Why is information security awareness training important?

Good news. Bad news. The bad news is that cyber security threats to businesses are increasing exponentially every day. But then, you already knew that. The good news is that the best defence against these ever-growing threats is already at work in your business – your staff.

Over 80% of the breaches reported in the last year could have been prevented by vigilant employees. But while businesses continue to invest millions of pounds and thousands of man-hours in deploying gadgets and technology to secure their organisations, little or nothing is invested in their best defence – people. Investing in people will result in the highest return. This has been proven repeatedly over the years. If there is a silver bullet in the cyber war, it's education.

Good information security awareness training is also required for compliance with:

  • ISO/IEC 27001:2013
  • Payment Card Industry (PCI) Data Security Standard (DSS)
  • Data Protection Act (DPA) 2018

What makes a good information security training program?

A good information security awareness training program is the best defence against the myriad of cyber threats to businesses today, but it cannot be achieved without foresight and planning. To be effective, program messages must be simple, direct and repeated continuously in different guises and mediums and, of course, resonate with the receivers. A one-time presentation or a static set of independent activities isn't good enough.

Content must be delivered in multi-media formats and fed continuously, building on messages designed to change behaviours. You've got to find a way to get the subject matter "in their heads" to influence the behavioural changes that deliver measurable results. And once you've got the message in their heads, you need to keep it in their heads. The eRiskology™ way achieves this.

eRiskology™ information security awareness program


eRiskology™ is our comprehensive information security training and awareness program solution. Simply put, eRiskology is the way to instil an information security awareness culture in your business. The key to making your staff mindful of the multitude and severity of security threats to your business's information assets is to "get it in their heads". eRiskology does just that through the application of 4 harmonised learning paths: INSPIRE them with current, stimulating, face-to-face workshops; EMPOWER them with knowledge from computer-based training programs covering current hacking methodologies and best defences; ENGAGE them with a steady stream of thought-provoking current events and multimedia messages (videos, podcasts, infographics, monthly bulletins, tips and alerts); and finally, MEASURE them through social engineering testing and program performance metrics.

This multi-path approach is designed to change the day-to-day behaviour and information security culture of your workforce. These combined techniques comprise the eRiskology way and ensure that you "get in their heads". The eRiskology way not only instils a tangible information security awareness culture in your business; it also nurtures and strengthens that culture, measuring its presence and evolution year after year after year. We do this by ensuring key performance indicators are applied across the 4 paths to measure and monitor that change. No one else does that. The benefits of this transformation will significantly increase your information security defences.

What is the eRiskology™ information security program structure?

eRiskology™ is the way to instil an information security awareness culture in your business. The key to making your staff mindful of the multitude and severity of security threats to your business's information assets is to "get in their heads". eRiskology™ does just that through the application of these 4 combined pathways:


INSPIRE them through meaningful, thought-provoking and collaborative onsite workshops given by seasoned information security risk trainers. Personal messages need to be delivered face-to-face, and so eRiskology begins with the implementation of an on-site, all-hands workshop with your staff. The first critical step in changing behaviour is changing minds. To do this you need to inspire people to care. Stimulate their thinking on cyber security by questioning their ideas of privacy, highlighting their extreme reliance on technology and challenging any assumptions they may have that the devices they depend upon daily are inherently secure.


EMPOWER them by providing focused, interactive, multi-media computer-based training (CBT) on critically fundamental information security topics such as: "What is it?", "Why does it matter?", "What does good security look like?", "How does hacking work?" and "What should I do now?" A light, interesting, jargon-free 45-minute course, followed by a test to confirm their understanding, empowers them to act. Knowledge is the power and interest pulls the switch. Specific CBT modules are designed and available for your business's compliance with ISO 27001, DPA 2018 or PCI DSS security awareness best practice.


ENGAGE them through a consistent flow of current, relevant and fascinating information they can use in both their personal and professional lives, delivered through short videos, podcasts, webinars, infographics, tips, best practices, FAQs, chat forums, monthly bulletins and daily alerts. Feeding staff a steady diet of current examples, trends, threats and best practice will nourish and strengthen the messages they received in workshops and online training and increase the chances that they will change their behaviour. Repetition is the mother of learning and the father of action, which makes it the DNA of change.

MEASURE them by collecting key performance indicators (KPIs) at each of the previous stages through surveys, tests and quizzes, and then conducting a series of social engineering tests annually, designed to confirm whether they have assimilated the information, increased their awareness and changed their behaviour. KPIs recorded in the first year can then be used as the benchmark of the level of security awareness achieved in the business and compared against the behavioural changes recorded yearly thereafter. If you can't measure it, you can't improve it.

What are the benefits of the eRiskology™ information security awareness training program?

These combined pathways comprise the eRiskology™ way and ensure that you get in their heads. It instils and documents a tangible information security awareness cultural benchmark for your business. In addition, and uniquely, the eRiskology™ way nurtures and strengthens that culture, measuring its presence and evolution year after year after year. The benefits of this transformation will significantly increase your information security defences.

KPIs collected across the eRiskology™ program will be compiled annually and submitted to you in a detailed report. It will cite the risk-awareness level recorded for the business along with our specific recommendations for program changes required in the following year to improve results.

These reports evidence tangible results based on a consistent set of reliable KPIs, which can be integrated into your overall information security management system. eRiskology™ will not only get in their heads – it will prove it's in their heads. Other security awareness solutions don't come close to this achievement.

Get in their heads and begin to transform your business today.

Frequently Asked Questions about information security awareness

What is information security awareness training?

Information security awareness training is a formal process for educating employees on what information assets the business needs to protect (e.g. intellectual property, sensitive personal, customer or financial data); why it needs to protect them (e.g. competitive advantage, legislation, regulation or commercial requirements); and what it needs to protect them from (e.g. modification, deletion or unauthorised access). Training should specifically identify the information requiring protection; current threats, threat vectors, methodologies and threat agents; security policies and procedures; and how to report security incidents, infractions and violations.

What are the principles of information security?

The basic principles of information security are to protect the Confidentiality, Integrity and Availability of sensitive business information assets. These principles should be thoroughly explained in information security awareness training.

How do I increase information security awareness in my organisation?

The key is fourfold. First, the program must be deliberate and disruptive. The goal should be to foster and maintain "change" and always be improving security, so it must be disruptive to the organisation and deliberate, with a set of actions to foster that change. Second, it must be engaging and fun. People want to participate in a culture that is enjoyable and a challenge. Third, it must be rewarding. For people to invest their time and effort, they need to understand what they will get in return. Finally, it must produce a measurable return on investment – improved behaviours. All good programs that result in change are based on implementing and monitoring key performance indicators to measure (and enhance) the return.

Why is information security training important?

84% of all data breaches are directly attributed to employee errors. The solution to this problem couldn’t be any clearer. All the security products available to protect our systems from unauthorised access are easily circumvented by uneducated end users. Employees need to be given detailed instructions on their specific roles and responsibilities for the protection of sensitive business information. Employee information security awareness training is THE most vital component in your arsenal.

What topics should be included in my information security awareness training?

Good information security awareness training specifically identifies the business information requiring protection, current cyber security threats, methodologies and agents, along with detailed instruction on specific security policies and procedures to counter these threats and how to report security incidents, infractions and violations.