employee security awareness training

How To Create A Winning Security Awareness Program

As phishing and malware attacks become more prevalent and sophisticated, midsize and large businesses must rely on employees to protect their data. But employees are busy. And security to them is often an afterthought.

If you’re serious about security — and you need to be — answering the right questions, following established guidelines and taking an unconventional approach to security can be a winning formula for mounting an effective defense.

While conducting security awareness training might not seem worth the effort, a well-designed program can generate tremendous benefits.

Harnessing behavioral science, such programs use unconventional methods. Training posters may wind up in bathroom stalls, and tests may include baiting employees with phony phishing emails.

Strengthening The First Line Of Defense

Srinivas Vemula at the IT consulting firm SenecaGlobal has been advising clients on the importance of security awareness training for almost a decade. Although he has seen security awareness methods change over time, one thing has been constant: the need for a staff educated about security and the dangers of online threats.

“Security has always been one of those important topics that gets lost in other company priorities,” said Vemula, the company’s global product management lead. “Recent security breaches could have been prevented if the employees were aware of the current threats and topics. Many of your employees may not have the required knowledge to make informed decisions.”

Such shortfalls happen all too easily. After all, it’s only human to get caught up in one’s daily workload, relegating security to an afterthought, Vemula said.

Security Through Psychology

When trying to educate staff about security, unconventional methods of training may be the best course of action. Since security is generally considered to be boring, it’s important to follow a behavioral model of training in which employees are gently nudged toward the right behavior. Having your employees nudged to do the right thing is a significant trend in security awareness training, Vemula said.

One such method is to leverage software and/or network policies to offload some of the mental burden of having to remember security rules and practices. Using simple safeguards such as programming your systems to lock computers automatically, deploying software that blocks malicious links in an email or using a secure password management system can go a long way.

“A lot of these techniques don’t ask employees to follow any guidelines; the rules push the user to make the right decision and also decrease the number of decisions humans have to make,” Vemula said.

Those decisions, especially having to remember passwords, can be the bane of many users’ existence. Employees hate long passwords. They may hate having to change them even more. Vemula insists that when it comes to password management, a secure password manager that generates strong passwords and stores every password for each app or website works wonders.

If software isn’t for you, a phrase can serve much better as a “password” than a long string of alphanumeric characters.

“It takes a brute-force attacker exponentially longer to identify a phrase than hacking a particular word, even with numbers and characters,” Vemula said.
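To put the passphrase claim into numbers, here is an added example (not from the article or from SenecaGlobal) that compares the brute-force search space of character passwords with that of passphrases built from randomly chosen words. The 7,776-word list size, the guess rate and all function names are assumptions made for the illustration.

```python
import math

# Pool sizes for each scheme. The 7,776-word list size is an assumption
# (the size of a common six-dice word list); the others are character-set sizes.
POOLS = {
    "alphanumeric (a-z, A-Z, 0-9)": 62,
    "printable ASCII incl. symbols": 95,
    "random words from a 7,776-word list": 7776,
}


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` elements chosen uniformly at random
    from `pool_size` possibilities, i.e. log2(pool_size ** length)."""
    return length * math.log2(pool_size)


def min_length(pool_size: int, target_bits: float) -> int:
    """Smallest number of elements from the pool that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average brute-force time: on average half the space is searched before
    the right guess. The guess rate is an assumed attacker capability."""
    return 2 ** (bits - 1) / guesses_per_second


def compare(rate: float = 1e10) -> dict:
    """Entropy of representative choices from each scheme, printed with the
    average time an attacker at `rate` guesses/second would need."""
    cases = {
        "8 chars, alphanumeric": entropy_bits(POOLS["alphanumeric (a-z, A-Z, 0-9)"], 8),
        "8 chars, printable ASCII": entropy_bits(POOLS["printable ASCII incl. symbols"], 8),
        "4 random words": entropy_bits(POOLS["random words from a 7,776-word list"], 4),
        "6 random words": entropy_bits(POOLS["random words from a 7,776-word list"], 6),
    }
    for name, bits in cases.items():
        days = expected_crack_seconds(bits, rate) / 86400
        print(f"{name:26s} {bits:6.1f} bits  ~{days:,.0f} days at {rate:.0e} guesses/s")
    return cases


if __name__ == "__main__":
    compare()
    # Words needed to match a 14-character alphanumeric password (about 83 bits):
    print("words for 83 bits:", min_length(7776, entropy_bits(62, 14)))
```

The figures hold only when each word is drawn at random from the list; a familiar quotation or song lyric is effectively a single dictionary entry and provides far fewer bits than the formula suggests.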

It Starts From The Top

Passwords aside, the most crucial ingredient to any security awareness program is buy-in from top-level executives. According to Vemula, a culture that incorporates an appreciation for security goes a long way toward employee engagement. Consequently, he encourages C-suite executives to assess risk and categorize threats before embarking on any awareness process.

One exercise that has yielded positive results is having executives get together for a red team/blue team exercise.

“It’s a game environment where one team says, ‘I’m going to do a DOS attack on the DNS server’ — and the other team needs to explain how they’ll defend against it,” he said. “These unconventional exercises will expose a company’s blind spots, and are a great part of any security awareness program.”

As 2018 looms, online threats are becoming more powerful and sophisticated. They are spreading faster and likely will be more costly to companies that are attacked. Every company, regardless of size, needs a plan to address what needs to be done if and when an attack occurs.

“There are lots of standard frameworks to get you started, as the government has done a good job in providing information,” Vemula said.

For example, the National Institute of Standards and Technology has a great framework with questions to ask and procedures to follow. Companies can use this framework to kick-start or improve their security programs, he said.

Are you a ‘cyberloafer’? Experts warn employees are spending over two hours a day slacking off online – and say it’s causing major security risks

  • 45% of employees questioned cited surfing the internet at work for personal purposes as the number one distraction at work

  • Research suggests employees each waste an average of 2.09 hours a day

  • Those who scored higher for internet addiction behaviour were also much more likely to have poorer awareness of safety protocols and to be less likely to follow them


The biggest threat to an organisation’s cyber-security comes from within, according to a growing body of evidence.

Employees are frequently putting their companies at risk of hacking by sharing their passwords, using public WiFi networks to send sensitive information, or not protecting the privacy of social media accounts.

But there’s another threat that at first seems innocuous and that we’re all probably guilty of, something that researchers have dubbed ‘cyberloafing’.

A De Montfort University study says that the rise of ‘cyberloafing’ is causing major security issues for firms, as those who are browsing personal sites are less likely to follow corporate security rules.

My research group’s new study shows this practice of using work computers for personal internet browsing can become a serious security threat to a company when it goes too far.

Most companies accept that their employees will occasionally check social media or send personal emails from work computers. But in some cases things can get more serious, with people spending significant amounts of time updating their own websites, watching videos or even pornography.

Early estimates suggested that 45% of employees questioned cited surfing the internet at work for personal purposes as the number one distraction at work.

This can have a big impact on a company’s productivity, with research suggesting that employees each waste an average of 2.09 hours a day while cyberloafing.

But our new study also shows that the more employees engage in serious cyberloafing, the less likely they are to follow the rules and protocols designed to protect the company’s IT systems, and the bigger threat they become to cyber-security.

We asked 338 part-time and full-time workers aged 26-65 about their cyberloafing habits, their knowledge of information security, and behaviour that could indicate internet addiction.

Those who cyberloafed more often knew less about information security. And those who engaged in more serious cyberloafing (such as updating personal websites, visiting dating websites or downloading illegal files) had significantly poorer cyber-security awareness.

Typically, people undertaking more serious cyberloafing were less aware of how to stay safe online and how to protect sensitive information. One reason for this could be that they are so determined to get online that they don’t want to pay attention to information about online safety and ignore the risks. On the other hand, they may believe their companies can protect themselves from anything that might happen as a result of risky behaviour.

Those in our survey who scored higher for internet addiction behaviour were also much more likely to have poorer awareness of safety protocols and to be less likely to follow them.

And those who were serious cyberloafers and potential internet addicts were the greatest risk of all.

As I explain in my recent book Cybercognition, internet addiction is a compulsion to get online, sometimes with the aim of fuelling other addictions to digital activities such as online gambling or shopping. Critically, the drive to get online can be the same as any physical addiction, so the internet acts like a drug for some people.

This means people who show aspects of internet addiction may be more determined to get online at any cost and more likely to try to get around security protocols or ignore advice about online safety.

They may think they know better because they spend so much time online. Or they may not fully understand the risks because they are so absorbed in the online world.

All of this doesn’t mean we should cut off all internet access for employees. Being able to surf the internet is an important part of some people’s work. But excessive use of internet services and work IT systems can put companies at risk, particularly when people are accessing risky websites or downloading programmes from unknown sources.


There are a number of things companies can do to help mitigate the risks from excessive cyberloafing.

As we suggest in our study’s conclusion, some organisations may apply very strict penalties for serious rule breaking.

But providing effective training that empowers employees to identify aspects of internet abuse and seek help could be a more effective management tool.

Helping workers understand the risks of their actions might be more beneficial, particularly where these are communicated through focus groups and talks.

But one thing companies should avoid (and all too often don’t) is simply sending out an email reminder. Research shows that messages about the potential risks to information security sent via email are the least effective. And if you’re deep into a cyberloafing session, an email will be just another corporate message lost in an overloaded inbox.

Why Phishing Alone is Not Enough Awareness Training

Over the last several years, phishing simulations have come to be seen as equivalent to security awareness training. The result is that many organizations are providing only phishing simulation to their employees, and not security awareness training. This trend is a dangerous one, one that may actually lead to greater insecurity.

Why? Organizations are now focusing on only the single threat vector of phishing, admittedly a very serious one, but still one of many.

Cyber-criminals aren’t oblivious to this trend either. They know that leaves the door open for many other types of attacks, or exploitation of vulnerabilities, such as posting of sensitive data to the cloud, mobile device loss or theft, vulnerabilities in IoT-connected devices, social networking over-sharing and over-trusting, and the list goes on and on.

I’ve even heard one security vendor say that you only should do phishing simulation and training on one or two other topics, because that is all employees will remember. That’s good news for cyber-criminals because it leaves other doors open to them.

Why Phishing Simulations Aren’t Enough

A phishing simulation sends simulated, safe phishing messages to employees, then tracks who falls victim to the simulation. The goal is to help employees learn to identify phishing attacks, and to avoid clicking on phishing links, opening attachments, or falling for other phishing attacks like picking up a “lost” flash drive and inserting it into their computer.

If an employee falls for a simulation attack, a well-designed phishing simulation service will direct the employee to targeted training related to that attack. All worthy goals. Phishing, no doubt, is one of the big threats today, and phishing simulation can be a pillar in a strong security awareness program.

Phishing simulations pale in comparison to robust security awareness training: a phishing simulation is targeted training for a single type of threat and is limited in what it can do. It assumes that employees who don’t fall for the attack understand the risks, and for those who do fall for it, it counts on a simple training message being enough for them to learn.

Furthermore, many organizations also face their most serious threats in areas that phishing doesn’t even address. For example, a primary concern of healthcare entities is the exposure of Protected Health Information (PHI). However, many PHI data breaches are the result of lost mobile devices, data posted to the cloud, or improper access. None of those are a result of phishing.

Training: A Negative or Positive Approach

Phishing simulations are often perceived by the targeted staff as a form of entrapment, with negative consequences if an employee falls for the trap. The tricked employee knows they failed the test and that their failure will be reported to management. Adding insult to injury, the just-in-time training may feel more like a punishment, leading to resentment of training. Learning rarely accompanies resentment. Furthermore, once employees leave work and are no longer monitored, there is no incentive for behavior change.

Effective security awareness training is the opposite. Employees are drawn in to learn, and training is presented in a structure that ensures both participation and real learning. Training is fun, relevant and useful for employees both at work and at home.

The Need for Effective Security Awareness Training Is Greater Than Ever

Phishing simulations are not a remedy for all problems and will not fix employees’ risky behaviors alone. According to Gartner in their report Innovative Insight for Anti-Phishing Behavior Management: “Anti-phishing behavior management solutions are not a tool for initiating cultural change. Assess your organizational culture first, and deploy anti-phishing as part of a comprehensive program of security behavior management and education.”

Effective security awareness training trains employees on the breadth of the threats they face daily, as well as the choices they must make, and the risks of their own insecure behavior. The key word here is “effective”. Too many organizations have turned from security awareness training to the quick fix of phishing simulation because they feel training failed to achieve the promise of changing behavior. Most often the failure lies in the specific program.

To be truly effective and change behavior, security awareness training must be as much about eLearning as it is about security. First, present security in a way people can learn. Make training brief and frequent. Long training sessions overwhelm trainees, going in one ear and out the other.

Likewise, sessions presented infrequently fail to reinforce learning. Brief and frequent training is something that effective security awareness training and phishing simulation programs can share in common, but the similarities end there.

Effective security awareness training also captures the employees’ interest and is engaging. Based on eLearning principles, training is designed around how people learn. Interactive training and gamification go a long way towards meeting these objectives. The result is people want to learn.

The Ideal Solution

The need for effective security awareness training is clearly greater than ever due to the ever-increasing data breaches, security incidents, and constant introduction of new technologies and services. Phishing simulation can be a valuable tool in your security awareness platform, but it should always be seen as a supporting element, along with other supporting services like awareness materials and policy tracking.

When implementing a phishing simulation service, you need to adopt as many eLearning principles as possible. Most importantly, make effective security awareness training the foundation of your security awareness program. This will truly drive behavior change and create a culture of security.
