Does security awareness training really work?

Security awareness training is a great front-line defense against social engineering. The idea is to continuously stay aware of the latest techniques being used by hackers, how to identify them, and what to do when they are recognized for what they are. Employees are routinely tested on their awareness and defensive actions. Ask your MSP or IT manager about this, and if your budget allows, sign up for it. Your investment will likely be on the order of a few dollars and a few minutes of your employee’s time per month; it’s well worth it for most businesses.

However, if you plan to purchase an off-the-shelf security awareness package that is basically a self-study course, don’t waste your money. Your goal should be to change the behaviors of those using your Information Technology. Changing behaviors really means ending bad habits and replacing them with good ones. Our friends at Sandler Training promote the concept of AKASH when making effective and lasting changes in behaviors.

• A – Awareness
• K – Knowledge
• A – Application
• S – Skills
• H – Habits

Awareness is, of course, important, but what we do after becoming aware is really when we reap the return on our investment in security awareness training. An effective security awareness training program should include not just how to recognize today’s phishing schemes and the like, but it must include knowledge: an understanding of how and why these schemes are developed so that we can identify the subtle (and not-so-subtle) ongoing refinement of the schemes as cybercriminals continue to hone their craft. If you are going to invest in security awareness training, make sure the training is ongoing; a one-shot course will not keep your employees abreast of the latest threats.

Application of the fundamentals of security awareness training in the form of different exercises will develop the skills necessary to avoid getting hacked, and eventually, your organization will attain habits that represent best practices when using information technology.

Does security awareness training work? The simple answer is yes, but like any change in behavior, it takes time and most of all, the development of new work habits. Make sure you invest in an effective security awareness training service. Your MSP or IT manager can find and manage the right solution for you.