes with current affairs (such as COVID) and the time of year (seasonal topics such as Christmas), because attackers build their lures around the same events.

Testing

Training your employees is aimed at improving security awareness, but to ensure the training is effective, and to measure that awareness, it is important to have some level of testing.

Many online awareness courses complement the training content with a brief set of exam questions to confirm that users have understood and absorbed the material.

In addition to the training exams, Aspire recommends that companies also conduct regular phishing simulations. While not definitive, these help identify users who repeatedly fall for simulated phishing emails and are therefore more likely to fall for ones sent by criminals. Such users can then be provided with additional training and, potentially, have their access locked down further.

Finally, the most robust testing method for an organisation is a penetration test. The scope of such tests can vary significantly, but a full penetration test will include many methods of social engineering, such as phishing, physical access attempts, impersonation and phone-based social engineering (also known as vishing).

Summary

If you are interested in exploring regular information security awareness training for your employees, Aspire’s Human Risk Management service can be set up and tailored to your business to provide a “set and forget” training platform that automatically enrols new users, provides upfront training for new employees, assigns ongoing training through the year and provides tracking and reporting on training completion.

Additionally, we can arrange for phishing simulations to be provided to test the effectiveness of training and identify users who could do with extra support.

If you would prefer an initial round of in-person training, we can also provide tailored training to specific target groups (for example, senior managers) for maximum engagement.

Ready to discuss your training needs?

Written by: Bob McKay