Table of Contents
01 Chapter 1 | What is Security Awareness Training?

02 Chapter 2 | Why is Security Awareness Training Important?

03 Chapter 3 | How to Create Effective Security Awareness Training

04 Chapter 4 | How to Create a Security-Aware Culture

05 Chapter 5 | The Best Way to Deliver Security Awareness Training

06 Chapter 6 | Security Awareness at Home

07 Chapter 7 | Security Topics to Cover

08 Chapter 8 | Getting Started

Chapter 1

What is Security Awareness Training?

Security Awareness Training is the most effective way to protect companies and their employees from social engineering and phishing attacks.

But what is Security Awareness Training?

Hook Security defines it as an education program that teaches employees about security and phishing while creating best practices and good habits. Let’s unpack that.

One of the biggest weaknesses in any cybersecurity system is the human factor. It doesn’t matter whether your organization is using sophisticated passwords, multiple firewalls, anti-malware programs, etc. The human factor will always be an issue in keeping your company and yourself safe. At the end of the day, the employees are the ones who are most vulnerable and need the right tools. If an employee has not been effectively trained on cybersecurity awareness, the chances are high they will compromise a company through simple mistakes, negligence, or even apathy.

Cybercriminals know this. They know that hardware is incredibly difficult to get past, but targeting a person or group gives them the best chance to attack. Methods like phishing emails exploit human vulnerabilities. When successfully used, something as simple as a phishing email can compromise an entire organization and its network. That’s bad.

Security Awareness Training aims to resolve this by directly focusing on the human factor. At Hook Security we research and craft simulated phishing attempts (what we like to call “real fake emails”) based on the latest tactics that criminals are currently using. Then, when employees fall prey to our trap, we give them a short, educational but entertaining video to train them on their mistakes.

The aim is to leave the employee not scared, but aware. Not afraid, but just a little bit paranoid about emails. Though small, the difference between those two is incredibly impactful.

The Emergence of Psychological Security

As the cyber threat landscape continues to grow, guarding our information systems becomes harder and harder. This is often because the focus, attention, and ultimately the blame are in the wrong places. We’ve started to see a need for companies to go beyond just information security, and the reason for this is right there in the name. Protecting a business’s information by simply focusing on the information itself still leaves you vulnerable, as over 90% of breaches involve social engineering. As crazy as it may sound, we have to protect our minds, our intuitions, our dependence, and our trust. Enter the idea of Psychological Security.

Psychological Security is the practice of protecting humans from being manipulated and exploited by technology. From hyper-targeted ads to phishing attacks, technology and data are used to influence us every day. This is the reason that phishing is so successful. We’ve learned to trust and depend on the technology we use, the brands we buy, and the people we know. Add the pressures of a professional environment, with bosses, deadlines, and raises, and the risk of manipulation skyrockets.

Will you fall for a Starbucks phishing email? Maybe. Will you download a mystery spreadsheet from your “boss” called “ChristmasBonuses2020.xlsx”? Definitely. This is the reason regular training is so important. To guard against phishing we have to train employees to recognize the risk and create pattern recognition over time.

Benefits of Security Awareness Training

Initiatives like cybersecurity awareness training force a company to examine its procedures, policies, and personnel. Inefficiencies and opportunities often come to light as a result of this, which may have nothing to do with security, but can still benefit a firm.

Training can help to reduce errors and help employees recognize the “bad guys’” tricks and trends.

Cybersecurity awareness training for employees can strengthen and enhance your company’s security posture.

When your employees are educated and trained, they are more compliant.

Training can keep your customer’s reputation clean and clear of mishaps.

Education and training can bolster confidence and even help morale for your customers.

Money and time can be saved for your customer by having training.

Your customer can sleep at night knowing they are actively training against the latest threats.

