Importance of an effective security awareness training program for technology companies
by: Jazib Frahim, Vice President, Product Security
The number of reported security breaches is on the rise, and attackers are using creative ways to penetrate the defensive layers of organizations. The cost of a single breach can run into millions of dollars, depending on its size. More importantly, a breach can damage the brand and erode customer trust, which can take years to recover. Unfortunately, human error is the leading cause of most successful cyberattacks, and 91% of cyberattacks start with a malicious phishing email.
Organizations must protect and secure their data by cultivating a security culture and investing in ongoing cyber and application security awareness training to avoid potential breaches. Developing a security mindset is especially important in the current environment, where organizations are giving employees flexibility by adopting hybrid (or even full-time) remote work models. Effective awareness training reduces the risk from constant threats and improves the overall security posture to defend against attacks.
Employers expect hundreds of thousands of employees to invest their time in security awareness training, and the teams responsible for running these programs must find ways to make them effective. Before building a training program, start by answering two fundamental questions:
- What are we trying to achieve with the training program?
- How do we measure the effectiveness of the program?
The answer to the first question should be simple: employees must keep security at the forefront of everything they do at home and in the office. Should they click a link when they receive an email from an unknown sender, or should they first analyze the email source and domains? Should they copy data from the corporate server to their workstations? Should they plug in a USB drive given to them at an event or by a stranger? The program's goal should be to develop a security-focused mindset that understands the attack vectors and thwarts evolving threats.
Second, organizations must define appropriate metrics to measure the success of the program. The metrics shouldn't be based simply on employees completing the training but rather on people's knowledge of the content. Management should have a way to collect feedback from employees regarding what is working and what is not. This feedback loop provides an opportunity to connect with employees and make the training more effective.
A training program should include a set of guidelines to make content more engaging and effective. A brief discussion of some of those guidelines is below:
- The training should not be too long. Long training sessions are ineffective because people lose focus after about 10-15 minutes. Program administrators should offer modules that focus on specific topics while keeping the length to 10-15 minutes.
- Not all security content is relevant to all employees; program administrators should customize content based on an employee's role. For example, security content for web developers should be different from the content for a product manager.
- Employers should give employees the option to complete the training at their own pace. Program administrators should treat security training as an opportunity for employees to manage their own training schedule by completing the appropriate modules within the acceptable timeframe, not as a compliance checkbox.
- Training content should be as interactive as possible. Employees should have the opportunity to practice what they have learned by answering relevant questions or solving challenges.
- Program administrators must ensure that security content is updated periodically to cover new case studies relevant to the evolving threat landscape. Making employees go through the same content every year typically sends a message that management's training initiative is not a priority.
- Training content should encourage employees to be vigilant about their environment and stress the importance of reporting any suspicious activity to their management or corporate security teams.
Acuity Brands, knowing the value of an effective training program, adheres to the above-mentioned guidelines and has invested heavily to offer various training opportunities to its workforce. We require employees in our technology teams to participate in a Security Journey program that starts with a white belt covering essential security topics. By obtaining yellow, green, brown, and black belts, employees demonstrate mastery of core security principles and the ability to implement them in all development activities.
Additionally, our internal security teams develop customized training content to deepen the learning of specific technology groups in the areas of application, firmware, and hardware development. We regularly connect with our technology teams, from engineers to leaders, to collect feedback and work with our training providers to keep evolving the content.
While the program is still young at this level of investment, we are seeing great results in the overall security improvements within our code. At the same time, we see increased engagement from our workforce, who reach out for guidance when they are unsure about certain events or when they see suspicious activity in the organization.