What does a security awareness training program need to include?

An effective security awareness training program can make a significant difference in enterprises security. Expert Mike O. Villegas discusses what makes a good program.

Mike O. Villegas, K3DES LLC

A recent report from Ponemon Institute and Wombat Security Technologies found an alarming number of phishing attacks...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

in enterprises. The report also found that after employees went through a security awareness training program, the number of phishing attacks significantly decreased. What types of information or advice would be effective in a security awareness training session? And what other threats besides phishing attacks should the training focus on?

Ignorance is not a control. As much as people may want to ignore security risks and vulnerabilities, they still exist. A security awareness training program is critical to ensure that employees at all skill levels understand basic security principles to minimize the risk of a breach, fraud or costly mistakes.

The report issued by the Ponemon Institute stated that employees going through a security awareness training program significantly reduces the number of security related incidents, such as phishing attacks.

An effective security awareness training program needs to be:

Informational: Stress the basics, like password controls, phishing emails, suspicious websites and downloads, privacy, physical security and more.
All-inclusive: All employees should go through and acknowledge in writing -- electronic or manual -- that they have undergone annual training and new employee orientation training on information security.
Relevant: Show the significance of not complying with security. Emphasize the risks to the organization, personal identity theft, disciplinary action and possible termination.
Fun: Use animated characters, puzzles, newsletters, contests for correct answers, free cybersecurity videos, cybersecurity posters and more.
Attention-getting: Send fake phishing emails to employees and post results. After being a victim once, they will be much more vigilant going forward.
Not overdone: Security awareness should be integrated in the business culture but with moderation. Schedule event weekly, monthly, quarterly and annual events but keep it light.

In addition to these qualities, ensure that management is familiar with and supportive of the security awareness training program. At least annually, have the CEO record a video or issue a communication for all employees where she stresses the importance of information security and the protection of critical information of its customers, stakeholders and employees. Lastly, make sure you have fun.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Discover how follow-on training can improve security awareness

Learn how user behavior analytics compares to security awareness training

Find out if a security pledge could replace awareness training programs

This was last published in June 2016

Dig Deeper on Security Awareness Training and Internal Threats-Information

Mike O. Villegas asks:

What do you think makes a security awareness program successful?

Join the Discussion

Related Q&A from Mike O. Villegas

What should be included in a social media security policy?

A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media ... Continue Reading

What are the possible benefits of a cybersecurity training center?

A cybersecurity training center could help security professionals continue their education, but are the benefits worth the investment for enterprises... Continue Reading

Should a forced password reset be standard after a data breach?

Yahoo reportedly rejected a forced password reset after numerous data breaches compromised user data. Expert Mike O. Villegas discusses whether this ... Continue Reading

SearchCloudSecurity

Prevent cloud account hijacking with 3 key strategies

The ability to identify the various methods of cloud account hijacking is key to prevention. Explore three ways to limit ...

Security for SaaS applications starts with collaboration

Following established best practices helps enterprises facilitate collaboration and communication through SaaS applications while...

An inside look at the CCSP cloud security cert

Get insights into the Certified Cloud Security Professional cert, cloud infrastructure and platform benefits and risks, and more ...

SearchNetworking

How to secure remote access for WFH employees

The global pandemic caused mayhem on network security environments. Enterprises need to bring rigor back to their systems and ...

What's involved in VPN maintenance and management?

Before an organization's VPN is up and running, IT teams must address four important aspects of VPN maintenance and management to...

The pros and cons of 5G networks

Enterprises are evaluating 5G and its effect on their operations. Before they can start reaping the benefits from the standard, ...

SearchCIO

Enterprise architect job still requires IT in critical role

Jeanne Ross offers advice to existing and aspiring enterprise architects and discusses the latest trends as she reflects on 26 ...

Holy Grail still elusive in enterprise architecture strategy

MIT's Jeanne Ross discusses why enterprise architecture projects succeed and fail and what companies can do to better align ...

Ensuring your cybersecurity teams are helping the business

Business leaders need to review how they're handling cybersecurity oversight. Are leaders asking the right questions and ...

SearchEnterpriseDesktop

Evaluate if Chromebooks are secure enough for business use

Chromebooks are cost-effective endpoints that strip away desktop features for a simple desktop experience. Admins should evaluate...

