Mandatory vs. Elective Security Awareness Training



I frequently get variations of the following question: "I met with the CISO yesterday to discuss Awareness Training. He asked if KnowBe4's CEO would comment on the value of mandatory awareness training vs non-mandatory training.  Ideally this would include some metrics relevant to our industry that would back this up.  His plan is to share this with the COO to help move this project forward."

There is quite a bit to say about this. Let me see if I can keep this as concise as possible.

First of all, after the initial baseline test—which almost always shows dismal results— ideally all employees should have been made part of the awareness training project and be motivated enough to do the training because they now understand the importance and want to stay safe on the internet, in the office and at the house.

Granted, that is the ideal scenario. This often does not work in larger organizations and publicly funded, unionized shops and academic institutions because this could be seen as a change in working conditions and must be bargained.

However, here are five very good reasons why security awareness training should be mandatory if there are any problems at all with employees declining to do the training.

  1. Compliance with regulation. If your organization accepts credit cards, you need to comply with PCI and you could use this as the reason this simply has to be done. There are many other regulations that require the same thing like HIPAA for healthcare and literally dozens of others. Here is a whitepaper about compliance management that explains more. (PDF)
  2. Preventing class-action lawsuits. As the cost per cybercrime victim continues to rise, any organization without security training is vulnerable to data breaches and, as a result, future class-action lawsuits. You simply are legally required to scale security measures to reflect the threat and take necessary measures to prevent phishing attacks. Here is a whitepaper with the details.
  3. Effectiveness. If you put a firewall in place, you close all ports by default, and only open the ones your applications need to function. The same is true for a human firewall. You do not let the ports decide by themselves if they are open or not. Anything else is an exercise in futility. All employees need the training.
  4. Hard Numbers. January 2018, we decided to redo our initial April 2013 analysis of average Phish-prone percentages and this time also break them out by industry and size. Now having a massive database to analyze, the new research uncovered some surprising results. The overall industry initial Phish-prone percentage benchmark turned out to be a troubling 27%. Fortunately, the data showed that this 27% can be brought down more than half to just 13% in only 90 days if ALL EMPLOYEES are stepped through awareness training. The 365-day results show that by following best practices, the final Phish-prone percentage can be minimized to 2.17% on average. See the full webinar.
  5. Defense-in-Depth: A layered security infrastructure is absolutely essential to protect against the growing variety of threats that your organization faces. Technology-based solutions are critical to protect you from phishing, spear phishing, account takeover attempts, ransomware, data breaches and the like. However, a robust security awareness training program is also essential to provide a backstop for situations in which malicious content makes its way through all the filters. New-school security awareness training enables all users to make smarter security decisions and become that extra, last line of defense. Here is a whitepaper with best practices for implementing security awareness training.

I hope this helps, if you want to see me personally explain this, check out this new video

Let's stay safe out there.

Warm regards,
Stu Sjouwerman
Founder and CEO,
KnowBe4, Inc


Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews