Security Awareness Training – not a checkbox

Feb 18, 2021 | CMMC, Blog, Compliance, Security Awareness Training

While I’ve written about security awareness training in the past, I’m revisiting it today because it never gets old. Training isn’t something you do once to check off a box; it’s something you do… continually. With cyber attackers constantly refining their techniques, security awareness training has to be an ongoing process.

As a matter of fact, the Cybersecurity Maturity Model Certification (CMMC) has an entire domain devoted to Awareness & Training with five controls. For CMMC Levels 1 – 3, we’re only concerned with three of them.

AT.2.056
“Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.”

This control covers essentially every person in a company (“users of organizational systems”), and it requires that they undergo training so they understand that their actions can affect their organization’s security.

AT.3.058
“Provide security awareness training on recognizing and reporting potential indicators of insider threat.”

This particular control is fairly self-explanatory. A good security awareness training program will educate your employees on how to spot potential security threats, as well as what to do if they inadvertently take an action they shouldn’t.

AT.2.057
“Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.”

This control mandates that staff understand their security-related roles and responsibilities and are trained to carry them out. Each security management role has responsibilities for handling threats from physical attacks, human error, structural failure, and natural sources. These roles need to be defined, specific, and practiced in order to limit confusion in the event of a security incident.

Now, while CMMC requires that government contractors be compliant in these areas, this is exactly where security awareness training shouldn’t just be a box your organization checks off. Cyber attacks happen every day, and their cost is predicted to exceed $6 trillion by this year. Additionally, it is estimated that a business suffers a ransomware attack every 40 seconds.

THAT is why you want – and need – a security awareness training program: the human component can be the most vulnerable.