Security Awareness Training
85% of all data breaches are caused by human error
The 2021 Verizon DBIR identified the human element as the key cause of breaches, with 85% of all breaches related to errors by people. Your security awareness program is the most important cybersecurity tool in your arsenal for preventing cyber security incidents.
Unfortunately, all too often, security awareness training either isn't taken by employees or isn't understood. With boring and irrelevant content, low-quality graphics and click-through drudgery, even training that is taken is quickly forgotten. Organizations are left vulnerable to employee mistakes and cyber attacks. So how can you help your employees to be cyber secure and make your security awareness program a success?
Rely on Security Mentor: we do things differently. We focus equally on cybersecurity and the learner.
Security Awareness Training Model
Your staff are busy, short on time, and focused on doing their work, not on cyber security. How can you ensure your employees learn the critical cybersecurity skills they need to be cyber safe and still stay productive?
Our pioneering Brief, Frequent, and Focused™ training model is the trifecta that you need.
Brief
Ten-minute security awareness training lessons fit busy work schedules.
Frequent
Monthly security awareness training keeps cyber security top of mind.
Focused
Single-topic cyber awareness lessons are easy to learn and remember.
Cyber Awareness Training That Stands Above the Rest
For cyber awareness training to be effective, for behavior to change, people must want to learn. That's why Security Mentor puts equal emphasis on learning and cybersecurity. Our hand-crafted security awareness training lessons are designed to be compelling, relevant, and impactful, ensuring real behavior and culture change.
Interactive & Engaging. Who says security awareness can’t be fun? We use serious games and innovative interactions to teach employees critical cyber security skills. Employees actually take part in cyber awareness training, learning by doing. Fun lessons, rich with high quality graphics, engage users, increasing participation, understanding, and retention.
Relevant & Useful. Our robust cyber awareness training is written by Certified Information Systems Security Professionals (CISSPs). But the real secret is our security awareness lessons are presented in an easy-to-understand format that is relevant for all users in your organization, both at work and in their personal lives.
Training Done Right. Not all security awareness training for employees is equivalent. Training that involves just watching videos and cartoon figures offers low success rates. Our security awareness training is designed to be compelling and sticky by using a combination of instructional design best practices, high-quality graphics and animations, and custom-designed, targeted content.
Day-One Ready Security Awareness Program
You are responsible for keeping your organization cyber secure. Your security awareness program is just one of your many responsibilities. We make it simple and quick to get your cyber awareness training going on day one.
You can rely on our proven methodology, deep cybersecurity knowledge, and security awareness training experts to deliver a comprehensive curriculum of security awareness lessons covering the critical cybersecurity topics that your employees need to know. Our cyber awareness training is designed as packages, customizable to your needs, which we can rapidly deploy to launch your security awareness program.
CORE Security Awareness Training
The Security Mentor CORE training program trains employees on 12 critical security awareness training topics quickly, economically, and effectively. Security awareness courses include:
- Intro to Security Awareness
- Computer Security
- Email Security
- Incident Reporting
- Password Security & Management
- Office Security
- Phishing
- Social Networking
- Web Security
- Public WiFi
- Mobile Security
- Information Protection
ADVANCED Security Awareness Training
The Security Mentor ADVANCED training program addresses key cybersecurity topics and builds upon the foundation laid in the CORE Security Awareness Training program. Lessons include:
- Ransomware
- Social Engineering
- Data Loss Prevention (DLP)
- Safe Disposal
- Internet of Things
- Cloud Security
- Privacy
- Working Remotely
- Travel Security
- Insider Threat
ROLE-BASED & COMPLIANCE Security Awareness Training
The Security Mentor ROLE-BASED & COMPLIANCE training programs focus on providing cyber awareness training for staff who handle sensitive data, or have key responsibilities or positions that require targeted information security training. Lessons include:
- System Administration
- HIPAA
Security awareness training, commonly also referred to as cyber awareness training, teaches employees about cyber security threats and risks (e.g., email attacks, ransomware, data breaches, data leakage, mobile device loss and theft, and insider threats), and provides them with the knowledge and skills needed to protect against a cyber attack, as well as how to avoid making security mistakes. Security awareness training is a key part of organizational cyber resilience.
Online training, also referred to as e-learning, is training that is delivered digitally. A computer or mobile device is used to access the online training. Today almost all online training is delivered either over the public Internet or an organization's Intranet. Benefits of online training include:
- All employees can receive the same training regardless of location; this has become especially important since the COVID-19 pandemic began
- E-learning materials are available 24x7
- Employees can take training at the pace that best fits their learning experience
- Many training programs offer features employees love such as bookmarking (i.e., reopening a lesson where it was last closed) and training completion certificates
Common employee cybersecurity mistakes that awareness training addresses include:
- Falling victim to a phishing attack
- Mobile device is lost or stolen
- Password errors: weak passwords, reused passwords, shared passwords, and inappropriately stored passwords
- Use of shadow IT applications and services
- Inappropriate use or sharing of information
- Failure to encrypt sensitive information
- Attaching unauthorized, insecure devices to the corporate network
- Inadequate software security, including poorly configured and out-of-date software
- Connecting to insecure or malicious Wi-Fi hotspots
- Insecure remote work environments
Gamification is the application of game-based theory as a form of engagement. In online training, trainees earn points, badges, or other rewards for meeting training goals, such as training participation or course completion. Leaderboards are used as another form of engagement using competition to further motivate trainees.
