In 2021, experts estimate there will be a cyber-attack incident every 11 seconds.
That’s twice what it was in 2019.
And four times the rate five years ago.
These shocking statistics probably aren’t even that shocking. Every Director knows that security is a pressing issue. It’s a topic of conversation in every board room and a significant budget has been allocated to invest in various security measures and solutions.
However, there’s a weak link in the business which is often overlooked. Your employees. While they might not mean to put the business at risk, their actions can do just that.
These range from clicking on links in phishing emails and actioning fraudulent bank transfer requests, through to connecting to insecure Wi-Fi networks and sharing personal data incorrectly. All of these actions can result in a breach or successful attack, causing financial and reputational damage.
Most employees are not malicious; they simply are not aware of the risks. They don’t understand that they are a target, and they don’t know how to spot the danger signs. Many don’t understand that security is their personal responsibility, and even fewer understand sensitive data privacy best practices. Thankfully, this can be easily addressed with effective security awareness training. In this article, we will cover the benefits and types of security awareness training, as well as best practice tips to follow for an effective program.
What is security awareness training?
Security awareness training is designed to educate employees about the important role they play in helping prevent information breaches. It provides formal education about the types of risk facing the business, how employees might interact with them or be targeted by them, and how their actions can have a positive or negative effect.
‘Real-life’ scenarios – for example, demonstrating how their response to a phishing email could cost the business thousands of pounds – are often included to drive the message home and show the employee what a breach would feel like.
Quizzes, questionnaires, and games can also be used to test employees’ knowledge post-training and identify any weak spots. There are also various online systems that train and test employees in an automated manner, flagging those users who need additional focus and training.
Why is security awareness training important?
Security awareness training ensures everyone in the business is aware of the threats and how they might present themselves. It helps build a security-aware culture and encourages everyone to follow best practice. For example, instead of the accounts department immediately actioning a bank transfer due to an email from the Financial Director, they know to double-check the request with another method (e.g., a call, a Teams message).
A more security-aware culture will significantly reduce the chance of a successful attack against your business. Research found that security awareness training could reduce the threat of socially engineered cyber threats by up to 70%.
Training is also a requirement for compliance purposes in certain industries. The Financial Conduct Authority (FCA) states:
“Firms of all sizes need to develop a ‘security culture’, from the board down to every employee. Firms should be able to identify and prioritise their information assets – hardware, software, and people. They should protect these assets, detect breaches, respond to and recover from incidents, and constantly evolve to meet new threats.”
Types of security awareness training
- Phishing – Trains employees on how to recognise potential phishing messages by demonstrating what could happen if they respond to one.
- Passwords – Promotes password best practice, ensuring strong passwords are created and are not used across multiple accounts or shared with others.
- Privacy PII – Shows employees how to protect personal information in the business, including clients, prospects, colleagues, and partners.
- PCI Compliance – This training is required to comply with the PCI DSS (Requirement 12.6). Educates staff on the requirements, roles and processes and demonstrates the severe financial and reputational damage of a payment card data breach. Reinforces best practice to help staff actively keep card data safe and reduce the likelihood of a breach.
- Ransomware – Demonstrates to employees just how easy it is to be attacked and the destructive consequences.
- CEO/Wire Fraud – Uses fraudulent emails designed to trick the employee into thinking they are responding to the CEO (or another senior executive), which shows them how easy it is to be conned. Helps employees to recognise the first signs of risk and encourages the practice of double-checking when unsure how genuine a request is.
- Data in Motion – Teaches employees data security best practices to ensure vulnerable data is not put at risk. Highlights the dangers of behaviours such as sending company attachments to home email accounts, copying company data to personal cloud storage, and plugging ‘found’ USB drives into company devices.
- Office Hygiene – Educates employees on the importance of physical security, demonstrating the risk of unsecured paper, unlocked screens, open buildings and more.
- GDPR – Ensures all employees are aware of and understand data privacy rights – and the severe penalties for breach or non-compliance.
- Social Engineering – Trains employees on the various methods and guises hackers may use to gain illegal access to their computer, including phone, email, mail or direct contact.
How often should you train employees?
Ideally, every four to six months. There are various software solutions that test and train users more frequently than this, perhaps weekly; however, they do not cover all areas of cyber-security.
