
What is Cyber Awareness Training & Why is it Important?


I remember attending a university lecture in 1983 and being told that IT was going to get easier and that AI was going to replace humans. Any time now, they said.

Well, here we are forty years later and IT is as complicated as it’s ever been, and those pesky humans are still around. Granted, AI seems to have broken out of its ivory tower in the last couple of years, but we still have some way to go before those living, breathing people are no longer key to running businesses worldwide.

The Human Challenge

From a cybersecurity point of view, this reliance on humans gives us a challenge for a number of reasons:

  1. People are great, but they can be unpredictable. Employee performance depends on a vast array of changeable factors, such as coffee, hunger, energy levels, mood, sleep and motivation to name but a few, and if these are combined, people can make mistakes.
  2. We really need them to know relevant stuff. When humans are delivering vital aspects of your business processes, they need to be aware of a scary number of issues such as privacy law, technology, policy and procedure.
  3. Sometimes they are easy to fool, if you’re sneaky. People like to trust people. We’re not a naturally suspicious animal and so when someone tells us something, our default reaction is to take it at face value.
  4. They often have access to lots of valuable data. Because humans are key to getting things done, they need to have the necessary tools to create, delete and change things. And usually this power increases the higher up the organization tree you look.

Given this combination of factors, it’s no surprise that people are often the target of those looking to harm the organization in some way, whether their aim is to hold it to ransom, steal data or sabotage it.

Why Should an Organization Care?

A number of things can happen when people either don’t do something they should have done, or do something they shouldn’t have done.

  • The law may be broken – regulations such as the GDPR and HIPAA have strict requirements regarding how personal data (including health data) must be handled, and someone who isn’t fully aware of these can drag the organization into non-compliance, resulting in complaints and possibly fines.
  • Mistakes can happen – one of the most common causes of data breaches is a person simply getting it wrong. They don’t mean to slip up, but sending data to an incorrect email address or including hidden data in a spreadsheet happens all the time.
  • They let others in – clicking on a link in an email or resetting a password on a bogus website can open the door to malicious people who will do massive harm to the organization and its reputation.

Policies are not enough

The rules regarding how things should be done are usually set out in a collection of policies, on subjects such as email, Internet usage, social media and mobile working. This is a good thing, because it shows that the organization has thought about the topic and taken the time to define its approach. However, a policy has little or no effect if it isn’t communicated properly to the people who are supposed to follow it. This means new starters as well as existing employees, and don’t forget that any changes to the policy will need to be re-communicated too.

People are different, and they forget

It’s no exaggeration to say that everyone is different, and that (for reasons we explained earlier) they vary a lot from day to day. The human brain is a marvel that is capable of remembering an astonishing variety of facts but sometimes old facts get pushed out over time to make way for new ones. So expecting an employee with a busy life to retain the rules about using WiFi outside of the office forever is probably unreasonable. This means that key messages need to be repeated at regular intervals to ensure that they become as entrenched as possible in the face of competition.

Levels of existing knowledge will also vary widely, so it’s helpful to be able to tailor your messages according to the areas that are weakest, whether that’s data protection, cloud security or social media. This kind of tailoring is often referred to as “Human Risk Management”.

Security Awareness Training

To keep these lovely people, who do such a great job of running your organization, focussed on information security issues is a tough job. You’ll need to approach the problem from a number of different angles and you’ll need to be persistent.

We recommend the following methods:

  • Assess each person first, to find out what they already know, and where the gaps in their knowledge are.
  • Provide regular awareness training activities, such as short videos, that focus on the areas of greatest need for each person.
  • Check understanding with a short test after each video, and keep track of the results.
  • Once you’ve created your topic-specific policies, communicate them over time to each person that they are relevant to, and get them to electronically sign to say they have read them.
  • Monitor the effectiveness of your efforts by simulating phishing emails to see who still clicks on the links or provides their passwords. Provide extra training resources to those that do.

Our Cyber Awareness Training Platform automates all of these functions so you don’t have to worry about them: simply subscribe your employees, and the platform will deliver the training and provide real-time progress reports.

Don’t forget that awareness training is a requirement for many standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework, so it’s important to get on top of it.

Summary

Humans sometimes get a bad press as “the biggest risk in information security”, but let’s not forget that without them organizations would struggle and, until AI fulfils its promise fully, we should celebrate and appreciate them. That’s not to say that we shouldn’t also implement as many controls as we can (such as email filtering and awareness training) to make it less likely that their mistakes will result in a cost to the organization.

But for now, it’s all about awareness.


Written by Ken Holmes, CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).


Protect your organization with CertiKit's Cyber Awareness Training Platform

Subscribe to our Cyber Awareness Training Platform to calculate, reduce and monitor human cyber risk within your organization.

The annual subscription service, priced per user, gives your team access to a comprehensive set of online tools that allows your organization to improve cyber awareness, identify knowledge gaps, tackle individual risk areas, monitor employee progress and demonstrate compliance.

The platform subscription includes:

  • Cyber Security Awareness Training – Interactive training courses that cover core infosec and compliance topics.
  • Phishing Simulator – Trackable simulated phishing campaigns with ready-made and custom templates.
  • Breach Monitoring – Dark web scanning that detects exposed user data that could be leveraged for a cyber attack.
  • Policy Management – Centralised mechanism that simplifies and tracks policy reviews and approvals.
  • Human Risk Scoring – Real-time reports of individual and company-wide risk scores.