A serious game is an e-learning game designed both to provide enduring knowledge and to teach skills. Serious games are not purely for entertainment, but they do incorporate entertaining elements such as fun, engagement, exploration, problem solving and learning-by-doing as a way of promoting both engagement and learning.
Information security is complex, expansive, and rapidly changing, making it difficult for many employees to understand, let alone apply to their daily work and lives. By using serious games, cyber awareness training can teach the critical skills employees need to understand cybersecurity threats and risks in a way that is both approachable and understandable. Serious games are most effective when they are interactive, engaging and fun, thereby creating a learning experience where people want to learn and the learning is sticky. A good example is how to identify a phishing attack. Just describing what phishing is and how to identify phishing messages can be very dry and difficult to understand, yet a serious game can easily convey the same knowledge by using real examples with interactions that are visually informative and, at the same time, teach and reinforce the ability to identify phishing messages. Hand-in-hand with serious games, using gamification in cyber awareness training provides positive reinforcement, rewarding employees for their training successes such as training completion. Leaderboards provide friendly competition, increasing overall participation, and are especially effective when combined with recognition or rewards for the top individuals and groups. By incorporating serious games and gamification, security awareness training maximizes learning and participation and increases knowledge retention.
Training, especially cybersecurity training, is best delivered in small, digestible bites. The ideal length for a security awareness course is about 10 minutes: long enough to provide real training, but short enough to be easily remembered and to fit into busy schedules. Some security awareness training courses take the approach of being extremely short, lasting only one to three minutes. While this approach can be effective for raising awareness or providing reminders, it is not long enough to explain a cyber threat or cyber risk and then teach the cybersecurity skills necessary to protect against it. Nor is there time to include games and exercises that enable trainees to practice newly acquired skills.
Compliance requirements often mandate cybersecurity training for employees be delivered at least once per year. Annual training might check the box to meet the compliance requirement, but it isn't the ideal way, or even a good way, to train employees. When a large amount of information is delivered all at once, employees not only can't absorb it, but they feel overwhelmed and lose attention. This is even more true for cybersecurity training, which can be technical and complex. Instead, think about how people best learn. Deliver cybersecurity training in bite-sized nuggets that are given frequently. We recommend monthly training. This approach both maximizes learning and employee productivity.
Punishment is never a good approach to employee cybersecurity. Most employees want to do the right thing, but often don't understand what cybersecurity is, why it is important to their organization, how their decisions and actions affect cybersecurity, and what they should do to be cyber secure. Taking a positive approach to help the employee understand their error and why it poses a risk will be the most successful approach to preventing future cyber mistakes. Furthermore, by having an open, positive dialogue with employees, a culture of security is created, one where employees can openly ask questions and feel safe in reporting cyber incidents without recrimination, thereby becoming a strong cyber defense for the organization.
A security awareness program for remote workers should include many of the same topics that are covered in your regular security awareness curriculum. In addition, training should cover threats and risks that are either unique to remote work or hybrid offices, or are of greater concern in these work environments:
- Practicing good computer hygiene (e.g., use anti-malware software, keep software updated, run a firewall)
- Controlling access to devices and data
- Password security and management
- Securely configuring home networks
- Proper encryption of sensitive information at rest and in transit
- Protecting remote offices from burglary
- Working remotely in public spaces
For more information, see our whitepaper on Securely Transitioning to a Remote Workforce: A Checklist to Protect Your Employees. Security Mentor also offers two security awareness programs focused on Remote Worker Security.
Employee security awareness training entails various costs including the following:
- Creating cybersecurity training content
- Designing and implementing the security awareness training courses
- Administering the security awareness program including tracking employee participation
- Regularly reviewing and analyzing training reports
- Employees' time expended to take cyber awareness training courses
Of all the business costs, the single greatest cost is employees' time. Each employee has to go through and complete the cyber awareness program. If the cybersecurity training does not capture employees' interest or if they don't understand it, there are several potential outcomes: a) employees will not take the training at all, or they will not complete it; b) they will take the training as fast as they can to meet the requirement, getting little from it; or c) they will not understand or remember the information security content. When training is of poor quality, the costs are not only the loss of employees' time, but also the organization's financial and management investments. Most importantly, cybersecurity will not be improved, leaving the organization vulnerable to cyber security incidents. This is why it is critical to provide high-quality employee security training that is both engaging and effective.
Security awareness training ROI can be determined in multiple ways, each of which can be used individually or combined to form a more complete picture:
- Reduction in the number of cyber security incidents (e.g., phishing clicks, malicious attachments opened, lost or stolen mobile devices, clean desk violations, weak passwords)
- Increased reporting of cyber security incidents by employees (e.g., suspected phishing emails, suspicious behavior, self-reporting of cyber security mistakes made by employees)
- Legal and regulatory compliance met
- Reduction in business cost of responding to cyber incidents
- Employee engagement and participation in cybersecurity, such as sharing ideas and concerns
- Positive feedback from employees about the cyber awareness program
Repetition creates the strongest learning. Most experts recommend that learning material should be repeated three times to maximize learning and retention. This is even more important for cyber awareness training where some of the concepts can be challenging for employees, and the information is rapidly changing.
Deep fakes are audio or video media manipulated using machine learning, and more recently artificial intelligence (AI), to impersonate a person, so that the impersonated person appears to say things they never said and do things they never did. Readily available software has made deep fakes easy to create. Thousands of deep fakes are now on the Internet, deceiving viewers and spreading misinformation. There is a growing concern in business that deep fakes will be used to commit fraud or to spread misinformation about the health or status of organizations.