Did you know that 90% of successful data breaches in 2017 were caused by human error?
*2017 Verizon Data Breach Report
Security awareness is now regarded as one of the top three security necessities, alongside firewalls and endpoint protection. Its importance is even more pronounced given the strict compliance and audit requirements now placed on organisations of all sizes.
Users, what we like to call the ‘Human Firewall’, are on the front lines of your business, and even the most advanced security controls can’t stop them from willingly, if unwittingly, handing over sensitive access credentials. If you’re not educating your users, you are exposing your organisation to unnecessary and costly risk. Poor email and internet safety, weak mobile security, identity theft, phishing and social engineering can all cause serious damage. But by addressing these growing threats you add a significant layer of protection on top of your existing security measures.
Here are a few tips for managed service providers (MSPs) and SMBs on getting started with end user education:
1. Introduce to Stakeholders
Like any new program, building a foundation for success begins with engaging your stakeholders and management teams. Send an email to management explaining the value of security awareness, and share details and reports from your first phishing and training campaigns. Perhaps;
2. Start out with a Phishing Campaign
Consider starting your security awareness program with an engaging, realistic simulated phishing campaign. The results of the simulation can also be used to demonstrate value to more sceptical or reluctant IT decision-makers. Treat the first phishing campaign as your baseline for gauging the level of awareness your end users already have. Mimic an internal communication from HR or the IT department to get the most eyes on the email.
3. Share results with End Users
Use feedback to inspire smarter habits. A key objective for security awareness training is to engage end users and raise the level of cyber awareness throughout the organisation.
For instance, sharing the results of a simulated phishing campaign can help employees understand the impact of poor online habits and motivate them to practise better behaviours. Security Awareness Training lets admins see who clicked what in a phishing simulation. Bear in mind that the point of sharing results is not to shame the unwitting marks who fell for the scam. Instead, capitalise on everyone’s engagement by sharing an overall statistical report, so users can see whether they clicked or avoided the phishing lure without fear of embarrassment. More importantly, such a report shows the statistics for the organisation as a whole, opening the door to further training programs that fill security gaps and provide a continuous learning experience.
4. Continuous Tailored Training: Set up your phishing and training program
Once end users are engaged and understand the value, the next step is setting up a training program. There is no one-size-fits-all program, but we recommend running at least one to two phishing campaigns per month and a minimum of one to two training courses per quarter. Depending on the needs of each organisation, you may want to increase the frequency and adjust intervals throughout the year.
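One way to build the aggregate, no-names report that steps 3 and 4 call for, as an added example in Python (not code from the original post or from any CT product): it groups constructed simulation results by department, folds departments below an assumed minimum size of five into "Other" so no individual can be inferred, and tracks the organisation-wide click rate from the baseline campaign to the follow-up.

```python
from collections import Counter, defaultdict
# Constructed sample results of two simulated phishing campaigns (not real data).
# Each row is (campaign, department, outcome): "reported" = user reported the lure,
# "ignored" = no action, "clicked" = followed the link, "submitted" = entered credentials.
RESULTS = [
    ("baseline", "Finance", "clicked"), ("baseline", "Finance", "submitted"),
    ("baseline", "Finance", "ignored"), ("baseline", "Finance", "clicked"),
    ("baseline", "Finance", "reported"), ("baseline", "Finance", "ignored"),
    ("baseline", "Sales", "clicked"), ("baseline", "Sales", "clicked"),
    ("baseline", "Sales", "ignored"), ("baseline", "Sales", "submitted"),
    ("baseline", "Sales", "ignored"), ("baseline", "Legal", "clicked"),
    ("baseline", "Legal", "reported"),
    ("followup", "Finance", "reported"), ("followup", "Finance", "ignored"),
    ("followup", "Finance", "clicked"), ("followup", "Finance", "reported"),
    ("followup", "Finance", "ignored"), ("followup", "Finance", "reported"),
    ("followup", "Sales", "ignored"), ("followup", "Sales", "clicked"),
    ("followup", "Sales", "reported"), ("followup", "Sales", "ignored"),
    ("followup", "Sales", "reported"), ("followup", "Legal", "reported"),
    ("followup", "Legal", "ignored"),
]

FAILED = {"clicked", "submitted"}  # both count as falling for the lure
MIN_GROUP = 5  # assumed threshold: smaller departments are folded into "Other"

def department_report(records, campaign, min_group=MIN_GROUP):
    """Per-department click and report rates for one campaign. Departments
    smaller than min_group are merged into 'Other' so nobody can be singled out."""
    groups = defaultdict(list)
    for camp, dept, outcome in records:
        if camp == campaign:
            groups[dept].append(outcome)
    merged = defaultdict(list)
    for dept, outcomes in groups.items():
        merged["Other" if len(outcomes) < min_group else dept].extend(outcomes)
    report = {}
    for dept, outcomes in merged.items():
        n = len(outcomes)
        report[dept] = {"recipients": n,
                        "click_rate": round(100 * sum(o in FAILED for o in outcomes) / n),
                        "report_rate": round(100 * outcomes.count("reported") / n)}
    return report

def campaign_trend(records):
    """Organisation-wide click rate per campaign, to show progress between rounds."""
    totals, failed = Counter(), Counter()
    for camp, _dept, outcome in records:
        totals[camp] += 1
        failed[camp] += outcome in FAILED
    return {camp: round(100 * failed[camp] / totals[camp]) for camp in totals}
```

The report rate is worth publishing alongside the click rate, since a rising share of users who report the lure is the behaviour the training is meant to produce.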
When you start seeing the significant impact that relevant, high-quality, and proven security awareness education has on your employees, you’ll wonder how your business ever managed without it. If you would like to find out more, then feel free to get in touch with our team here at CT.