The Case for Annual Security Awareness Training
Training Annually vs One-Off Training
Anything short of annual IT security awareness training is difficult to consider a legitimate training program at all. Unlike most of an employee's duties, comprehensive IT security training covers events that hopefully never occur, or occur only rarely, and rehearses how to respond to them. Because major security events are rare within any one organization, the proper procedures for responding to them are not reinforced through repetition the way routine job tasks are.
For example, a member of the accounts payable group routinely processes legitimate invoices. Initial training for this task is reinforced through day-to-day, week-to-week, or month-to-month processing of those invoices. Changes in procedure are usually minor, communicated immediately by management, and put into practice at once, so the employee stays current on company standards. A major change, such as a new payment-processing system, typically comes with full training that is immediately reinforced by the normal work routine. IT security incidents, especially potentially catastrophic ones, are hopefully rare, so an employee never becomes familiar enough with the response procedures for them to become second nature, which is what they ideally should be.
A great deal can change within a year, and in the IT security landscape it frequently does. New threats emerge continuously, internal security personnel and reporting policies change, and hardware and software are updated or replaced. Any of these changes can drastically alter how staff should respond to an incident and which conditions they are responsible for monitoring.
Many in upper management push back on requests to fund training initiatives because they mistakenly believe their firm already provides sufficient, ongoing training. Frequently, these managers do not understand the difference between education and training, and therefore do not see why training is necessary. Drawing that distinction clarifies why an annual IT security training program is crucial, and once it is understood, managers tend to become much more receptive. While the two overlap, education can be thought of as knowing and training as doing. A memorandum announcing new procedures is education, and for most organizations that is the norm. Training is walking through those procedures on a simulated system. The distinction matters because knowing what to do (education) is quite different from knowing how to do it (training).
What are the Benefits of Annual Security Awareness Training?
Annual security awareness training helps staff recognize and respond to threats. This increases the number of threats mitigated before they manifest, and it minimizes the damage done by any threat that goes undetected, whether in financial or data losses, downtime, or other interruptions caused by an attack or incident. Reducing the likelihood of a threat materializing, and handling those that do as efficiently and effectively as possible, saves a firm money in damages. It can also preserve or bolster an organization's reputation in the marketplace, which is invaluable.
Employees, contractors, and vendors who are comfortable with a company's security procedures typically have higher morale. Most of the parties who help an organization deliver its products or services want to do so in the best and most secure way possible. Knowing that they have the best and most current information available instills confidence, and that confidence is reflected in how they perform their duties.
The confidence instilled through security training spills over into every duty personnel are charged with. It is difficult for a customer service rep, salesperson, or any other worker to interact comfortably with a client if, in the back of their mind, they are worried about whether they are meeting security standards or second-guessing their response to a potential threat on an earlier transaction.
A tangential benefit for those who receive IT security training at work is better protection of their personal devices and data. A firm receives no direct benefit from an employee having a better-protected PC at home, but the employee certainly appreciates it, and that gratitude helps boost morale.
Annual SA Training Business Impact
Specific policies and procedures should, in many cases, be confidential and not accessible to outside parties, or even to internal parties who do not need to know them. The existence of an annual IT security training program, however, is noteworthy and something a firm can broadcast to customers and the public at large. Those considering doing business with a company will be reassured to learn that the organization takes a proactive approach to protecting their personal information, products, funds, and anything else that could be adversely affected by a security breach. This, in turn, can boost sales.
Dr. Larry Ponemon, of the highly regarded Ponemon Institute, is a fervent believer in the positive impact IT security training has on an organization. The Ponemon Institute publishes one of the most trusted annual reports on IT security, based largely on surveys of industry professionals. To segregate and rank firms on their IT security status, the institute evaluates six areas:
- Uptime – measured by how much time an organization's systems were unavailable because of a security breach.
- Compliance – how well a group conforms to all applicable laws and regulations. This metric can be quantified through audits that uncover the number of non-compliant procedures, from which a percentage can be derived.
- Threat containment – an organization's ability to thwart or rapidly identify external IT security threats, characterized as cybercrime, social engineering, or malicious attacks.
- Cost efficiency – the return on investment for an organization's outlay on IT security initiatives.
- Data breach prevention – the effectiveness of a firm in preventing or detecting internal security threats, which may stem from negligence or incompetence on the part of an employee, contractor, or other person within the operation.
- Policy enforcement – the effectiveness of internal monitoring for compliance with IT security policies.
Ponemon's security effectiveness score uses 24 individual attributes, each falling into one of these six dimensions. Dr. Ponemon has found that organizations that consistently perform well on these 24 attributes are far less prone to breaches and other security incidents.
What is notable about those 24 attributes is that 75 percent are tied to security-awareness behaviors. The only way to ensure that staff remain competent in the areas covered is through regular training.
Why Use an External Provider for Annual Training?
To maximize the benefit and minimize the resources needed to maintain a yearly training program, an organization should give serious consideration to a vendor whose sole focus is IT security training. These firms already have training collateral prepared, which can be tailored to fit a specific organization's needs. This saves time and money, as a quality security training vendor will have existing mechanisms and arrangements in place, negotiated at the best price, to produce any necessary materials.
Because an IT security training firm specializes in this arena, it stays current on laws, regulations, and best practices. Using its services spares an organization the cost of researching changes that may affect its operations.
Engaging an outside firm also brings the experience and knowledge gleaned from training initiatives the provider has run at other firms. An organization's training needs are often similar to ones the trainers have seen elsewhere, so they can quickly identify what is required and how best to accomplish it. Trainers frequently offer insights into other IT initiatives that routine training does not cover but that are helpful nonetheless. It never hurts to get a set of outside eyes on an operation.
Annual IT Security Awareness Training Is Worth the Cost and Effort
For all the reasons discussed here, and more, investing in annual IT security awareness training is prudent for any firm. There is far too much at stake to risk a lapse in security awareness among employees.
Most IT workers already understand the need for annual training, so the case for these programs usually has to be made to management, which authorizes it, or to the employees who undergo it. It is therefore important for managers and employees to understand why a firm is investing in annual training, what sort of investment is being made, and the consequences of failing to invest. This helps persuade management to write the checks. Employees who understand that their livelihood may be at stake, since a security incident can interrupt revenue streams and lead to layoffs or even the demise of a firm, are more apt to embrace the annual training program wholeheartedly.