Security Awareness Training Should Always Lead to Changes in Behavior

When striving for success, you must have a definite purpose — something that stands above everything else in terms of getting results. As it relates to information security and, specifically, user awareness and training, what’s the main goal?


Is it to train everyone to the highest possible level so they can be a part of the security solution? Perhaps it’s to set your business up for success by controlling users’ actions through policies and technologies? Maybe it’s to check the security awareness training box that auditors look for? Looking at the myriad approaches and possible outcomes of a security awareness and training program, no matter how it’s done, it all comes down to one thing: behavioral changes.


There are many businesses out there going through the motions of cybersecurity training, but they have little to show for it. Sure, the box is checked, but people are still clicking on malicious links, opening email attachments and falling for the same old tricks that social engineers have thrust upon us for decades. I see it in practically every security assessment project I work on. If a phishing message is convincing enough, upwards of half (sometimes more) of users I target open attachments, click links and provide their network login credentials when prompted. It’s a simple yet disturbing exploit and it’s happening all around the globe — your business included — every single day.


Find the Gaps in Your Security Awareness Program


With behavioral changes as a core component, is your security awareness program focused on the right things — the things that will help achieve your overarching purpose and goals? Or are you doing things that are moving you further ..