4 Reasons Why Security Awareness Training Is Important
Let's face it: not everyone sees the value of security awareness training. That's true even as we move deeper into an age of hybrid work. In a 2023 study, for instance, Hornetsecurity found that 33% of companies don't provide training to remote employees. (For context, the study revealed that three-quarters of remote employees have access to sensitive data.) Nearly half (44%) of respondents went on to say that they intend to increase the percentage of remote employees working for them.
We at the Center for Internet Security (CIS) know that security awareness training is important. That's why we made it one of our CIS Critical Security Controls (CIS Controls). But we also know that it's not always easy to see why it's important when you're juggling a lot of cybersecurity priorities at once.
To remedy this situation, we reached out to experts at CIS, the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS- and EI-ISACs), and MS-ISAC member organizations. We asked them to discuss why security awareness training is important and what impact it can have on U.S. State, Local, Tribal, and Territorial (SLTT) government organizations such as yours. Below you'll find some of their responses.
Marci Andino, Sr. Director of EI-ISAC at CIS
Cybersecurity is everyone’s responsibility! Election offices play a crucial role in our democracy. They must be prepared for the 2024 general election and the unwanted cyber activity that accompanies a Presidential election. This is equally true for both large and small jurisdictions, as the internet provides equal access to all election offices. In addition to election-related training required to conduct efficient elections, election officials must increase their cybersecurity awareness in order to protect critical election infrastructure in their offices, warehouses, and at polling locations. Cybersecurity awareness training will help election officials defend against phishing attacks, insider threats, and other tactics used by our adversaries to disrupt the election process. It will also give them insight into no-cost solutions available to election offices that they can use to train their permanent and seasonal workers to appropriately respond to such attacks.
Jason Balderama, CISO of Marin County, California, and MS-ISAC Security Awareness Working Group Co-chair
Cyber attacks and data breaches are becoming increasingly common; they serve as a reminder to everyone why exercising security best practices is so important. While technical security controls like firewalls, e-mail security, and endpoint protection provide layers of defense against cyber threats, no one technical solution can stop all cyber attacks. Security awareness training provides tools, techniques, and best practices that SLTT employees can use to spot potential threats, take appropriate actions, and protect their organizations.
SLTT/election offices can measure their security maturity with frameworks such as NIST CSF, NIST 800-53, and the CIS Controls. Most if not all of these frameworks have security awareness training as a component. They also include detailed information on how to meet the control and how to use metrics to measure effectiveness.
All SLTT and election agencies perform critical services to the community. As organizations that store and process the private information of our residents, we have a duty to instill trust with the public. Implementing best practices such as security awareness training is a simple and cost-effective way to help meet this important goal.
Mathew Everman, Information Security Operations Manager at CIS
Security awareness training falls within the CIS Controls for good reason. All breaches begin with the human factor; putting in the effort to harden those vectors for attack is equally if not more important than any software or hardware hardening. Most public sector organizations struggle with limited funding, limited employee count, and/or tight specialization restrictions. In many cases, this leads to a limited staff of identified or in-house security professionals who are available to those teams on a daily basis. Helping internal resources understand the risk of a threat along with key indicators trains those employees on what to watch out for and how to react accordingly, effectively making the entire organization a strong security team. This creates the so-called human firewall.
Building a basic cybersecurity awareness program according to your needs may be time-consuming, but it doesn’t have to be expensive. The positive return on investment is so great that it's nearly immeasurable. Data gathered by a cyber threat actor – no matter how insignificant – can be a small piece of a larger puzzle that could lead to an upstream breach of more sensitive data. The duty and responsibility of our public sector is to protect, provide for, and guide the public. The safety and security of the public is directly connected to the safety and security of those charged with its care.
Taking the time to ensure those key public sector members feel well informed and emboldened to identify and report possible security incidents is absolutely key to the public wellbeing. As the information threat landscape grows, building a strong human knowledge infrastructure will ensure employees stay ahead of emerging threats and build security into their daily duties and functions.
Randy Rose, Senior Director of Security Operations & Intel at CIS
Maslow must rethink his hierarchy of needs! The internet has firmly rooted itself somewhere near the base of his famous pyramid. And just as we cannot forego using cyberspace, neither can we forego cybersecurity education. In fact, it’s just the opposite. Cybersecurity training, education, and awareness have become increasingly important in a world where people, regardless of their technical chops, are left with no choice but to use technology every day in a multitude of ways. They need to complete tasks at work, organize their schedule, balance their checkbook, review their children’s homework, and pay for everyday items, just to name a few.
When we rely so heavily on technology, it’s easy to take the threats we face because of it for granted. Combined with the rapid pace at which technology and associated attacks change, we must do our best to keep ourselves, our families, and our colleagues aware and vigilant.
Humans all learn differently, but one thing is certain: we all learn by repetition. It’s important for cybersecurity awareness and education to be frequent and varied. The key to a good cybersecurity awareness program is connecting new ideas with old ones. People learn most quickly when they can relate new information to things they already know. To maximize retention, messages should be straightforward, build upon prior knowledge, and rely on real-world examples and comparisons to tangible, non-technical concepts. Additionally, there should be a mixture of delivery styles covering at least reading, listening, watching, and doing.
Cybersecurity education that sticks can be the difference between a user who clicks a link and a user who stops to think. And that difference can save an organization millions.
Security Awareness Training to Support Your Future
As our experts point out above, security awareness training won't be losing any of it's value anytime soon. In the 2023 Data Breach Investigation Report (DBIR), Verizon Enterprise found that nearly three quarters of data breaches involve the human element. This finding shows why it's important to invest in security awareness training now and into the future.
We're here to help you! Through our partnership with the SANS Institute, we're proud to bring you SANS Security Awareness training that can help fortify your employees against social engineering and other cyber attacks exploiting the human element. Developed by highly experienced cybersecurity instructors and experts, SANS Security Awareness offers a customizable mix of end user training content to address relevant threats, teach security concepts that are critical to your workplace, and adhere to the ideologies of your organization’s corporate culture. Demos are also available for all versions of SANS Security Awareness.
The First Step in Building a Positive Security Culture
Security awareness training helps you minimize your risks stemming from the human element. No technology solution can help you stop all cyber attacks and data breach vectors, after all. Which is why you need a human firewall, a positive security culture built on security awareness training that connects new ideas to old. With it, you can protect the critical services, individuals, and infrastructure that you as an SLTT are instrumental in supporting.