Unrivaled Cyber Security Awareness Training for Employees

The human factor in cybersecurity refers to the impact that an organization's employees, contractors, and third parties have on the cybersecurity of the organization, its information systems, and data. Although an organization's people are its greatest asset, they also can be one of the most significant vulnerabilities. Some common employee cyber errors include clicking on phishing links or opening malicious email attachments, sharing passwords, losing mobile devices, and putting sensitive information in the cloud. The best protection against human error is an effective cyber awareness program.

The human factor, or people, are the greatest cause of data breaches. The human element was involved in 85% of all breaches, according to the 2021 Data Breach Investigations Report (DBIR) from Verizon.

Before people can protect against cyber threats, or prevent their own cyber security mistakes, they must understand what the dangers are, why they matter, and what they can do to protect against cyberattacks and cyber security incidents. Cyber awareness training is the best way to teach employees about information security best practices, how cyber attacks happen, the consequences of human error, and to provide employees with the critical cyber security skills necessary to protect your organization and be cyber secure, both at work and at home.

1. Get buy-in from executive management and their active participation in your cyber awareness program; it is key to the program's success
2. Appoint a skilled, energetic, and effective training program manager
3. Layout objectives and goals for your program
4. Provide regular security awareness training that is both effective and focuses on the learner
5. Create a culture of security so that employees can freely ask questions, as well as report incidents and mistakes
6. Utilize multiple forms of awareness outreach in addition to training
7. Ask employees for training feedback and incorporate their suggestions

There are five types of cyber security education given to employees:

1. Security Awareness Training. Teaches general cyber security principles to all employees. You'll see this type of employee security training called by many other names, including cyber awareness training, cyber security awareness training, employee cybersecurity training and information security awareness training.
2. Phishing Training. Focuses solely on teaching employees about phishing and how to avoid phishing attacks.
3. Role-based Security Awareness Training. Targeted training that focuses on a specific job or role that an employee has; for example, system administration, management, or customer service.
4. Information Security Training, also known as IT Security Training or Infosec Training. Designed to teach security staff, engineers and developers about technical aspects of cybersecurity, covering topics like secure coding practices, cyber attacks against infrastructure, and common vulnerabilities in technology.
5. Information Assurance (IA) Training. IA Training is cyber security training provided to government and military staff and contractors. The primary focus of IA Training is the protection of information, software and hardware.

• Robust, relevant material covering key cyber security topics
• Use of games and other forms of interactive training
• High quality, engaging content
• Teaching of cyber skills, not just awareness
• High employee satisfaction
• High employee participation

1. Phishing and email security
2. Social media / social networking
   
3. Mobile security
4. Information protection
5. Incident reporting
6. Password security and password management
7. Social engineering
8. Insider threat
9. Cloud security
10. Office security and clean desk policies

An extra 11th topic is remote work security, which is an essential training if employees work remotely or are in hybrid office environments.

Training should be provided frequently so that it reinforces learning, and cybersecurity training is no exception. Employees should receive cyber awareness training on a regular basis. Brief training delivered monthly is an ideal balance between keeping cybersecurity top-of-mind, and having a minimal impact on employees' work productivity.

We've compiled a short list of some of the best web resources for eLearning and employee training. These websites provide information and resources on learning strategies and skills, eLearning theory, industry trends, workforce training, as well as new ideas for eLearning content and programs.

Learning Guild (formerly the eLearning Guild), eLearning Industry and eLearning Learning are all respected eLearning websites offering a wide array of resources, including thought leadership, white papers, eBooks, blogs, webinars, and podcasts. ATD (Association for Talent Development) is a professional organization for furthering skills in training and development. Training magazine and Chief Learning Officer are multimedia platforms providing resources aimed at training professionals and on the benefits of a properly trained workforce. Finally, the Harvard Business Review provides a wealth of information on business and management topics, including on eLearning, psychology, and marketing.

Cyber security terms, also referred to as cybersecurity terms, are words or phrases that specifically relate to the field cyber security, also referred to as cybersecurity.

There are two complimentary but different types of phishing training (also known as phishing awareness training.) The first and most common type of phishing training, called phishing testing, uses a phishing simulator to teach employees not to click on phishing links or open malicious attachments by running simulated phishing campaigns. Brief follow-up training is given to employees who fall for the attack. The second type of phishing training is a phishing awareness course, which provides much deeper training on what phishing is, the phishing tactics that phishers employ to manipulate their targets, and techniques on how to identify and avoid phishing scams. After completing a phishing awareness course, employees are better prepared to handle both current and evolving future phishing scams.

Phishing has become the preferred type of cyber attack for hackers to compromise public and private sector organizations, as well as individuals. Even with the sophisticated phishing protection software and systems that organizations deploy, phishing attacks still get through. This trend has only accelerated as more employees work remotely or in hybrid office environments where organizations have even less control over employee behavior. Therefore, it is essential to teach employees to defend themselves and their organizations against phishing, by learning how to identify, and not fall victim to, phishing attacks. This is exactly what a phishing test is designed to do.

A phishing simulator is an anti-phishing software or service that is used by organizations to measure the vulnerability of their staff to phishing scams by running simulated phishing campaigns. A phishing simulation mimics a real phishing attack by sending phishing tests to employees. The purpose of phishing simulations is to teach employees how to spot a phishing message and not fall victim to a real phishing attack. Most vendors offering phishing simulation services offer the following capabilities:

• A pre-built catalog of phishing templates or the ability to create your own phishing templates
• Ability to send phishing emails to the entire organization, or to target a specific group or individual
• Track employees' interactions with phishing tests, including phishing email opens, clicks and replies, phishing attachment opens, and web form fills
• Provide vulnerable employees, those that fall for phishing tests, with immediate, real-time training related to the specific attack
• A dashboard with phishing reports that graphically represent current and historical phishing campaign statistics

Cybersecurity frameworks, standards and controls help organizations manage risk; some well-known and trusted sources include: ISO 27001, System and Organization Controls (SOC), NIST Cybersecurity Framework, and CIS controls, and COBIT. The OWASP Top Ten provides guidance to organizations and developers on web application security.

An information security policy, or cybersecurity policy, is a policy that sets out the requirements for protecting information in an organization, including the types of information and systems that need to be protected and the ways in which they are protected. Information security policies may apply to people, processes, or systems; policies also may be organization-wide, or apply only to a specific subset. Various governmental regulations and industry standards require organizations to have information security policies, both in place and in practice, as part of compliance.

Security Mentor aggregates current cybersecurity statistics and trends on the human factor, data breaches, cybercrime, phishing, remote work, ransomware, passwords, insider threats, the COVID-19 pandemic, and much more. We also aggregate statistics and trends by industry vertical including, Financial Services, Healthcare, and Energy & Utilities. To see our report, go to Security Awareness Training Statistics & Trends: 2020-2021 Edition.

Security awareness materials are designed to raise the awareness of and remind employees about common cyber threats and how to protect against them. Cyber security awareness materials often address topics like phishing, password security, office security, lost or stolen mobile devices, and the exposure of sensitive information. Awareness materials also provide a different media for training that may be effective at reaching employees who are visual learners. Finally, alternate forms of training are required for some regulatory compliance, for example PCI DSS, which requires multiple forms of security awareness and training.

Common types of cyber awareness materials include posters, newsletters, cartoons, wallpapers for operating systems (also known as desktop wallpaper or desktop backgrounds), screen savers, even swag like clothing and mugs. Awareness materials can be recurring such as newsletters and posters, or a giveaway for a special event such as part of Cyber Security Awareness Month.