Pitfalls To Avoid With Your Security Awareness Training (SAT) Program

If you’re tasked with securing your organization, your employees are usually one of the first priorities. Malicious actors know that employees are often an easy way to break into a company and many of the most common types of attacks target employees. These can include:

• Phishing: Spam emails that try to get an employee to click and download a malicious link or enter their credentials on a site impersonating a legitimate log-in page.
• Business Email Compromise (BEC): Hackers will send an invoice or a similar kind of email to a key employee who would be able to initiate a wire transfer. It’s an easy way for hackers to siphon cash from a business.
• Brute Force/Account Takeover: If your employees use weak passwords or aren’t careful with their accounts, a bad actor may be able to find their way into an account, compromising your organization.
• Social engineering: These can include impersonations of IT, HR, or finance where employees are asked to give up sensitive files or information that can damage an organization.

Many of these attacks have surged dramatically since the pandemic. The Anti-Phishing Working Group (APWG) reported that June 2021 saw over 200K phishing attacks, the third-worst month since they began tracking, carrying a trend of a record number of attacks in the first half of 2021.

Ransomware is also on the rise in a major way, with the banking industry seeing a 1300%+ increase in ransomware attacks in 2021.

While there are risk mitigation tools and processes that can prevent and reduce the risk of attacks, employing a security awareness training (SAT) program can be an extremely effective way to ensure your employees aren’t a risk vector due to their lack of knowledge. However there are a number of pitfalls you should avoid to ensure the program is as effective as possible.

Here’s a list to keep in mind.

Pitfall #1 - Running Security Awareness Training Once A Year (or just during onboarding)

Many security awareness or cyber awareness training programs are conducted either once a year or done during onboarding. However, this runs into a number of issues.

Security awareness training programs aren’t updated

If you’re using the same SAT program you used three years ago or even farther than that, you’re probably using outdated information and may not even be addressing common or critical risks your employee is likely to face.

Your SAT provider should be updating their program constantly and you need to validate that the security training is updated and offering up-to-date solutions to potential threats or vulnerabilities.

Security training is not a priority for new employees

During the onboarding process, employees aren’t thinking “how can I keep the company safe?”, it’s “how can I do my job?” Security and cyber awareness training just isn’t a priority for a new employee — depending on how inconvenient it is, the training may just go in one ear and out the other, largely erasing any security benefits the SAT program is designed to provide.

Pitfall #2 - Not testing or following up with simulated tests

Security awareness training should be an ongoing effort as long as it’s reasonable. Realistically, you don’t want to take up all your employees’ time training them on how to be secure. But having employees pass a test or a one-time training program is too point in time and doesn’t apply any real-world scenarios.

Many SAT program providers also provide simulations or tests in the form of phishing or social engineering tests. This will help you see whether your employees in key departments know what to do in the face of a potential spam, phishing, or BEC email attack.

Not only is it important to know that they won’t mindlessly click on or download any attachment. They should also be alerting you and flagging the email. Real-world tests and simulations allow you to spot employees or departments who may not be prepared. This isn’t an opportunity to shame or publicly denounce the individual or department, it’s just a way to prioritize who needs additional training and follow-ups.

Pitfall #3 - Having a standardized SAT for all employees

Not all employees carry the same risk and your security training should reflect that. Some key employees include:

• Those with access to sensitive assets, accounts, or parts of your network that can cause significant damage if infiltrated or exposed.
• VIP/Executive-level employees who can accidentally leak sensitive info, details about future plans, or valuable IP if their accounts are compromised
• The finance department who, if compromised, can lead to financial losses or the HR department who usually keeps all the personal data of your company’s workforce.

As you build out your security awareness training programs, you should consider these different types of risk and priorities. A starting point could be:

• Baseline SAT: This is the minimum amount of security training that all employees should have.
• Critical Departments: This is tailored by departments and accounts for the kinds of compromises your organization may suffer if one of these departments are targeted. Key departments can include: engineering & development, HR, finance, legal.
• VAP (Very Attacked People): This refers to specific individuals who may be most targeted by attackers, either due to their high profile and unique access to specific data or because they are one of few people who can deliver a specific payload to a hacker (for example, this could be the person to approve invoices). Keeping them in mind and providing VAP-specific training is essential.

Establishing a robust Security Awareness Training program

Having a strong and effective Security Awareness Training program is a process and will take some time. There are some fundamental and basic steps to take and you should look for opportunities to further build out the program in order to truly educate your employees. Here’s a sample timeline for having a strong SAT program.

• Establish an SAT program accessible to all employees, new and old. This will provide a baseline of education and training and will ensure your employees are at least aware of the risks.
• Keep an annual SAT program. As part of this step, you should also validate the program and ensure it’s up to date and addresses the attacks your employees are likely to face.
• Identify VAP (very attacked persons). You want to do this sooner than later because by definition, these individuals are more susceptible to attacks and because the risk to your organization is higher if the employee is compromised. This means deploying very specific training material as well as establishing processes to follow in case of an attack or compromise.
• Follow up with real-world simulations. You’ll be able to spot laggards in your environment who may accidentally be exposing your organization to risk or are more susceptible to attacks.
• Identify key departments that require specific training. This can be as simple as including an addendum to the annual training that only a few departments sees. However, the more tailored to the department, the more effective it will likely be.
• Have supplemental or advanced security and cyber awareness training programs. You can use this for the individuals or departments that fail to pass any simulations or tests and you can also provide this as a voluntary benefit for those who want to educate themselves further (depending on budget, you can provide a reward for those willing to undergo more training).

Make sure SAT is complimenting your other security efforts

Empowering employees with knowledge to spot and raise the alarm in case of an attack is important but your responsibility doesn’t end there.

Ensuring you have foundational prevention, detection, and response capabilities (via tools, vendors, partners, etc) is a part of a strong overall security posture. In case of a compromise, these kinds of tools, coupled with knowledgeable employees will help you recover faster while identifying what went wrong so it doesn’t happen again.

Be sure to disprove these cyber security myths in your SAT training.