Security awareness training is a critical activity for raising awareness of security threats amongst your employees. Security is only as effective as its weakest link, which means your employees are often the greatest liability when it comes to information security.
Security awareness training is typically conducted via one of three methods:
- In-house developed training: Often the most cost-effective option, and sometimes the most effective in practice, is to develop your own security awareness training. This may combine open-source materials on general security threats and awareness with specifics that apply to your environment, your policies, and the threats that have actually been observed. These latter elements make the training more practical and help your employees understand its relevance to the way you operate.
- Outsourced training: A more expensive but potentially gold-standard method is to engage an expert security consultancy to develop and deliver the training to your employees. This might be generic or tailored to your organisation. It leverages security expertise and saves your teams the time of developing the training content.
- Online / Platform delivered training: An increasingly common approach is to use online providers or platforms to deliver the security awareness training. Security and compliance platforms either include their own training or integrate with other providers. This training is generic in nature, and can be delivered as modules that you select or as a one-size-fits-all program. It has the benefit of meeting compliance requirements and raising general awareness, but without the tailored content that relates to your own environment, policies, and ways of operating.
In any case, security awareness training should consider the following:
- Security threats like social engineering (e.g. phishing), password attacks and vulnerability exploits;
- Security requirements like those covered in the security policies, e.g. multi-factor authentication, strong password settings, and general security behaviours;
- Compliance requirements, for example how EU personal data is managed to comply with GDPR, or restrictions on Consumer Data Right (CDR) data collected through the CDR regime;
- Incident management and response plans, so that employees know how to handle security incidents; and
- Key resources and contacts: the security team, relevant policies, and plans like the incident management policy and response plans.