Security awareness training should be an integral part of an organization’s cybersecurity road map. We’re constantly reminded of its importance as news of new security and data breaches arrives more and more frequently. The Office for Civil Rights (OCR) recently issued new guidance on Health Insurance Portability and Accountability Act (HIPAA) security awareness training requirements. The OCR Cyber Awareness Newsletter, Issue 17, describes the guidance and reinforces the need for a mature, engaging, and responsive security awareness training program.
You’ve probably heard, seen, or said that users are the weakest links within cybersecurity. The numbers back up that claim. According to the Verizon 2017 Data Breach Investigations Report, 43 percent of breaches originate from social attacks, and 90 percent of those take the form of phishing.
But what if we took a step back and imagined the users as assets instead of as liabilities? What if we approached security awareness training in a way that engaged users and got their buy-in?
Limitations of traditional training include the inability to connect with the user, treating the user as the problem, and thinking a one-size-fits-all program exists. Users are human, and as humans, we often seek social interaction and the ability to find relatability in our everyday lives.
One thing is certain: Slide decks and slide-deck-driven computer-based training (CBT) are neither engaging nor lasting. When developing or improving security awareness training programs, organizations should focus on offering programs that connect with end users in substantive ways. Training needs to be interactive, fun, and memorable. These qualities can be achieved through a few different approaches.
One size does not fit all when it comes to training. Some individuals learn best by being challenged, while others learn better by reading independently. Understanding that users have different learning styles is key to setting up an effective security awareness training program. Though it’s not possible to tailor a single training program to every learning style, organizations can still develop training programs based on shared characteristics.
Keep in mind that the end goal of security awareness training is to educate your end users and to turn liabilities into assets. If you can connect with your users in a meaningful way through an engaging, impactful program, you’ve accomplished your goal.
In accordance with applicable professional standards, some firm services may not be available to attest clients.
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.