What Is Security Awareness, and Why Is It Important?
As a business owner, you have a lot on your mind as we all progress through the COVID-19 situation. Your workforce is probably broken up in ways you have never experienced before, and the way everyone is connecting to your resources may be less than ideal from a security perspective. This situation makes a comprehensive security awareness program more important than ever.
We are all doing what we have to do to survive this global pandemic, and security is taking a back seat for now. The problem is that now, more than ever, security needs to be a primary focus. Cyber-attacks are rising because criminals know that some of the typical defenses that businesses have in place are down or moved at the moment. In fact, the FBI has reported a 400% increase in cyber-attacks during the pandemic.
Many businesses are working on home systems that don't have the typical defenses, and this is what criminals are targeting. Cybersecurity cannot take an off day. Even one employee who clicks on a malicious link in their email could infect your entire business, even from home. This is why a comprehensive security awareness program is a critical component of your overall cyberthreat prevention strategy.
As a managed service provider (MSP) managing thousands of devices and supporting end-users across almost every industry, Innovative offers security awareness programs to our clients through the KnowBe4 solution. While we selected KnowBe4 as our security awareness partner of choice, we know that our solution isn’t the best fit for everyone. This article provides an overview of what a security awareness program is, what it can do for your company, and the features you should look for in any security awareness solution.
What is security awareness?
Security awareness is every employee's ownership of the safety of an organization's data and information systems, together with their understanding and practice of how to prevent data breaches and security incidents at the individual level.
Security awareness is the new buzzword going around the tech industry, but it aims to fill a gap in cybersecurity that has existed for a long time. That gap is end-user behavior. Instead of simply providing another layer of protection like antivirus or a firewall, the focus of security awareness is working with end-users to ensure they have the necessary knowledge to make smart choices, thus protecting your business.
The best way to show the power of security awareness is through a real-life example. Before we move on, let's quickly define a term that we will be using a good bit in this example.
Phishing is pronounced just like the recreational hobby of catching fish (fishing), and it works much like fishing, which is how it earned the name. The end goal is to get something out of the end-user, such as a password or sensitive information, or to get them to install some type of tool that provides access to your system: anything that allows the scammer to steal something from the business.
The Case for Security Awareness: A Real-Life Phishing Example
The company name has been changed for security reasons.
Contoso Company frequently made wire transfers to pay vendors and members of the executive staff. A wire transfer was typically initiated between a member of the accounting team and the CEO.
One Friday afternoon, the accountant received an email from the CEO indicating that a transfer needed to be made. Since it was a pretty typical process for Contoso, they went back and forth over email and completed the transfer. The following Monday, the CEO realized that he never received the money transfer, and after a quick call to the bank, they realized that the money was gone from the company account and transferred to an account that was not his own. This was a significant sum of money that just vanished. What happened?
After careful evaluation, here is what was uncovered:
Step 1: Six to seven months earlier, an end-user in the company clicked on a malicious link. Since nothing appeared to happen, they assumed everything was fine and never reported it. But the damage was done: clicking the link silently installed malicious software on the user's computer. That software created an email forwarding rule that sent a copy of every email destined for the accountant to an alternate email address while still delivering the original to the accountant, so they would not notice anything was wrong. The forwarding rule allowed the scammer to learn the typical business patterns and who was involved in a wire transfer. They learned when the transfers typically occurred, and a plan was devised.
- Clicking on a malicious link will almost never show an issue right away. Instead, the malicious software lives on your machine for an average of four to six months, learning about your business so an attacker can make their move at a later date.
- Even though the company had a great antivirus tool present at the time, hackers are very motivated to keep malicious tools like this under the radar. No tool can prevent every attack.
Step 2: On the Friday referenced in the story, the CEO really did send this accountant a message asking for funds to be transferred. However, after his email, a second email came through that had the CEO's name on it, but the email address was different from usual. This email indicated the alternate bank information to use for this transfer and even apologized for giving her the wrong one initially. The accountant did not notice the email address was different because it still had the CEO's full name listed beside it. This is called email spoofing. It is very common with phishing scams because it looks like the email is coming from within the company.
The email also came through on a Friday afternoon near the end of this accountant’s workday, which meant that the accountant wanted to process this quickly and head home. The scammer knew this and sent the fictitious email at a vulnerable time in their day.
- The scammers waited six to seven months before making a move. They used this time to study the language and tone used in normal business emails. They also studied the habits of end-users, allowing them to time their attack during the busiest, most vulnerable time when the end-user was most likely to miss a slight discrepancy in the sender’s email address.
This attack was devastating to the business. An FBI case was opened, but this money was never recovered.
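The second email in the story carried the CEO's display name but a different address. As an added example that is not part of the original article or of any product it mentions, the check below flags exactly that pattern on incoming mail: a display name that matches a known executive paired with a mailbox that is not theirs, and a Reply-To that would pull replies outside the sender's domain. The company domain, the executive directory and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "contoso.example"  # assumed internal domain (constructed)
# Assumed directory of people worth impersonating: display name -> real mailbox.
EXECUTIVES = {"Jane Doe": "jane.doe@contoso.example"}
_BY_NAME = {n.casefold(): a.lower() for n, a in EXECUTIVES.items()}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def check_sender(from_header: str, reply_to: str = "") -> list:
    """Return the reasons a message looks like executive impersonation; [] if clean."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    findings = []
    expected = _BY_NAME.get(name.strip().casefold())
    if expected and addr != expected:
        # The CEO's name is on the From line, but it is not the CEO's mailbox.
        findings.append(f"display name {name!r} belongs to {expected}, but sender is {addr}")
    if reply_to:
        _, rt = parseaddr(reply_to)
        if _domain(rt) != _domain(addr):
            # Replies would leave the conversation the recipient thinks they are in.
            findings.append(f"Reply-To {rt} does not match sender domain {_domain(addr)}")
    return findings


# Constructed sample headers modelled on the wire-transfer story above.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@contoso.example>", "Subject": "Wire for vendor"},
    {"From": "Jane Doe <jane.doe@contoso-example.com>", "Subject": "Re: Wire - corrected account"},
    {"From": "Jane Doe <jane.doe@contoso.example>", "Reply-To": "jdoe.ceo@mail.example",
     "Subject": "Quick favor"},
]


def triage(messages) -> dict:
    """Map message index -> findings for every message that raised at least one."""
    flagged = {}
    for i, msg in enumerate(messages):
        findings = check_sender(msg["From"], msg.get("Reply-To", ""))
        if findings:
            flagged[i] = findings
    return flagged


if __name__ == "__main__":
    for i, findings in triage(SAMPLE_MESSAGES).items():
        print(i, SAMPLE_MESSAGES[i]["Subject"], findings)
```

A rule like this belongs in the mail gateway or a mailbox-level transport rule; it does not replace the human habit of confirming changed bank details out of band.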
How would security awareness have helped?
This story had three opportunities for end-users to prevent the attack.
- When the user received the phishing email with the link to launch the malicious software.
- After the user clicked on the suspicious link.
- Before the accountant wired the money to a different account per email instructions.
A good security awareness program could have given those end-users the skills and practice they needed to avoid this devastating attack.
Security awareness would have:
- Taught the end-users how to identify phishing emails and suspicious links.
- Provided opportunities to practice reporting suspicious emails and links.
- Regularly tested end-users with “fake” phishing and spoofing attempts, training them to keep their guard up at all times.
Elements of a Security Awareness Program
Now that you’ve seen what an attack looks like, let's break down how a good security awareness program should work and how it can immediately impact your business.
A security awareness program is a three-step program that you continuously repeat to improve security over time. The three critical components of a security awareness program are:
- Testing – Find out where your most significant security gaps lie.
- Training – Teach end-users how to identify and respond to suspicious emails.
- Reporting – Track improvements over time and identify areas for focus for the next round of testing and training.
Your end-users need to be put in situations where they have to make decisions that determine if the organization gets breached or not. This comes through phishing simulations. Phishing simulations are fake phishing attacks and spoof emails generated by you or your IT team to test how users respond to phishing attempts. The results of these tests tell you how susceptible your organization is to a phishing attack. You can utilize these results to track overall improvement in the company over time. It also provides an opportunity for end-users to practice good decision making and reporting procedures to ensure that malicious emails are reported properly.
In a good security awareness program, phishing simulations are constantly updated with ways to trick your end-users. A good example of this is the COVID-19 situation. The best tools quickly had COVID-19 templates available that tricked users in a variety of ways relating to this pandemic, just like real attackers were using pandemic-related news and announcements as a way to trick end-users. That may sound harsh, but the reality is that even one person in the company can completely compromise your entire system. Every employee needs to keep their guard up at all times to protect YOUR business.
The purpose of testing is seeing which users fall for the bait, and what types of bait are the most successful. In the next step of your security awareness program, you’ll use the results of your testing to inform your security awareness training.
Security awareness training teaches end-users what to look for in the future, so the same mistake is not made again. A good security awareness training program allows you to provide different types of training to different users based on the individual results of testing. That is why tracking who clicked on the links is crucial: it lets you assign the proper training to the appropriate individuals. This could be phishing-specific training, general security awareness training, or more specific training that is tailored to things that are important to your business.
A successful training program includes training content in all different shapes and sizes. Make sure your security awareness training program includes videos, interactive quizzes, high-level white papers, and even games. Training must be specific to the individual based on the results of your testing and their specific role within the company. Keeping the content set to appropriate levels for each user enables the training to be received well and retained. It also ensures that your training won't get stale.
Reporting plays two critical roles in your security awareness program:
- Identify which users need what type of training. This is necessary to inform the future testing and training cycles of your security awareness program.
- Evaluate the success of your security awareness program. This lets you document the improvements your organization is making to overall network and data security. It is also essential to measuring the ROI of your security awareness program.
The goal of any security awareness program is overall company improvement. You have to show that security gaps are being closed, or else your investment becomes difficult to measure. So, having a starting point and metrics to measure your improvement over time is crucial.
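The testing, training and reporting cycle described above can be worked through on a simulation export. This is an added example, not code from the article or from any security awareness product: it takes a constructed per-user, per-campaign result log, computes the click and report rates reporting should show, assigns each user a training tier from their own history, and measures improvement between the first and latest campaign.

```python
from collections import defaultdict

# Constructed simulation log, one row per user per campaign, in chronological order:
# (campaign, user, clicked the link, reported the email)
RESULTS = [
    ("2020-Q1 invoice", "alice", True, False),
    ("2020-Q1 invoice", "bob", False, True),
    ("2020-Q1 invoice", "carol", True, False),
    ("2020-Q2 covid-update", "alice", True, False),
    ("2020-Q2 covid-update", "bob", False, True),
    ("2020-Q2 covid-update", "carol", False, True),
]


def campaign_metrics(results) -> dict:
    """Per campaign (first-seen order): share of users who clicked and who reported."""
    agg = {}
    for campaign, _user, clicked, reported in results:
        c = agg.setdefault(campaign, {"sent": 0, "clicked": 0, "reported": 0})
        c["sent"] += 1
        c["clicked"] += int(clicked)
        c["reported"] += int(reported)
    return {k: {"click_rate": v["clicked"] / v["sent"],
                "report_rate": v["reported"] / v["sent"]} for k, v in agg.items()}


def assign_training(results) -> dict:
    """Tier each user from their own history: repeat clickers get the phishing-specific
    module, one-time clickers a refresher, consistent reporters the general module."""
    clicks = defaultdict(int)
    for _campaign, user, clicked, _reported in results:
        clicks[user] += int(clicked)
    tiers = {}
    for user, n in clicks.items():
        if n >= 2:
            tiers[user] = "phishing-specific"
        elif n == 1:
            tiers[user] = "refresher"
        else:
            tiers[user] = "general-awareness"
    return tiers


def improvement(results) -> float:
    """Change in click rate from the first campaign to the latest (negative means better)."""
    rates = [m["click_rate"] for m in campaign_metrics(results).values()]
    return rates[-1] - rates[0]


if __name__ == "__main__":
    print(campaign_metrics(RESULTS))
    print(assign_training(RESULTS))
    print(f"click-rate change: {improvement(RESULTS):+.2f}")
```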
What to look for in a security awareness product
There are many different solutions on the market to help you implement a security awareness program. Innovative is a KnowBe4 partner, and we use that solution to implement security awareness programs for our managed service clients. We choose that product because it is the easiest tool for our staff to administer on behalf of our clients. It also offers the most robust training library that allows us to pick and choose the most applicable training menu for our wide range of clients.
The best solution for you is the one that is the easiest to implement, includes the types of training you need, and delivers the necessary data for your company to make the best decisions and document security improvements over time.
Here are the key things to look for when selecting a security awareness solution.
The ability to conduct phishing simulations is essential to your security awareness solution. Your phishing simulation tool must include the ability to customize the landing page if a user does click a link in your testing email. The landing page should inform an end-user that they clicked on something they should not have and reinforce better habits moving forward. This can be done through simple educational text, video, or any creative method to help your team know they made a mistake.
Phishing emails are not the only way that scammers can steal your information. Information theft also occurs via scam phone calls (called vishing) and even through physical means, such as picking up a USB key lying in the parking lot that contains malicious software. An ideal security awareness program can test these other areas as well.
One size does not fit all companies when it comes to training. So, you need a security awareness training platform that provides many content options. Training libraries should include detailed text, graphics, videos, quizzes, and games that appeal to all different learning styles. Choose a program with a robust and effective training library for all skill levels and roles within your organization.
Ensure there is training that can be tailored to specific roles (executives, technicians, office workers, HR, etc.) so that each department can receive the training that most affects its responsibilities within the company. A good security awareness program will include information for each level of the organization.
Ensure that your security awareness program has good reporting to quickly see how your staff is doing on a specific phishing campaign or training assignment. You don’t want to dig around and re-learn the system every month just to receive easy information. It needs to be easy with reports that can be emailed or quickly viewed within a few clicks.
Who Should Implement Your Security Awareness Program
If you have a dedicated IT person, they can take on the administration of a security awareness tool. However, they are not likely to have the necessary skills or experience to manage a training program. Your internal IT person may need to partner with your HR or training department to implement the training elements of the program successfully. At a minimum, ask to frequently see your organization's testing and training results and occasionally ask for a list of people being tested. We’ve seen many cases where the organization is using a tool that isn't even testing all the users.
The Role of Your Managed Service Provider in Your Security Awareness Program
Many of the security awareness programs are built to be managed through a managed service provider (MSP). An MSP partners with businesses that do not have internal IT resources to manage all aspects of their network administration and data security. With an MSP-administered security awareness program, the MSP takes on the responsibility of deploying, testing, and training to your staff and reporting results on a regular basis so you can ensure this is actually helping your organization.
This results-driven approach is a great fit for small businesses that don’t have the extra time or dedicated IT person to manage such an undertaking. It also ensures that the tool is utilized properly since the MSP has all the necessary training to implement this successfully for your business.
If you don't know where to start, I would recommend having a conversation with your IT partner first. Hopefully, they already have an offering in their solution stack to meet this need.
Your security awareness program is just one element of your overall IT strategy. Use this free Business Technology Inventory and Assessment Template to begin the documentation you need for your IT strategy.