Research found that after four months, employees were easily able to spot phishing emails but after six, they began to forget the learning. Although this research was specifically about identifying phishing emails, it can be applied to all types of security awareness training.
However, it is up to you to determine the right cadence. Use this timeframe as a starting point. In the beginning, you may need to test employees more frequently.
The key is to strike the right balance. Employees need to be informed and educated, but you want them to be proactively engaged. Training that occurs too frequently risks becoming a chore and being treated as a tick box exercise. Employees rush to get it done, rather than engaging with the learning, as they know they will have to do it again in a few weeks.
How expensive is security awareness training?
The cost of security awareness training will largely depend on the provider, the type of training and the number of employees. Some providers offer tiered pricing with different training methods at each tier. As an example, some of the automated training and testing systems for training users, particularly around phishing and ransomware, can be in the region of £12 a year per user.
However, with the average cost of a data breach at $3.86 million, the cost of your training program is unlikely ever to come close to the cost of a successful data breach. In fact, research shows that businesses with fewer than 1,000 employees will see an ROI of 69% from a security training program.
Best practice tips for an effective training program
Effective training needs to deliver the right information, at the right level, at the right time.
1. Repeat, repeat, repeat
Staff will only recall approximately 90% of training after a month. So, a programme of sustained and repeated training is the best way to ensure knowledge retention.
Plus, the cyber-security landscape is rapidly and constantly developing. New threats occur all the time and you need to equip your staff to deal with them.
2. Gamify your training
Mandatory training can seem dull, leading employees to switch off and become disengaged. You need to ensure these important messages are hitting home. Experiential learning through game-like approaches can help some staff members remember things more effectively.
Studies show that using humour and entertainment in the training process boosts engagement. Nearly 60% of employees prefer training which mixes serious and entertaining content.
3. Break training down into manageable chunks
Hours of back-to-back training are unlikely to engage anyone. In fact, your employees will probably just see it as another ‘tick box’ chore – not ideal for building a security-aware culture. Instead, break your training into bite-size chunks, spread out across the year.
4. Try different methods
Employees all have different methods of learning. What suits one may not suit another, so it’s important to switch up training delivery. Posters, books, quizzes, games, interactive demos and small group training are just some of the ways to educate employees. Unfortunately, you can’t just buy an online training and testing package and believe that’s your training box ticked.
5. Cover a range of topics
While phishing is a top attack vector, it’s important that your training does not focus solely on one area. You need to educate your employees on a wide variety of topics, including those which they might not connect directly with the workplace. For example:
- Not to overshare information on social media
- Dangers of public Wi-Fi and how to use it safely
- Not to plug unknown USB devices into corporate devices
- How to manage passwords
If you’ve ever had to request budget from the board or tried to get buy-in for an IT project, you will know how difficult it can be to get the board engaged with IT. Despite the critical role IT plays in operations, too many senior executives still see it solely as a cost to the business rather than as a competitive advantage.
Research shows that regular conversations between IT and the board actually decrease IT and cyber risk, while increasing innovation and IT project ROI. These benefits improve the more frequently the conversations occur: conversations held every quarter hold more value than those held bi-annually or annually.
However, getting these conversations to happen in the first place is often the most difficult part. IT Managers can struggle to get their voice heard at board level, and IT often does not feature on the agenda as often as it should. Part of the problem is that this often requires a change in culture, but the good news is that IT Managers can facilitate this by framing their conversations with the board in the right way.
3 strategies to engage the Board of Directors with IT
Most organisations spend a significant portion of their revenue on their IT, so they need to be sure that it is being invested wisely and delivers a return for the business.
This can only happen when senior executives fully embrace the potential of IT and view it as a strategic asset. While it’s important that IT has a voice at board level, the conversations themselves need to be effective too. We’ve compiled three best practice tips to help IT Managers frame the conversation in a way the board will engage with.
1. Make Technology a Routine Part of Conversation
IT Managers need to think strategically about how they can navigate technology conversations with the board. Assess the levels of technical knowledge and understanding to determine whether an educational component is required and build conversations accordingly.
Some members of the board may be more technologically-savvy or be more. Identify these allies and build relationships with them as they can help you garner support for IT investment and focus from other members of the board.
