A Practical Guide to Building a Security Awareness Program


Thinking Like a Criminal Hacker

A popular philosophy in cyber security is to “think like a criminal hacker”. So, let’s do a thought experiment. If you were a criminal, how would you attack your organization?

One choice would be to attack your network. This could involve extensive reconnaissance to map your network topology, identify open ports and running services, and look for vulnerable systems.

A second choice is to conduct a phishing attack to trick users into providing their credentials, installing malware, or paying fraudulent invoices.

Which would you choose?

The first choice – a network attack – requires malicious hacking skills, a lot of work, and no guarantee of success. Most organizations have at least basic defenses to stop casual attacks. You may get a foothold then be detected and have to start over again or choose another target.

The second choice – a social engineering attack – requires very little work and only modest skills. You simply identify employees on LinkedIn, craft a few emails, and send them off to dozens or hundreds of users. You can even attack multiple organizations simultaneously. Tricking a single employee allows you to launch a ransomware attack, steal credentials for a deeper attack, or make quick money with a fake invoice. Criminals can also turn to “Phishing-as-a-Service” (PhaaS), where they “rent” ready-made phishing kits on the dark web. These services provide criminals with phishing templates, email lists, and automated tools to scale their attacks easily. With PhaaS, even criminals with minimal technical skills can launch sophisticated social engineering campaigns, targeting multiple companies simultaneously.

Pretty simple choice, isn’t it?

Insiders Also Present Risk

Criminals prefer social engineering attacks because they are simple and effective. Users are busy and make mistakes. They want to respond to “the IT help desk” when they receive an email that asks them to enter their credentials. They want to be responsive to the email that appears to be from a senior executive asking them to pay an invoice quickly.

But busy users present other risks as well.

To be clear, not every insider is a threat, but anyone who handles sensitive data can present risk. For example, from 2015 to 2023, over 100,000 emails intended for military personnel were sent to an email server in Mali when senders inadvertently ended email addresses in “.ml” instead of “.mil”.

A study at Stanford University found that 88% of all breaches are caused by human error. This can include sending data to an incorrect email address, losing a laptop or phone, using personal cloud storage accounts, or adding sensitive data to emails. The World Economic Forum believes the problem is worse. They found that 95 percent of cybersecurity incidents occur due to human error. These errors can result from work pressure, distractions, and unclear policies and procedures for handling sensitive information.
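The “.ml” instead of “.mil” mistake above is the kind of error a technical control can catch before a user ever sees a training slide. The following outbound-recipient check is an added example written for this guide, not code from the article or from any vendor it mentions: it holds a message for review when a recipient’s domain is within one edit of a domain the organization trusts. The trusted domains and the addresses being checked are constructed placeholders.

```python
"""Outbound-recipient lookalike-domain check (added example, not from the article).

Flags e-mail recipients whose domain is a near-miss of a domain the organization
routinely sends sensitive mail to, e.g. "example.ml" vs "example.mil".
All domain names here are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed list of domains the organization trusts for sensitive mail.
TRUSTED_DOMAINS = {"example.mil", "partner.example.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    recipient: str
    decision: str  # "allow" or "hold"
    reason: str


def check_recipient(address: str,
                    trusted: Iterable[str] = TRUSTED_DOMAINS,
                    max_distance: int = 1) -> Verdict:
    """Allow exact trusted domains; hold near-misses of a trusted domain for review."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return Verdict(address, "allow", "trusted domain")
    for t in trusted:
        d = levenshtein(domain, t)
        if 0 < d <= max_distance:
            return Verdict(address, "hold",
                           f"{domain!r} is {d} edit(s) away from trusted {t!r}")
    return Verdict(address, "allow", "no lookalike match")


def held_recipients(addresses: Iterable[str]) -> List[Verdict]:
    """Return only the recipients that should be held, for a mail-gateway hook."""
    return [v for v in map(check_recipient, addresses) if v.decision == "hold"]


if __name__ == "__main__":
    # Constructed sample recipients: one correct, one typo'd TLD, one unrelated.
    for v in map(check_recipient, ["jane@example.mil", "jane@example.ml", "bob@gmail.com"]):
        print(v.decision.upper(), v.recipient, "-", v.reason)
```

The check deliberately compares the whole domain, so a subdomain of a trusted domain (mail.example.mil) is not flagged; with max_distance=1 very short trusted domains can produce false positives, so tune the threshold per domain or compare the registrable name and top-level label separately if that becomes a problem. A hold is a prompt for the sender to confirm the address, which is the behavior training tries to instil in the first place.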

Why Organizations Need a Security Awareness Program

The biggest obstacle to protecting your organization from cyberattacks and inadvertent errors is often lack of training. Users without adequate cybersecurity training or education on data protection best practices may not fully understand the potential consequences of mishandling sensitive data, leading to unintentional errors. Social engineering attacks work because your users are focused on doing their jobs, not on security.

Security awareness training gives employees the knowledge and skills needed to recognize and avoid potential threats, reducing the likelihood of mistakes that could lead to successful social engineering attacks and accidental data breaches.

Implementing a security awareness program also fosters a security culture in the organization, creating a “human firewall”. As users become more vigilant and proactive in identifying and addressing potential threats, they contribute to a more secure working environment. 

Finally, a security awareness program is a cost-effective measure to reduce the risk of costly cyber incidents. According to IBM’s Cost of a Data Breach Report 2024, the average cost of a data breach is now $4.45 million globally, with human error and compromised credentials being significant factors. By investing in proactive training to prevent these vulnerabilities, organizations can avoid the steep expenses associated with data breaches, making security awareness training a more economical and preventive approach.

Why Some Security Awareness Programs Fail

Not all security awareness training programs are successful. The reasons some fail are consistent:

  1. “Tick box” Approach to Security Training: Some organizations treat security awareness as a compliance requirement rather than a valuable educational opportunity. This approach can result in uninspiring training that fails to engage employees, leading to poor retention of information and continued risky behavior.
  2. Event-based Training: Many organizations approach security awareness training as a one-time event rather than an ongoing process. When training sessions are events held once or twice each year and not reinforced, students do not retain knowledge. Successful programs require a sustained effort to keep security practices at the forefront of employees’ minds.
  3. Uninspired Training Content: If training materials are boring or outdated, employees are less likely to participate actively or retain what they learn. Engaging content that reflects real-world scenarios and incorporates interactive elements can significantly enhance the learning experience.
  4. Failure to Collect Metrics: Organizations that do not measure the impact of their programs may miss opportunities to refine and adapt their training to better meet the needs of their workforce.

Building a Successful Security Awareness Program

Organizations of any size can build a successful security awareness program by following key best practices:

  1. Get Executive Support: Any enterprise initiative requires executive support for success. If organizational leaders don’t embrace the need for a security awareness program, they are likely to view it as an impediment to productivity. Senior management must sign up for the same rules (and training) as rank-and-file employees. Regular messaging directly from senior leadership about the need for cybersecurity hygiene – and why it is a priority for the business – helps build a long-lasting security culture.
  2. Start With the Basics: Make sure your users know what is and isn’t permissible. Review your Technology Acceptable Use Policies, publish them, and make sure all employees acknowledge that they have read them. This should include use of personal devices and applications like Dropbox and AI websites.
  3. Don’t Assume Security Knowledge: Using a strong password and never sharing a password is second nature to IT and security professionals, but many users still opt for easy-to-guess passwords. Explain what phishing, smishing, and business email compromise are and why criminals like them.
  4. Use Engaging Material: Social engineering training should be frequent and engaging so that information “sticks” with employees. Good security awareness training material reduces resistance, keeps users’ attention and improves knowledge retention.
  5. Reinforce Constantly: Nobody learns a new skill through a one-time event. Short and timely computer-based training videos and graphics are a good way to reinforce more formal training. Include quizzes to confirm knowledge transfer and track students’ scores for internal and regulatory compliance purposes.
  6. Double Down on Phishing: As phishing attacks and business email compromise attacks become more difficult to identify, it becomes more critical to bolster training exercises. Make phishing simulations part of your regular routine. These mimic the real attacks criminals use to trick users into revealing their credentials or clicking on malicious content or links – without damaging the organization.
  7. Keep it Fun: Adding an element of fun to your program can enhance engagement. Many organizations adopt recognition initiatives, such as rewarding employees who successfully pass phishing simulations or creating scoreboards to encourage friendly competition among departments. By incorporating gamification, rewards, and recognition, you can generate excitement around your program and foster a more approachable security culture.
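Points 4 (failure to collect metrics) in the previous section and 5 to 7 above all come down to measuring the same few things: who clicked in a simulation, who reported it, how quiz scores move, and how departments compare. The script below is an added example, not the article’s or any vendor’s reporting code, showing how to turn exported simulation results into those metrics. The CSV rows are constructed sample data with an assumed column layout (campaign, send date, department, user, clicked, reported, quiz score).

```python
"""Security-awareness program metrics (added example, not from the article).

Reads phishing-simulation and quiz results and produces the numbers a program
owner needs: click and report rates per campaign and department, the trend
across campaigns, repeat clickers who need follow-up, and a department
scoreboard. The rows below are constructed sample data.
"""
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, Tuple

# Constructed export: 1 = the user did it, 0 = they did not.
SAMPLE_RESULTS = """\
campaign,sent_on,department,user,clicked,reported,quiz_score
2024-Q1,2024-02-10,finance,u01,1,0,60
2024-Q1,2024-02-10,finance,u02,0,1,90
2024-Q1,2024-02-10,engineering,u03,0,1,85
2024-Q1,2024-02-10,engineering,u04,1,0,70
2024-Q2,2024-05-12,finance,u01,0,1,80
2024-Q2,2024-05-12,finance,u02,0,1,95
2024-Q2,2024-05-12,engineering,u03,0,1,90
2024-Q2,2024-05-12,engineering,u04,1,0,75
"""

Key = Tuple[str, str]  # (campaign, department)


def load_results(text: str) -> List[dict]:
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(StringIO(text)))


def campaign_metrics(rows: List[dict]) -> Dict[Key, Dict[str, float]]:
    """Per campaign and department: messages sent, click rate, report rate, mean quiz score."""
    buckets: Dict[Key, List[dict]] = defaultdict(list)
    for r in rows:
        buckets[(r["campaign"], r["department"])].append(r)
    out = {}
    for key, group in buckets.items():
        n = len(group)
        out[key] = {
            "sent": n,
            "click_rate": sum(int(r["clicked"]) for r in group) / n,
            "report_rate": sum(int(r["reported"]) for r in group) / n,
            "mean_quiz": sum(int(r["quiz_score"]) for r in group) / n,
        }
    return out


def click_trend(rows: List[dict]) -> List[Tuple[str, float]]:
    """Overall click rate per campaign, in campaign order, to show whether training is working."""
    per = defaultdict(lambda: [0, 0])  # campaign -> [clicks, sent]
    for r in rows:
        per[r["campaign"]][0] += int(r["clicked"])
        per[r["campaign"]][1] += 1
    return [(c, per[c][0] / per[c][1]) for c in sorted(per)]


def repeat_clickers(rows: List[dict], min_clicks: int = 2) -> List[str]:
    """Users who clicked in at least min_clicks campaigns; candidates for targeted reinforcement."""
    counts = defaultdict(int)
    for r in rows:
        if int(r["clicked"]):
            counts[r["user"]] += 1
    return sorted(u for u, c in counts.items() if c >= min_clicks)


def scoreboard(metrics: Dict[Key, Dict[str, float]], campaign: str) -> List[str]:
    """Departments for one campaign, best first: highest report rate, then lowest click rate."""
    depts = [(d, m) for (c, d), m in metrics.items() if c == campaign]
    depts.sort(key=lambda dm: (-dm[1]["report_rate"], dm[1]["click_rate"]))
    return [d for d, _ in depts]


if __name__ == "__main__":
    rows = load_results(SAMPLE_RESULTS)
    for (campaign, dept), m in sorted(campaign_metrics(rows).items()):
        print(f"{campaign} {dept:12s} click {m['click_rate']:.0%} "
              f"report {m['report_rate']:.0%} quiz {m['mean_quiz']:.1f}")
    print("trend:", click_trend(rows))
    print("repeat clickers:", repeat_clickers(rows))
    print("2024-Q2 scoreboard:", scoreboard(campaign_metrics(rows), "2024-Q2"))
```

Report rate is tracked alongside click rate on purpose: a falling click rate with a flat report rate means users are ignoring lures, not recognizing them, and only the latter helps the security team when a real phish lands. The repeat-clicker list is for follow-up training, not for publication on the scoreboard; the scoreboard ranks departments, which keeps the competition friendly.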

How To Get Started

Defendify helps IT teams build and mature their security awareness programs. Our all-in-one platform includes policy and training modules that help educate your team to identify and defend against evolving cyber threats.

Want to learn more? Book a no-pressure conversation with a cybersecurity expert.
