Security Awareness Training: More than a Regulatory Mandate

Security awareness training helps strengthen the weakest link in the security chain — humans. A well-designed training program will help users understand security risks, recognize threats and avoid falling victim to social engineering attacks.

Because of these benefits, security awareness training is required by many government and industry regulations. Here are a few examples:

• Any organization that accepts debit or credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS), which mandates training on how to protect cardholder data.
• Financial services firms must provide training on PCI DSS, Fair and Accurate Credit Transactions Act (FACTA), Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley (SOX) requirements and prepare users for common attacks the industry faces.
• To comply with the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations must train users on how to secure personal health information (PHI).
• Educational institutions must provide training on the Family Educational Rights and Privacy Act (FERPA), which includes an array of controls for protecting sensitive data.
• Government agencies and contractors must comply with numerous regulations that include a security training component.

Security awareness training builds a stronger defense against cyberattacks, not just for compliance.

In addition, several state laws and industry standards and frameworks mandate security awareness training. Organizations that store or transmit the data of European Union (EU) citizens may also have to comply with the General Data Protection Regulation (GDPR), which requires users who have access to such data to receive appropriate training.

Keys to Successful Security Awareness Training

Security awareness training programs have an obvious budgetary and operational impact. These programs cost money and can eat into work time, so business leaders are often reluctant to invest in them. Other issues include a general lack of understanding about the importance of training, a lack of consistent, ongoing training, and a lack of real-world testing to verify that employees are retaining the training lessons.

With those challenges in mind, here are some of the critical success factors for a training program:

1. Leadership support. Security awareness training can’t be driven by information security and IT staff. Senior leadership needs to champion and participate in the program.
2. High-quality, relevant content. A lengthy PowerPoint presentation will not be effective. The best programs feature a mix of interactive modules, videos, games and other types of informative content to serve different learning styles. The content should be relevant to the user’s role and the types of threats the organization faces.
3. Regular delivery. A German study found that users tend to forget most of what they learned within six months. Training should be repeated regularly to reinforce the materials and build on core concepts as threats evolve.
4. Frequent testing. It’s important to test users frequently to gauge the effectiveness of the training program. In addition to quizzes and games, organizations should conduct simulated cyberattacks to determine whether users can identify threats.

Most importantly, security awareness training shouldn’t be a box-checking exercise to meet an annual compliance audit. The goal should be to create a security culture that promotes each user’s role in preventing cyberattacks. Security isn’t just the domain of the IT department. Administration, operations, finance, sales, marketing, HR and executive leadership must all do their part to protect systems and data.

Let GDS Help You Transform Security Awareness Training into Your Strongest Defense

GDS offers the award-winning KnowBe4 program for organizations that want consistent, ongoing training. In addition to giving organizations access to the world’s largest library of security awareness training content, KnowBe4 uses fully automated, simulated phishing attacks to test employee knowledge. Let us help you reduce risk and stay compliant by transforming your workforce from the weakest link into a powerful layer of defense against cyberattacks.

Benefits of Managed IT Services from Global Data Systems

• Strategic Managed IT: We help you solve your technology related business problems.
• Connectivity: We get you reliable, secure connectivity anywhere in the western hemisphere in 48 hours.
• Support: When you need help simply call our 24x7x365 support number.
• Billing: Instead of managing hundreds of vendors - get one, easy to read bill from GDS.

Contact Managed Services Provider, Global Data Systems >