Consistent communication is key, so ensure IT features as a standing item on the agenda or designate regular meetings where you can focus solely on IT. Strike the balance between protection and growth and build a narrative which focuses on both the short term (6-12 months) and the long term (5+ years).
Any conversations about long-term strategic planning should be a collaborative effort. IT Managers should be fully briefed on the intended strategic direction of the business so they can educate the board about the relevant risks, opportunities, and industry changes, ensuring the IT strategy supports the business objectives and the budget is allocated effectively.
2. Demonstrate the business value of strategic IT investment
You will need to make the case for IT investment, so be prepared to convey the financial, operational and reputational benefits. Back your pitches with data and present the information clearly and concisely e.g., by utilising dashboards and scorecards.
You may need to ‘connect the dots’ and give context to the risks facing the business. If board members do not understand the mitigating effects or benefits a particular solution or service will deliver, they may not be willing to allocate the funds. For example, data security might be a concern for the board, but they may not understand why the business is a target, where they are vulnerable, the effects a successful attack can have and how it can be prevented. Take into account the board’s own appetite for risk and align your recommendations and scorecards to reflect this.
Budgets can vary widely so you may wish to present a shortlist of options to the board. However, if you do decide to do this you need to ensure the board is fully aware of the limitations of each one, so they do not decide based purely on flat costs.
3. Focus the conversation on the right topics
Try not to get bogged down in the technical detail during conversations with the board. It’s unlikely that their level of technical knowledge will match your own, so they will be less likely to engage if it doesn’t seem directly relevant to the business. Instead, focus the conversations on the potential impact and deliverables of IT.
Performance
Ensure that the board understands how IT can positively or negatively impact the performance of the business.
- Financial – Link technology investments to financial performance such as profitability, margin and revenue. Demonstrating the positive impact can help the board see IT as more than an operational cost.
- Operational – Demonstrate how IT can improve the efficiency of operations and free up budget for innovation and business transformation. This may include things like automating processes, replacing legacy systems, and embracing cloud services. IT Managers can support this process by measuring, reporting, and discussing the impact of technology-driven business transformation.
Risk
Ensure the board keeps up to date with current and emerging threats, be it cyber-attacks or disruptive technologies. IT Managers can help develop the risk appetite and measures to prevent unnecessary risks from being taken. IT and the business must be wholly aligned on risk appetite levels to ensure neither side makes inappropriate risk management decisions.
- Cyber Risk – Businesses must be able to protect their assets from cyber-attacks if they want to achieve strategic goals. IT Managers have the responsibility to educate the board on current and emerging risks, the potential threat to the business and remedial actions.
- Regulations – Technology can help businesses comply with regulations, but it is also the subject of regulations itself – such as data privacy. Boards need to be aware of how technology can speed up the process of meeting compliance policies, as well as where regulations may require additional investment or affect company priorities. Conversations should focus on the positive and negative implications of the regulations, the opportunities for rationalisation and any other business impacts.
- Industry Challenges – New technologies can topple a company’s competitive position and business models. Help board members understand the risks and opportunities of technology-driven industry disruption to ensure the business doesn’t fall behind.
Strategy
IT Managers should help guide the overall business strategy by educating board members on the strategic potential of IT and other disruptive technologies.
- Innovation – IT Managers can help create a bolder risk appetite by demonstrating how the effective use of technology can result in business growth. Successful innovation requires a culture of continual incremental improvements. Boards need to give IT Managers the opportunity to test, experiment and analyse.
- Data – Help the board understand how technologies such as machine learning, natural language engines and AI can help businesses better collect, process, and analyse customer data. Highlight how this data can be used for more effective decision making and monetised for business success.
- Client Experience – Customer demands are constantly changing and increasing. Businesses need to keep pace with this if they want to both attract new customers and retain their existing ones. Service levels are a key battleground. As service levels increase across all industries, tolerance levels have declined, and customers are no longer prepared to accept reduced levels out of brand loyalty. IT Managers can help the board meet these challenges by showing how to leverage technology to proactively anticipate and address customer needs. These conversations can help ensure the pace of technology change aligns with customer readiness.
Strategic development for IT Managers
IT Managers have a huge wealth of technical experience and understanding, so it makes sense that they are often heavily focused on the technical details.
