Commercial Integrator February 2023 - 12

THE SERVICE DESK
Best Practices for Security-Awareness Training
Companies tend to their antivirus software diligently. It's equally, if not more,
important to tend to your 'human firewall.'
By Mat Kordell
In every cybersecurity case, one thing
is almost always true: Somewhere along the
line, employees made a mistake. It can be
your accountant clicking on a link in a cleverly
crafted scam email and unwittingly providing
the fraudsters with a login to the accounting
system. It can be someone in the IT department
misconfiguring something during setup.
I don't mention this to blame employees;
on the contrary, I say it to keep your business
and its critical or regulated data safe. Your
security measures play a crucial role in doing
just that. Employees must identify and stop
every cunningly devised scheme that evildoers
dream up, every time. And your actions
play a significant role in ensuring they do just
that. A seemingly endless army of bad guys,
who have an infinite supply of new tricks,
only have to deceive one person, one time,
to empty your company's bank account,
launder your funds through cryptocurrencies
or sell your data on the dark web.
Security-Awareness Training
Nearly every IT security standard, just
about every regulatory body and even
state laws have begun to prescribe, if not
require, regular security-awareness training
as a critical component of a cybersecurity
program. Employees are the last line of
defense against threats. Technical-security
controls, such as email-gateway defense or
anti-malware solutions, as well as cybersecurity
policies, only succeed if employees
maintain that security posture. When a
scam email lands in your employee's inbox,
it's entirely up to them to identify the threat
and respond appropriately. Unfortunately,
scammers are constantly finding ways to
bypass existing controls. Therefore, risk
centers on employees making the right call,
right when doing so counts.
This is where security-awareness training
for employees comes into play. The idea
behind it is to fortify your last line of defense
or, as it's commonly referred to in the cybersecurity
industry, your "human firewall."
[Photo caption: Security-awareness training helps fortify
organizations' defenses against cyberthreats,
keeping critical or regulated data
safe and secure.]
If you search for "security-awareness
training" online, you can find anything
from one-off videos or articles to pages
with a small, basic assortment of training
resources; to managed and regular
training and compliance programs; to live
training engagements. Cybersecurity and
standards organizations (e.g., NIST, HHS,
DOD) provide many free resources. These
resources are a great place to start for small
businesses. Where you may find these fall
short is in their ability to be managed with
scale and be relevant. In addition, most
government or regulatory requirements
dictate that you must be able to track
who took which training and when, and
they should be able to prove they paid
attention. These free resources usually will
not have any functionality to enable this
detail-oriented approach.
Unmonitored, Without Updates
Workers face threats daily, and they tend to
be timely and relevant (Christmas-themed
scams, a donate-to-Ukraine email). At the
same time, most frequently, this static and
generalized security-awareness training
would be completed upon hire and, again,
maybe only once annually. Most people
would agree that they want antivirus software
updated frequently, with timely and
relevant information. But this more lackadaisical
approach to security-awareness training
leaves your human firewall unmonitored and
without updates for extended periods.
At the other end of the spectrum, live
and intensive training programs significantly
increase attendees' passion for,
and understanding of, the topic at the
macro level. However, they tend not to be
cost-effective or scalable, nor are they truly
effective in changing day-to-day behavior.
Consider that, on average, you will forget
about 80% of everything you learn on
any given day. And since these programs
tend to be scheduled in advance and have
an admission price that is in line with an
in-person or cohort-based virtual event,
they tend to be cost-prohibitive. It can
become a logistical nightmare to get all
employees to attend. On the other hand,
these programs are a great option to get
leadership, staff who have cybersecurity
responsibility, and those with access to
susceptible data or systems on the same
page and in agreement about the level of
risk and responsibility in front of them.
This brings us to an important question:
What is the best approach to increasing cybersecurity
awareness? An ideal plan should
meet the following requirements:
1. An annual training, as many regulatory
bodies and laws require. These programs
should be provable (i.e., a test) and trackable
(who completed the program and when).
2. Your security-awareness training
program should provide timely and relevant
reminders (for instance, "Think before you
click this Christmas") in bite-sized chunks to
help employees keep security top of mind.
3. The training program should be easily,
if not automatically, manageable. It should
also be customizable per employee.
4. It should be as cost-effective as your
antivirus is, requiring a small spend per
endpoint (or, in this case, per employee).
It should also minimize the administrative
overhead required to manage the system.
5. This is the most important: It has to be
easy and engaging for employees. Doing
security-awareness training should be as
simple as checking your email, and should
be interesting - even fun. It should also be
memorable (at least for a couple of days).
Mat Kordell is VP of operations
for CyberStreams, a member of
The ASCII Group since 2022. Go
to CyberStreams.com for more.
Photo: VALERYBROZHINSKY/STOCK.ADOBE.COM