Set up Windows Remote Desktop on a Mac device

Organizations that need to enable remote workers on Mac devices should consider allowing them to remotely access Windows desktops...

Microsoft Endpoint Manager gets better Mac, iPad management

Microsoft Endpoint Manager will eventually have new tools for securing and managing Macs, iPads and virtual endpoints. A more ...

SearchCloudComputing

The cloud shared responsibility model for IaaS, PaaS and SaaS

The shared responsibility model defines cloud security, but it changes for IaaS, PaaS and SaaS. Get to know the ins and outs of ...

Microsoft's Azure Arc reaches GA milestone

Microsoft has delivered a key component of Azure Arc -- the ability to manage Windows and Linux-based virtual and physical ...

Top 6 complexity challenges of operating a cloud at scale

It's not unusual for enterprises to scale their applications to meet demand, but they need to be aware of the associated cloud ...

ComputerWeekly.com

SSE Enterprise Telecoms makes further investment in UK business connectivity, 5G

UK telco unbundles further 259 BT exchanges by the end of 2021 to significantly grow network, bringing total unbundled exchanges ...

Forensic expert questions US claims that Julian Assange conspired to crack military password

Forensic computer expert Patrick Eller told the Old Bailey that US allegations that WikiLeaks founder Julian Assange attempted to...

Government remains in orbit to develop UK sat nav

Despite experts’ doubts, government confirms it will continue to look at a wider range of options for a sovereign satellite ...

Join the conversation

8 comments

Send me notifications when other members comment.

Oldest

[-]

Mike Villegas - 1 Jun 2016 5:00 AM

What do you think makes a security awareness program successful?

mcorum - 13 Jun 2016 8:20 AM

One training approach from martial arts says “train like you fight, fight like you train.” Along those lines, an effective security awareness program can only be successful if it trains employees like it expects them, to fight - by providing simulated situations that are representative of the real world. It’s also important to remember that the key to security awareness is awareness, so work on helping employees stay aware of security threats.

lattimm - 25 Aug 2016 6:03 PM

In order to obtain the maximum "buy"-in" from the trainees, the training course should also appeal to the "What's In It for Me" motivation and includes elements of enhancing the participants personal security posture.

Including information on home computer security and protecting personal information will help to make the user safer at home, consequently safer at work.

abuell - 1 Jun 2016 1:36 PM

I agree, all employees should be exposed to security awareness training. But ideally the training should also be tailored to employees who are going to be all over the place in terms of their technical knowledge. There should be follow up to ensure that the training is understood by all.

MikeOVillegas - 4 Jun 2016 2:50 PM

I agree. Specialized training in addition to just security awareness is essential. Example, customer service personnel should be trained on what they can or cannot say to a customer on the other end of the line regarding security and privacy. Developers should be trained on secure coding standards so they know how to develop secure code. Security administrators need to be trained on how to provision Users and groups with appropriate access. And the list continues. The point of the article is to emphasize everyone's need for some type of security awareness training. Experience has shown many times employees are exposed to security training during employee orientation and never hear about it again for years until audited or the company has experienced a breach. Thank you very much for your comment. That is the point well taken.

kb1000 - 12 Jun 2016 2:32 AM

One thing you should consider adding to the article is the security threats associated with BYOD. I don’t think most users understand the security risks that their personal devices add to the corporate network. This includes the obvious malware threats from attachments but could also Wi-Fi access to the corporate network.

mcorum - 13 Jun 2016 8:14 AM

It also needs to include or simulate real-life examples. Otherwise, you run the risk of the employees not making the link between the training they receive and their daily tasks. For example, we use a service that sends simulated phishing emails throughout the company which serve two purposes. First, it get’s the employees used to reporting suspected phishing emails. Second, if they click on the links in the email, it provides an opportunity to provide training and feedback in a realistic scenario without the risk.

TomPendergast - 5 Aug 2016 7:25 PM

Nice article, and I think you're right on with keeping it frequent, light, and engaging. I'm all for placing employees in safe situations that emulate the real world and let them practice good behaviors in a game-like environment.

10 tips for cybersecurity awareness programs in uncertain times

Words to go: Types of phishing scams

Coronavirus phishing scams increase amid pandemic's spread

Beat common types of cyberfraud with security awareness

Please create a username to comment.