This knowledge is highly valuable to a business, but it doesn’t always translate to the board. If they do not understand, they will not engage. They need to see the business benefits of investing in IT. Requesting budget to replace an old server, for example, is not enough. However, if you explain that the new server will help increase resilience, availability, and network performance, and enable employees to deliver faster customer service, the board can begin to understand the ROI of that investment.
If you’re used to focusing on the technical details, then framing conversations in this way can feel a little uncomfortable initially. IT Managers who want to take a more strategic standpoint should seek out additional training and mentorship from experienced CIOs and IT Consultants. A dedicated Coach can give IT Managers advice and direction, provide education (where required), share knowledge and best practice, help develop a commercial mindset, and talk through challenges faced by the business and how to overcome them.
Challenges for IT Managers
While this change in perspective is positive, it does mean the scope of an IT Manager’s role has increased considerably and, with this, come new challenges to address.
1. Big data
Businesses are generating more data than ever. Unfortunately, most of this is unstructured so it can’t really add any value. Transforming this data into measurable and actionable insights is one of the largest challenges facing IT pros but get it right and it has the power to completely transform a business, giving greater insight into operations, customers and the wider marketplace.
2. Asset and data management
The ever-increasing number of devices in the workplace means more monitoring and maintenance. To effectively and safely deal with this, it’s crucial that the IT strategy includes appropriate information governance programs and mobile device management policies.
As well as managing the known hardware, IT Managers must also be aware of the threat of the unknown. Shadow IT, hardware and software used by staff without the IT department’s approval or knowledge, is an increasing problem in mid-market businesses. In fact, it’s estimated that the number of software programs in use is 14 times higher than thought. This can include things like using cloud file stores such as Dropbox or Google Drive to share files, personal instant messaging apps or online CRM solutions.
3. Data protection
Forward-thinking mid-market businesses will have already taken a ‘privacy by design’ approach, but meeting regulatory and compliance standards around data protection is a continuing concern. Customers demand – and expect – their data to be private and secure, and any potential threat can easily drive them to a competitor.
4. New technologies
While keeping up with new technology is a challenge, a greater one is working out what’s the best fit for the business and communicating the reasons why to senior leadership.
This can be a particular problem for IT Managers who don’t have a seat on the board. It’s all too easy to get swept up by the wave of new, shiny tech and become concerned that your business is missing out because others appear to be investing. Yet this is exactly the type of spend that puts the business at risk and, in turn, creates ‘bad feeling’ towards IT. It’s crucial that IT Managers advocate for ‘a seat at the table’ to address the challenge of new technology and use their experience and expertise to guide the business towards effective investment.
5. Evolving cybersecurity threats
Cyber-security is a huge challenge, with attacks constantly growing in size, sophistication, and frequency. This rise coupled with rapidly deployed remote working solutions during COVID has led to new risks being introduced to IT environments that quickly need evaluating and controlling.
Businesses cannot take this threat lightly, as it presents a financial, reputational and operational risk. However, it’s also the area with one of the largest skills gaps – there simply aren’t enough IT security professionals worldwide to meet demand. In Europe alone, the cyber-security skills gap doubled in 2019 and two-thirds of organisations have reported a shortage of skilled or experienced security personnel.
As cyber-security is such a vast and rapidly developing area, it can be difficult for IT Managers in mid-size companies to keep up with all the latest threats whilst also managing day-to-day activity, projects and continual improvement. To address this challenge, IT Managers should consider deploying advanced technologies and services, such as SIEM and MDR, and explore co-sourcing to obtain specialist cyber-security knowledge and experience.
6. Mobile device management
BYOD is nothing new, but the introduction of multiple corporate and personal devices into the workplace during the pandemic continues to cause issues for IT Managers. The threat landscape and companies’ risk profiles have grown significantly, and so has the need to control them. Keeping users productive and engaged whilst working full-time is going to need some focus and strategy in the medium and long term.
7. Skills gap
IT Managers not only have to contend with a cyber-security skills shortage but, overall, there is a general gap when it comes to tech and IT skills. This has been partly driven by the breadth and pace of innovation, but also because businesses are beginning to recognise the notable role technology plays in attaining their strategic objectives and require a different skillset from their IT pros.
Businesses attribute skills gaps to lower staff productivity, fewer sales, a lack of innovation and new product development, and increased operating costs. Yet, despite recognising the harm it causes, few have the processes in place to address skills gaps or offer formal training to upskill technical employees.
