This article was written by Nicholas Cozzolino, Director of IT and Security Operations & Kati Wheeler, Senior Manager, Learning & Development
October is Cybersecurity Awareness Month! Every year since 2004, the month of October has been dedicated to raising cybersecurity awareness. Today, 19 years later, cyberattacks and data security breaches continue to grow at a record pace year after year, making cybersecurity awareness more important than ever.
As of 2022, top cybersecurity experts reported that human error caused 9 in 10 data breaches. As a result, businesses recognize that employees pose a significant risk to information security despite strong information technology infrastructures. As the cybercrime landscape continues to change and scams become increasingly sophisticated, organizations are more dependent on employees to be a critical line of defense in preventing a data breach. How can organizations turn employees from a security risk into a security asset? The Bonadio Group achieves this in two ways: by providing a comprehensive security awareness training program to employees and by cultivating a culture of security across the organization.
Security awareness training is critical employee education designed to raise awareness and provide guidance around security threats, risks, and best practices for protecting internal and clients' private information and resources. The goal is to turn employees into security assets by helping them recognize and handle phishing, vishing, smishing, and other threats. Equipping employees with the knowledge and skills to identify and mitigate potential security risks protects the organization from cyber-attacks, security incidents, and breaches.
The Bonadio Group is in its seventh year of providing security awareness training programs to employees. As our program has evolved, we have covered a variety of topics while staying up to date with current global and industry trends. Through our experience, we have identified six critical topics to include in any awareness program.
Six critical topics to include in any awareness program:
- Phishing & Business Email Compromise attacks and how to avoid them
- Password security and management
- Safe internet browsing practices
- Social engineering and other types of cyber attacks
- Reporting security incidents and suspicious activities
- Data protection policies and procedures
These topics apply to any type of organization, but the key to effective training that delivers results is to fit it to your organization's needs. The content must be relevant and relatable, designed to address the unique needs and challenges of your organization. For example, while retail organizations might focus on threats such as supply chain attacks and attacks on IoT devices (such as point-of-sale systems), finance and accounting organizations might focus on social engineering (IRS impersonators) and document exchange service frauds. Including examples of past security incidents and potential threats your organization has experienced is a powerful way to drive employee understanding and action in protecting organizational data. Using examples of email, social media, or recruiting scams that have hit your organization provides real-life scenarios that better equip employees to recognize and report attacks, and employees who see those scenarios are more likely to take ownership of their role in keeping the organization (and their jobs!) safe.
As your program evolves and your culture of security matures, consider including the following six tactics to create a robust program:
- Involve leadership. Leverage the voice of executive and upper management to communicate the importance of information security and the awareness program. When management actively promotes and participates, they demonstrate a commitment to protecting your organization's assets and reinforce the importance of security awareness to all employees. This helps create a culture of security throughout the organization and encourages employees to take security seriously.
- Start at the beginning. Train new hires within their first two weeks on the job. New employees are a hot target for cyber scams. Educate them from the start to establish good habits and nurture a culture of security from the ground up.
- Continuously communicate. Employees should ALWAYS be thinking about security. With the rapid pace of change in the cybercrime arena, fortify your defenses with regular communication to employees about current and future threats and best practices. Continuous reminders keep information security top of mind.
- Ask for feedback. Soliciting feedback is essential for ensuring the program is meeting employee and organizational needs. By gathering annual feedback from participants, you can customize the program to better fit their needs by modifying the content, delivery method, or frequency of training. Soliciting feedback also promotes a culture of security by showing employees that the organization values their input and is committed to addressing their concerns.
- Provide a scam reporting tool. New threats emerge daily. Fill the gap between trainings and communications by providing a resource to your employees to report potential threats. Instruct your employees to forward suspicious emails to someone on your Information Technology team or to your helpdesk ticketing system. The benefit is twofold: it alerts IT of an attack, and you can use the email to train employees on the fly and as an example in future training programs and communication. Your IT team can use free tools like https://checkphish.ai and https://virustotal.com to inspect senders, links, and attachments for malicious content.
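The reporting step above ends with IT inspecting the sender, links, and attachments of a forwarded message. The following is an added example, not Bonadio's own tooling, of a small helper that pulls those indicators out of a reported e-mail so an analyst can look them up with the free services mentioned: it flags a Reply-To domain that differs from the From domain, collects every URL in the text and HTML bodies (including a visible link text that differs from the real href), and hashes each attachment so the hash, rather than the file, can be submitted for a lookup. The sample message is constructed inline; all addresses and hosts in it are placeholders.

```python
"""Extract triage indicators from a reported (forwarded) e-mail.

Added example; the message built by build_sample_report() is constructed
and every address, domain and file name in it is a placeholder.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Crude URL matcher: stops at whitespace, quotes and angle brackets so it
# picks up both href="..." values and bare links in plain text.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def build_sample_report() -> bytes:
    """Construct a fake payroll-themed message: mismatched Reply-To, a link
    whose visible text differs from its real target, and one attachment."""
    msg = EmailMessage()
    msg["From"] = "Payroll <payroll@example.com>"
    msg["Reply-To"] = "payroll-update@example.net"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Action required: confirm your direct deposit"
    msg.set_content("Please confirm here: https://example.net/login")
    msg.add_alternative(
        '<p>Please confirm <a href="https://example.net/login">'
        "https://example.com/hr</a></p>",
        subtype="html",
    )
    msg.add_attachment(
        b"%PDF-1.4 constructed sample",  # constructed placeholder bytes
        maintype="application",
        subtype="pdf",
        filename="direct_deposit_form.pdf",
    )
    return msg.as_bytes()


def sha256_hex(data: bytes) -> str:
    """Hash an attachment so the hash (not the file) can be looked up."""
    return hashlib.sha256(data).hexdigest()


def domain_of(header_value: str) -> str:
    """'Name <user@host>' -> 'host' (lower-cased); '' when no address."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Return the indicators an analyst would inspect for a reported mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    urls: set[str] = set()
    attachments: list[dict] = []

    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""
            attachments.append(
                {"filename": part.get_filename(), "size": len(payload),
                 "sha256": sha256_hex(payload)}
            )
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))

    return {
        "subject": msg["Subject"],
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        # A Reply-To pointing somewhere other than the sender's domain is a
        # common sign the attacker wants answers routed to a mailbox they own.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "urls": sorted(urls),
        "link_hosts": sorted({urlparse(u).hostname for u in urls}),
        "attachments": attachments,
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_report()).items():
        print(f"{key}: {value}")
```

The output is meant to be pasted into the lookup tools by hand: the hosts under `link_hosts` and the `sha256` values are what to check, and `reply_to_mismatch` is the quickest single signal to show the reporting employee when you use their message as a teaching moment.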
- Test the effectiveness of your program. Perform phishing simulations or penetration tests to gauge employee ability to recognize and report fraudulent emails and threats. The goal is to see a continuous increase in the number of reports received and a reduction in the number of clicks on simulated links. When these numbers improve, it is a key indicator that training and communications are making an impact.
Implementing these tactics guarantees an effective security awareness program. It increases employee engagement and moves the needle on creating a culture of security. Training cannot be a one-and-done initiative if you expect to see results.
If you utilize vendor-provided security awareness training and program solutions such as canned live training, automated training, and phishing simulations, keep in mind that in most cases no single tool provides a complete solution. Use these as a supplement while also providing organization-specific content that empowers employees to recognize your organization's unique needs while promoting a culture of security. Invest time and resources to develop and deliver live or webinar-style training that relates directly to your organization; this will have the greatest positive impact. Vendor-provided security awareness content has its place, but it should be a supplement to your program.
Finally, ensure your efforts are worthwhile by measuring the success of your program. Year over year, an impactful program will show continuous improvement within the organization, and you will have the data to demonstrate this. For example, you can measure attendance against the number of security events/incidents over time. If you perform phishing simulations and penetration tests, you can add those results to your metrics. It's important to include participant feedback too. By measuring the success of the program, your organization can identify areas of improvement and make necessary adjustments to enhance the program's effectiveness.
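The "test the effectiveness" tactic and the measurement paragraph above both rest on the same two numbers per simulation: how many recipients clicked and how many reported. The following added example (not Bonadio's own reporting code; the campaign figures are constructed) turns a series of simulation results into click and report rates, fits a least-squares slope to each series so "continuous improvement" becomes a number instead of an eyeball judgement, and skips a campaign with zero recipients rather than dividing by it.

```python
"""Phishing-simulation trend metrics.  Added example with constructed data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Campaign:
    name: str        # label for the simulation run (constructed below)
    recipients: int  # employees who received the simulated phish
    clicked: int     # how many clicked the simulated link
    reported: int    # how many reported it through the scam reporting tool


def rates(c: Campaign) -> dict:
    """Per-campaign click and report rates; None when nobody was targeted."""
    if c.recipients <= 0:
        return {"name": c.name, "click_rate": None, "report_rate": None}
    return {
        "name": c.name,
        "click_rate": round(c.clicked / c.recipients, 4),
        "report_rate": round(c.reported / c.recipients, 4),
    }


def slope(values: list) -> float:
    """Least-squares slope of values against their position (0, 1, 2, ...).
    Negative means the series is falling, positive means rising."""
    n = len(values)
    if n < 2:
        return 0.0  # a single point has no trend
    x_bar = (n - 1) / 2
    y_bar = sum(values) / n
    num = sum((x - x_bar) * (y - y_bar) for x, y in enumerate(values))
    den = sum((x - x_bar) ** 2 for x in range(n))
    return num / den


def summarize(campaigns: list) -> dict:
    """Rates for every campaign plus the trend the article asks for:
    clicks should fall over time and reports should rise."""
    per_campaign = [rates(c) for c in campaigns]
    valid = [r for r in per_campaign if r["click_rate"] is not None]
    click_slope = slope([r["click_rate"] for r in valid])
    report_slope = slope([r["report_rate"] for r in valid])
    return {
        "campaigns": per_campaign,
        "click_rate_slope": click_slope,
        "report_rate_slope": report_slope,
        "improving": click_slope < 0 and report_slope > 0,
    }


# Constructed quarterly results; Q3 was cancelled and has no recipients.
SAMPLE_CAMPAIGNS = [
    Campaign("Q1", recipients=200, clicked=40, reported=20),
    Campaign("Q2", recipients=200, clicked=30, reported=40),
    Campaign("Q3", recipients=0, clicked=0, reported=0),
    Campaign("Q4", recipients=250, clicked=25, reported=100),
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_CAMPAIGNS)
    for row in summary["campaigns"]:
        print(row)
    print("click trend:", summary["click_rate_slope"])
    print("report trend:", summary["report_rate_slope"])
    print("improving:", summary["improving"])
```

Feeding this the same figures each quarter gives the year-over-year evidence the paragraph calls for; the two slopes are also a convenient thing to put in front of leadership alongside attendance and incident counts.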
Developing and maintaining a security awareness program can be time consuming, but providing a robust security awareness program is key to keeping your organization safe and secure. Use this training to turn all your employees into "human firewalls." Employees are your first line of defense against cyber-attacks; turn them into security assets instead of security risks by providing education and building a culture of security.
If you need further guidance or have any questions on this topic, we are here to help. Please do not hesitate to reach out to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.