So, you’ve finally got budget approval for your security, the downside is it is less than you wanted. Where do you spend it? What can you do to minimize your company’s exposure to attack while at the same time conserving as much budget as possible?
I’d like to offer practical and actionable advice. For over 24 years, my company has been providing security services to organizations around the globe. For that same amount of time, we’ve been giving the same advice to companies that were looking for a place to start and those that were looking for additional security measures that would reduce their risk.
Tried and True
The advice we give to all organizations is that every security plan should contain Information Security Awareness Training (also referred to as InfoSec Awareness).
InfoSec Awareness is essential for anyone that operates a keyboard or mouse in your company. It is an accumulation of security lessons that positively affect the learner and help them to understand the threats that all companies, large or small, face on a daily basis and reinforces how to defend against them.
Its purpose is to heighten awareness on the many ways a company can be compromised and how everyone can contribute to prevent their company from becoming a statistic. A comprehensive InfoSec Awareness course will cover all your bases.
Comprehensive
Many lessons only focus on ransomware or phishing and rarely much more. As important as those two topics are, InfoSec Awareness should be much more. When it comes to your organization’s security, there are several more topics of concern that should be discussed and learned. The goal is to help the learner understand how many possible dangers there are to the organization and themselves, and how their actions can impact the company, both positively and negatively.
Too many people focus on only one or two topics, when in fact a determined hacker will use several different techniques to achieve their cybercrime.
Some of the lessons that should be included are.
- Setting the Foundations for Security
- Phishing
- Malware
- Ransomware
- Spyware
- Identity Theft
- Social Engineering
- Password Selection
- Acceptable Use
- Physical Security
- Working Remotely
- BEC “Business Email Compromise”
- Spear Phishing
- Web-Browsing
- Mobile Attacks
- Social Networking
- BYOD (Bring Your Own Device)
- Artificial Intelligence (AI)
If you feel like this is overkill, you are not alone. Many organizations responses or excuses for not considering InfoSec Awareness are the same.
Their Comments Are
- I can’t ask my employees to take too much security training, they would push back.
- I don’t think training is effective.
- It’s too expensive.
- I won’t know if anyone will take the lessons.
Our Responses Are
-
It’s odd how you would expect that someone who works in construction or in a factory would be put through a training or safety course before working, yet so many don’t look at InfoSec Awareness in the same light. The employee is using a corporate asset or their own computer that could bring harm to themselves or the organization if they don’t have basic security training. The lessons they learn will keep everyone safe. NOTE: Recently, many organizations are making InfoSec Awareness training mandatory, and many cyber insurance companies are pushing for it.
-
Many believe that InfoSec Awareness is not effective, yet the statistics say otherwise. In a recent study, 80% of organizations said that security awareness training had reduced their staffs' susceptibility to phishing attacks. That reduction doesn't happen overnight, but it can happen fast — with regular training being shown to reduce risk from 60% to 10% within the first 12 months.
-
InfoSec Awareness training may be the least expensive and most effective security control you can implement. It costs, in most cases pennies a day per user. A breach will cost you much more in downtime, cost of recovery and reputational damage!
-
Knowing whether a staff member has taken a lesson that your company paid for can be verified by using a LMS “learning management system” that will tell you with certainty if a staff member took the training and how well they did or did not do!
In Conclusion
To wrap up my thoughts, lets just say this - there is no excuse for not providing your staff with the means to defend YOUR organization. It is affordable, it is effective, and it might just save your corporate bacon.
Ask us how much a training strategy will cost your organization, I’m sure you will be pleasantly surprised.