These gaps will only continue to grow and cause further harm unless action is taken. IT Managers must convey to senior management the value of continual and strategic training for technical employees and secure budget to ensure this can happen.
However, even with training, it’s unlikely that one or two IT professionals will be able to meet all the technical and strategic skill requirements of a mid-sized business unless you’re solely focused on ‘keeping the lights on’. It can be prohibitively expensive to build out a large internal IT team and retain individuals for the long term, which is why IT managers often turn to co-sourced IT support as a way to gain the specific skills they need, often at a fraction of the cost.
8. Cloud computing
The fallout from the pandemic is only expected to further accelerate the move to the cloud and between cloud platforms, such as a shift to hybrid public and private environments. The flexibility, scalability and potential of different cloud platforms are too great an opportunity to ignore. However, it’s important that IT Managers oversee the selection process to prevent rash decision making and budget wastage.
For those exploring new cloud-based services, it’s essential to consider security across multiple platforms. Traditionally, multiple clouds meant also managing multiple inconsistent and incompatible security systems. Now, a better option would be a cross-cloud, cloud-agnostic security platform which ensures complete enterprise-wide security, regardless of asset location.
9. Digital transformation
Digital transformation is complex, and it can be difficult to achieve success. Yet in order to prevent savvy competitors from overtaking them, businesses really need to focus their efforts in this area.
Projects or initiatives often fall on IT Managers because they’re seen as ‘tech’, but in order to achieve a successful digital transformation, the entire senior leadership needs to be engaged, establishing a clear reason for transformation and fostering a sense of urgency for making changes. The challenge for IT Managers lies in driving forward this behavioural change so digital transformation is seen as a much wider piece.
10. Hiring and retaining talent
The high demand for specific skills and a lack of suitable candidates results in fierce competition, which can make it difficult for mid-sized businesses to retain their technical talent. It’s not just a higher salary which can tempt IT pros away. Greater flexibility, upskilling opportunities, more manageable workloads and a chance to specialise – rather than the expectation to manage everything ‘IT’ – are all often cited reasons for a move.
While businesses should review their hiring and employee retention processes to identify areas for improvement, on the technical side they should also consider what skills they really need to have in-house. For example, cyber-security skills are essential, but can your business really offer the work, environment and – to be frank – the salary required to retain an expert with a niche skillset? Rather than engaging a specialist recruitment agency to find that talent, would it be more beneficial to consider other ways your business could gain access to those skills at the level you need?
11. Instilling trust
While recent events have moved IT into the heart of the business, IT Managers will need to work strategically to retain this position.
IT was hailed as a hero for helping mid-market businesses quickly make the full transition to remote working, keeping everyone running and productive. However, with people coming back into the office, IT risks becoming the villain by simply seeking to address some of the bad habits staff may have picked up during lockdown – i.e. restricting personal apps, preventing home-working until stronger security measures are in place, slow responses as the helpdesk becomes overloaded.
12. Increasing workloads
It’s positive that senior management is beginning to recognise the contribution of IT on a strategic as well as operational level, but this comes at a price for IT Managers. Not only are they typically responsible for day-to-day monitoring, maintenance and issue resolution, they also need to undertake improvement projects, create the IT strategy, investigate opportunities and generally help drive the business forward. It’s a vast set of responsibilities and often it may feel like there are not enough hours in the day to do it all.
13. Outsourcing
The combination of hiring challenges, skills gaps, trouble retaining talent and increasing workloads will lead many businesses to consider outsourcing or co-sourcing.
While this is usually necessary to meet the growing requirements of mid-market businesses, it often raises concerns around reliability, accountability and security. IT Managers can typically be responsible for assessing the suitability of third-party partners, vendors and suppliers so it’s vital they have a strict assessment process in place so they can feel confident in the engagement.
An IT Manager’s role is continually evolving and therefore becoming more challenging. As the scope of responsibilities and accountability becomes wider, new challenges for IT Managers will crop up alongside those which have held fast for some time.
A number of these challenges can be addressed by IT retaining a central position in the business and having a voice at the decision-making table. IT Managers cannot address these challenges solely by themselves; they need the support of the entire senior leadership team.