Why Security Awareness Training is Critical for Small Businesses

Transcription

Carol 

Hi everyone, and welcome. Today we’re talking about one of the most overlooked yet critical components of any company’s cybersecurity strategy, and that is security awareness training. I’m joined by Eric Hammond, data center technical manager at MIS Solutions, who’s here to explain why security awareness training isn’t just a nice-to-have, it’s a must for protecting your business, especially as cyber threats continue to rise.

So today, we’ll cover what makes a great training program, how it helps defend against real-world attacks, and why insurance providers are starting to take it seriously, too. So welcome, Eric.

Let’s start by going over why ongoing security awareness training is more effective than just doing it once a year.

Eric 

That’s a great question and a good starting place for the discussion. One thing to remember is that cyber threats are constantly evolving. We’re not getting hit with the same emails about a Nigerian prince wanting to send us millions of dollars, right? The cyber threat landscape has changed. Well, so must our training. We have to constantly evolve the training pace. We have to enforce through repetition, right? And so, we need to have constant training, you know, instead of a one-and-done mentality, right? We’re just checking the box. We did it for the one time. One time for the year. We need to have constant, reinforced training, right? So, this actually builds a culture of security, right? Another thing to think about is what we call micro-learning. And there are periodic phishing simulations that most people are pretty accustomed to at this point. They might get a monthly, quarterly or whatever, right, but these are to make sure that, hey, is the information that we’re consuming when it comes to our training program actually sinking in? Is it actually working, right? And so, it’s those components that really go into a good security awareness program.

Carol 

What are some of the most common types of cyber threats that security awareness training helps protect against?

Eric 

They really revolve around a couple of main topics. The first would be really related to email. So we’d be talking about phishing, spear phishing, business email compromise, right? Those would be a couple of the main ones. But also, we don’t forget about just your run-of-the-mill social engineering that may have nothing to do with technology at all. It could be a phone call. It could be a text message, right? No one’s credentials were compromised, right? You just got a phone call from someone trying to scam you, right? And so it helps protect against email attacks. It helps protect against social engineering, which is often what is included in a security awareness training program. Another thing that is very helpful, and a component or part of these programs, is teaching us about password hygiene, safe browsing habits, and mobile device security.

Carol 

You mentioned social engineering, and I think I read somewhere that AI is really helping criminals up their game?

Eric 

Oh, without a doubt. So that’s something security awareness training addresses. It does, absolutely, and that’s one thing. If you’re looking at trying to find the right security awareness training program for your company, you need to be thinking about those things. We know we’re using AI in our daily lives now, and so are the threat actors out there.

Carol 

So, how are cyber insurance providers responding to the importance of employee security awareness training?

Eric 

They’re actually doing it in a couple of ways. One of the most meaningful ways is that they’re requiring security awareness training as a condition for being underwritten for insurance, as a condition for coverage, right? It could also affect your premium if you don’t have it implemented. And it’s also not just “do you have it?” Check the box. It’s “let me see evidence that your users are actually taking the training.” Not that you’ve assigned them the training, but are they actually doing it? And so, if the insurance companies paying out these claims find it that important, that should tell you something. So should we, right? So again, it could be tied to premiums, and some providers, you know, like I said, they’re asking for this evidence. It wouldn’t be out of the realm of possibility for you to get an email from your insurance provider when it’s time to renew, saying, “Okay, hey, let me see a report that shows these exams were assigned and taken. Okay?”

Carol 

So, you can’t just say “yeah, we’re doing it.”

Eric

Five years ago, you could. Not today.

Carol

So, what should a good, security awareness training program include, and how can small businesses implement it without breaking the bank?

Eric 

It needs to have a combination of interactive modules, right? Man, look, we all love the videos. I’m joking. We all hate videos, right? It’s just, it is what it is. But you need a good combination. You need some interactive modules where you’re actually interacting with the training. You need some videos, right? It’s just part of it. You need a more holistic approach. And so, yeah, it’s interactive modules. It’s real-world phishing tests, right? To actually see if our folks are consuming, digesting, and taking in this information, this training, right? And it needs to be a tool that updates its training, right? We’ve talked about this a few times, but if you see that they haven’t updated their training in 18 months or a year, whatever, that may not be the program for you, right?

And I will say that at MIS Solutions, you’re very much aware of this, we use a product called KnowBe4. KnowBe4 is cost-effective. It’s very user-friendly to set up. I’m not getting paid by KnowBe4, but I do like KnowBe4.

Carol

Well, they’ve been around forever.

Eric

That’s right.

Carol

So, Eric, thanks so much for sharing those insights. And if you’re a small or mid-sized business, don’t wait for an incident to start educating your team. Make security awareness training a part of your culture now, and until next time, stay cyber smart.
