Security Awareness for Any Business

Josh Harr | July 3, 2023

Another headline that reads, “Company X hacked! Six million customers were affected.” This is the third time this week. Reading through the article, I see it says an employee clicked a malicious link from an email. Unfortunately, being in this business for over 10 years, I read on unfazed. For what has seemed like forever, emails have been the prime delivery mechanism for hackers and scammers. Why has it not evolved? That’s because it still works. Why change something that still works well? (3.4 billion phishing emails are sent every day.) What also hasn’t changed much is the approach to “Security Awareness and Training” programs. There are quite a few solutions out there that help you automate and spread the word with ease. I have used some of them, and they are pretty cool (one company was started by one of the most notorious hackers in the pioneering era of hacking). However, there seems to be something missing.

What’s Missing?

I’m glad you asked. This blog would be pointless if you just heard me rant. I digress. There are quite a few components missing. If there are so many security awareness solutions out there, why is phishing still so successful? First, let’s just lay the foundation here. Security awareness and training is just a nice way to say “behavior modification.” This awareness and training program is trying to change your employees’ behaviors and computer habits. This is not a bad thing, but if your employees are not changing their computer habits, then the solution you bought isn’t sinking in.

Bring it Home

The first component is having something they can take home with them. This means providing them with relevant training that can help them protect their own personal lives as well as their work for your business. An employee who is vigilant with their own data will likely take the same steps to be vigilant with your business data. One way to do this is to create the “bring it home” mindset, which focuses on their personal data protection first. Ensuring they know the importance of protecting their own data will start to create an understanding of why they need to do the same for your business. So, make it personal.

Role-specific Training

The second component is to attach the importance of information security vigilance to their role. Role-specific training is essential. Broad-spectrum training does some work, but there must be a more detailed way to show how one specific employee can make a difference in their role. If they are in human resources, explain the importance of protecting employee data and how security features on their devices do that. Again, make it personal.

Industry-specific Training

The final component is relevance to the business. If you are in a specific industry, train around the threats that are specific to that industry. Not all cyber attacks are the same, and not all of them happen in every industry. Make sure the training aligns with the risks of your business. Unneeded training degrades your employees’ trust that the training is relevant to them. Finally, make it personal.

Many of these training solutions have a combination of components but not all. Your business needs to incorporate all of them. In the end, find ways to make it personal to your employees. Create awareness campaigns and make them fun! Giveaways and prize programs can create interest. Personalization will make it last.

We’re here to help. Reach out and schedule a training today.

If you need any assistance with security awareness training for your organization, protasec can help. protasec specializes in information security, which includes security awareness training. protasec’s method brings a combination of all three components to give your employees a comprehensive and lasting understanding of the threats to your business and how to protect themselves (and your business) from those threats.
