Employees make breaking and entering into your network so easy for cyberattackers. They are a primary vector for threats to penetrate network defenses and compromise your environment. That's why security awareness training is critical to help prevent attackers from compromising your network.

“Employee awareness is critical to the success of any security program,” reports The PWC Global State of Information Security Survey 2014. It stated, “Because adversaries often target employees with social engineering schemes, 100% of respondents should implement an effective employee training program.”

You may have your network locked down tighter than a rocket, but if you've got employees who haven't been trained in safe cybersecurity practices, they're likely to inadvertently offer an attacker easy entrance to it.

When getting through your exceptional defenses is hard, attackers will take the easy way and go straight to your employees to get inside your network.

One of the main ways attackers enter networks is via phishing scams. That's when an attacker sends employees an email that appears to come from a legitimate business, or even someone at your own organization, and contains either a link to a website or an attachment.

When the receiver clicks on the link or attachment, malware is surreptitiously downloaded onto the computer. Employees are generally so trusting, they have become known as the primary attack vector, as it is often easier for an attacker to get past a naive employee than an organization's network defenses.

Organizations with a security awareness program were 50% less likely to have staff-related security breaches, according to the PWC Information Security Breaches Survey 2012. With proper training, employees should be able to recognize, prevent and report suspicious incidents.

Training should be ongoing and mandatory for everyone in the organization. An effective training program satisfies compliance regulations and helps ensure the organization's security. Training can be done in-house via your own security professionals or via an outside security organization that can offer a bevy of live or online participatory programs.

A thorough program incorporates onsite presentations, videos, newsletters, awareness posters and management reporting of who has and has not completed training modules. You should also include simulated phishing and spear phishing exercises, and tests to assess each employee's knowledge and understanding of security. Employees need to understand how one mistake can cause financial harm to the entire organization as well as a loss of trust from your members and community.

You also need a metrics framework to track progress and measure impact, and to demonstrate a return on your investment in the training. Refresher training should be provided to all personnel at least annually.

Security awareness also should include physical security training that teaches employees to be aware of their surroundings. You should forbid outsiders from entering the building or office suite, going near anyone's property, or touching any computer without assurance from an internal source that the person has clearance.

Employees need to know that just because someone wearing a uniform with a company name emblazoned on it requests to enter a space to repair something, that does not mean he has a legitimate reason to be on your premises.

If your awareness program consists only of online training, it should be effective for learners of all three styles — auditory, visual and tactile — and offer learners modules that feature sound, pictures and interactive components that force them to submit answers throughout the training.

Shorter training modules that run no more than 30 minutes are better than longer ones for comprehension and retention. They also allow employees to work at their own speed. Outsourcing training is especially helpful to organizations that don't have the resources to design and implement security classes.

As well as offering basic security awareness training, credit unions that issue or maintain payment cards should also offer another security awareness course tailored to PCI DSS compliance issues. All online training courses should have a one-button reporting tool to make it easy to track which employees have and have not completed the training.

Once you provide annual training, you must keep it going with support materials like emails, posters and newsletters.

Whether or not you expertly implement and manage firewalls, anti-virus and encryption, update patches regularly, and monitor continuously, your network could be breached with just one slip-up from one employee. Just as you continually patch your software, you need to continually patch your employees, and that is done with security awareness training.

Jeff Multz is director of Midmarket North America at Dell SecureWorks. He can be reached at (404) 417-4713 or [email protected].