Why Employee Cybersecurity Awareness Training Is Important

Not everyone invests in employee cybersecurity awareness training, especially in the case of hybrid workplaces. In a 2023 study, a third of companies told Hornetsecurity they don't provide cybersecurity awareness training for remote employees. This is despite the fact that 75% of these companies' remote personnel can access sensitive data.

It's not always easy to cut through the noise and see why a security awareness program is important when you're juggling a lot of cybersecurity priorities at once. To help offer some context, we asked experts at CIS®, the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC® and EI-ISAC®), and MS-ISAC member organizations to discuss why security awareness training is important – particularly to U.S. State, Local, Tribal, and Territorial (SLTT) government organizations such as yours. Here's what they had to say.

Marci Andino, Sr. Director of EI-ISAC at CIS

Cybersecurity is everyone’s responsibility! Election offices play a crucial role in our democracy. They must be prepared for the 2024 general election and the unwanted cyber activity that accompanies a Presidential election. This is equally true for both large and small jurisdictions, as the internet provides equal access to all election offices. In addition to election-related training required to conduct efficient elections, election officials must increase their cybersecurity awareness to protect critical election infrastructure in their offices, warehouses, and at polling locations. Employee security awareness training will help election officials defend against phishing attacks, insider threats, and other tactics used by our adversaries to disrupt the election process. It will also give them insight into no-cost solutions available to election offices that they can use to train their permanent and seasonal workers to appropriately respond to such attacks.

Jason Balderama, CISO of Marin County, California, and MS-ISAC Security Awareness Working Group Co-chair

Cyber attacks and data breaches are becoming increasingly common; they remind everyone why exercising security best practices is so important. While technical security controls like firewalls, email security, and endpoint protection provide layers of defense against cyber threats, no one technical solution can stop all cyber attacks. Information security awareness training provides tools, techniques, and best practices that SLTT employees can use to spot potential threats, take appropriate actions, and protect their organizations.

SLTT/election offices can measure their security maturity with frameworks such as NIST CSF, NIST 800-53, and the CIS Critical Security Controls® (CIS Controls®). Most if not all of these frameworks include security awareness training as a component and offer insight into what is effective security awareness training. They also include detailed information on how to meet the control and how to use metrics to measure effectiveness.

All SLTT and election agencies perform critical services to the community. As organizations that store and process the private information of our residents, we have a duty to instill trust with the public. Implementing best practices such as security awareness training is a simple and cost-effective way to help meet this important goal.

Mathew Everman, Information Security Operations Manager at CIS

Employee cybersecurity awareness training falls within the CIS Controls® for good reason. All breaches begin with the human factor; putting in the effort to harden those vectors for attack is equally if not more important than any software or hardware hardening. Most public sector organizations struggle with limited funding, limited employee count, and/or tight specialization restrictions. In many cases, this leads to a limited staff of identified or in-house security professionals who are available to those teams on a daily basis. Helping internal resources understand the risk of a threat along with key indicators trains those employees on what to watch out for and how to react accordingly, effectively making the entire organization a strong security team. This creates the so-called human firewall.

Building a basic security awareness program according to your needs may be time-consuming, but it doesn’t have to be expensive. The positive return on investment is so great that it's nearly immeasurable. Data gathered by a cyber threat actor – no matter how insignificant – can be a small piece of a larger puzzle that could lead to an upstream breach of more sensitive data. The duty and responsibility of our public sector is to protect, provide for, and guide the public. The safety and security of the public is directly connected to the safety and security of those charged with its care.

Taking the time to ensure those key public sector members are well informed and emboldened to identify and report possible security incidents is absolutely key to the public wellbeing. As the information threat landscape grows, building a strong human knowledge infrastructure will ensure employees stay ahead of emerging threats and build security into their daily duties and functions.

Randy Rose, Senior Director of Security Operations & Intel at CIS

Maslow must rethink his hierarchy of needs! The internet has firmly rooted itself somewhere near the base of his famous pyramid. And just as we cannot forego using cyberspace, neither can we forego employee security awareness training. In fact, it’s just the opposite. Cybersecurity training, education, and awareness have become increasingly important in a world where people, regardless of their technical chops, are left with no choice but to use technology every day in a multitude of ways. They need to complete tasks at work, organize their schedule, balance their checkbook, review their children’s homework, and pay for everyday items, just to name a few.

When we rely so heavily on technology, it’s easy to take the threats we face because of it for granted. Combined with the rapid pace at which technology and associated attacks change, we must do our best to keep ourselves, our families, and our colleagues aware and vigilant.

Humans all learn differently, but one thing is certain: we all learn by repetition. It’s important for awareness of cybersecurity risks and best practices to be frequent and varied. The key to a good security awareness program is connecting new ideas with old ones. People learn most quickly when they can relate new information to things they already know. To maximize retention, messages should be straightforward, build upon prior knowledge, and rely on real-world examples and comparisons to tangible, non-technical concepts. Additionally, there should be a mixture of delivery styles covering at least reading, listening, watching, and doing.

Cybersecurity education that sticks can be the difference between a user who clicks a link and a user who stops to think. And that difference can save an organization millions.

Security Awareness Training to Support Your Future

As our experts point out above, security awareness training won't be losing any of its value anytime soon. In the 2023 Data Breach Investigations Report (DBIR), Verizon Enterprise found that nearly three quarters of data breaches involve the human element. This finding shows why it's important to invest in building a security awareness program now.

We're here to help! Through our partnership with the SANS Institute, we're proud to bring you SANS Security Awareness training that can help fortify your employees against social engineering and other cyber attacks exploiting the human element. Developed by highly experienced cybersecurity instructors and experts, SANS Security Awareness offers a customizable mix of end user training content to address relevant threats, teach security concepts that are critical to your workplace, and adhere to the ideologies of your organization’s corporate culture. Demos are also available for all versions of SANS Security Awareness.

Now through January 31, save over 50% on the SANS Institute's security awareness training programs, including SANS Security Awareness, technical training courses, and more.

The First Step in Building a Positive Security Culture

Cybersecurity awareness training for employees helps you minimize the risks stemming from the human element. No technology solution can stop all cyber attacks and data breach vectors, after all. That's why you need a human firewall: a positive security culture built on security awareness training that connects new ideas to old. With it, you can protect the critical services, individuals, and infrastructure that you as an SLTT are instrumental in supporting.