
    ISO 27001 & ISO 22301 Blog

    What are the benefits of security awareness training for organizations?

    When learning about information security, we become broadly aware of general risks to information plus basic controls through a gradual and widespread educational process, sometimes supplemented with more intensive training in specific areas (such as how to respond to security warnings, and how to recognize and handle privacy issues). This kind of security awareness training is certainly useful for us personally, but why is this important for the companies we work for?

    The importance of the human element in information security

    Information is an extremely valuable, yet vulnerable, business asset. Securing information (that is, ensuring its confidentiality, integrity, and availability) is therefore critically important, just as we need to secure other business assets such as buildings, plants, and machinery.

    Despite investments in security technologies, such as antivirus software, significant information risks remain due to the reliance on employees’ always “doing the right thing and doing things right.” Inattention and ignorance are human vulnerabilities that can be reduced but not eliminated through technology.

    Some employees, and outsiders in general, may not have the organization’s best interests at heart. Year by year, deliberate threats to information are increasing. Furthermore, most organizations today are utterly dependent on information, particularly computer data, IT systems and networks, and intellectual property. Therefore, the consequences of information security incidents can be devastating in terms of business interruption and additional costs, such as reputational damage.

    In short, facing substantial and growing information risks, we ignore the human element of information security at our peril.

    The business benefits

    Security awareness and especially training are not (always) free though, so how do we justify the expense? Let’s examine the business benefits in five groups.

    Company security awareness training: What are the benefits?

    1) Reducing resistance to information security

    Given sufficient awareness and/or training, employees make better, more effective, and more efficient use of security controls. For starters, they appreciate that the controls are there for good reason; hence, they are less likely to ignore, bypass, or disable them. Understanding why we need long passwords, for instance, and how to choose strong, yet memorable passwords or passphrases, makes it easier to be secure. Employees refusing to disclose or share their passwords is another control bolstered through awareness and training.

    2) Improved information security, privacy, and compliance

    The most immediate benefit of awareness and training arises from improvements to the organization’s information security arrangements. A clear desk policy, for instance, is almost worthless if employees don’t know about it, don’t care, and can’t be bothered to comply. Awareness to the rescue! The mere existence of the policy is, in itself, a sign that management appreciates the need, while its clarity, focus, and motivational effectiveness depend on the author(s) being sufficiently clued up. As an integral part of an organization-wide approach to information risk management, security awareness and training enable all the other security controls and support the achievement of a wide range of business objectives – including compliance with privacy, accounting, governance, and other laws and regulations.

    3) Avoided or reduced costs from information security incidents, breaches, etc.

    Compared to the average organization, a security-aware workforce, supported and guided by highly trained security professionals, is less likely to suffer information security incidents, privacy breaches, unplanned downtime, and so forth. Employees who know what to look out for are less likely to fall for obvious scams or to ignore the early signs of trouble. They are the equivalent of skilled drivers, being extra cautious when appropriate and able to make good progress when the road conditions are favorable.

    What’s more, any incidents that do occur are likely to be shorter and more limited because employees spot them and react appropriately. Incident response can’t start until an incident is recognized and reported, both of which depend on employees knowing what to do, without delay.

    4) Improved reputation and greater trustworthiness

    If a majority of the workforce is security-aware, outsiders and visitors perceive an organization that clearly takes security and privacy seriously. From the moment someone arrives at the premises or visits the corporate website, there are clues – some obvious, such as warning signs and security certificates, and others that are more subtle, such as efficiently following structured processes. Differences in how people and organizations interact affect the extent to which they are willing to depend on each other. Trust is a major factor in commerce, and a significant part of an organization’s reputation and brands. Consider the differences between shopping at a temporary street market compared to, say, a department store, or a backstreet car lot compared to a major dealer. In business, impressions matter!

    5) Situational awareness

    “Situational awareness” is almost a sixth sense. It’s hard to explain precisely why an email or phone call “doesn’t seem quite right,” especially as each situation is different; hence, it is impossible to define precise rules on what to look out for. It is true that many phishing emails start with a nonspecific greeting such as “Dear customer,” but some don’t: spear-phishing attacks commonly use the recipient’s name, often with other information intended to give the appearance that the sender is a colleague, acquaintance, or friend. What’s more, that inkling of something wrong achieves nothing unless the employee reacts appropriately, not opening the attachment or clicking the link for instance, and perhaps seeking help to check out the message.

    Better safe than sorry

    Besides being a long-term investment in the overall success of the business, awareness and training are an integral and essential part of any sensible approach to information security. If you are still not convinced of their purpose and value, consider the alternative: sure, the organization won’t have to pay for security awareness materials and training activities, but employees will be naïve, uninformed, and unmotivated. Security controls will be neglected, forgotten, and sometimes disabled or bypassed for the sake of convenience. The organization will appear untrustworthy, its reputation and bottom line both tarnished by incidents and breaches that should have been prevented or mitigated.

    Check out this free security awareness training to see an example of 25 videos that cover a wide range of basic security topics.

    Gary Hinson
    Dr. Gary Hinson, PhD, MBA, CISSP, is an information security specialist with a passion for human factors and the non-technical side of information security. Gary’s career stretches back to the mid-1980s as a practitioner, manager, and consultant in the fields of IT system administration, information security, and IT auditing. Gary runs an information security awareness subscription service called NoticeBored, and spends his days writing creative security awareness materials similar to this piece.