Building a Culture of Security Awareness

A security awareness training program can act as a team-building and collaboration exercise. Because the nature of the goal is generally not to solve a problem where finger-pointing is common, it lends itself to improving relations among employees. A common enemy (cyber threats) often unites a

Hook Security’s edutainment-based training content creates a fun, yet engaging experience for the workforce, and does not shame the employee for failing but provides a memorable training experience. We believe people shouldn’t be afraid that their job is on the line with every email they get. When companies realize the importance of security awareness training and adopt our program, they increase productivity, boost creativity, and ultimately are much safer.

Chapter 2

Why is Security Awareness Training Important?

Over 90% of cyber attacks include some sort of phishing or social engineering element. It shouldn’t be a shock that reducing the risk of phishing attacks reduces the risk of a breach.

Employees receive phishing emails every day. And while most security tools do a great job of filtering out most phishing emails, hackers are changing their tactics every day, and some phishing emails ultimately land in an employee’s inbox.

And the phishing attack is just the beginning.

Phishing is the attack vector the hacker uses to get access to a company’s system. Once an attacker has access, that’s where they do their damage. Some examples of cyber attacks include malware, ransomware, business email compromise (BEC), and

Security Awareness Training aims to resolve this by directly focusing on humans and creating habits.

It’s one thing to simply warn employees of the dangers of phishing, but if you can properly create habits and reach the primitive part of the brain that controls threat recognition and response, that’s where you really start to see a reduction in phishing email clicks.

Security Awareness Training Creates a Positive Security Culture

Security awareness training, when properly executed, contributes to your company’s security culture, and ultimately your overall company culture.

First, you should understand that culture is not something you can command, direct, or mandate. Culture is not a policy. Policy is what employees are told to do. Culture is how they actually behave. How do you influence culture?

At Hook Security we say there are four main things you can do to contribute to a healthy security

Train Everyone - Culture comes from the top down. If top-level employees aren’t being trained, or see themselves as “above training”, it completely dilutes its importance and other employees will not take security seriously.

Expect Mistakes - They are inevitable. How you react to them is everything. When you roll out security awareness training to employees, you will see people click. But that’s okay. The goal is to reduce risk. It’s virtually impossible to eliminate the risk of phishing attacks. Just be glad the phishing email they clicked on was a phishing test, and not the real thing.

Set Goals - Encourage your employees and track progress. If you’re creating a healthy, positive culture around cybersecurity, employees will want to know how they’re doing. Encourage them by letting them know when they pass or fail phishing tests.

Don’t Punish Mistakes - This is the number one pitfall of many companies trying to have a security awareness program. If you truly want to have a positive security culture, treat mistakes as an opportunity for growth. After all, would you report a phishing email if you thought you could be fired?

By offering security awareness training to your employees and following these guidelines, you will attain a positive security-aware culture that is FAR more effective than using fear, uncertainty, and doubt.

Security Awareness Training Helps with Compliance

Compliance is a nice by-product of security awareness training, but to do it successfully, you shouldn’t make compliance the reason for offering training. This approach can lead to poor performance and results.

However, more and more industries, regulators, and compliance programs are starting to require a security awareness program. Some compliance regulations that already require security awareness training include:

PCI DSS
ISO/IEC 27001 and 27002
FISMA
GDPR
Many state privacy laws

If these areas of compliance affect your company or companies you offer IT services to, you should offer security awareness training for compliance.

Security Awareness Training Helps Avoid

Similar to point number one above, security awareness training significantly reduces your risk of company downtime, for two reasons:

First, the biggest cause of downtime is when your company is hit with a cyber attack. If you are hit with something like ransomware, your files will be completely encrypted, and many business functions will be shut down completely. There are other, less obvious forms of downtime related to cyber attacks such as loss of business, PR issues, employee morale, time to fix, and more. Simply put, phishing attacks are bad for business.

Second, when you roll out something like our Psychological Security Awareness Training, the training is short, doesn’t take time out of an employee’s day, and boosts morale rather than hurting it.

How does this work?

At Hook Security, we research and craft simulated phishing attempts based on the latest tactics that criminals are currently using. We send these simulated phishing emails to employees every month. Then, when employees fall prey to our trap, we give them a short, educational but entertaining video to train them on their mistakes. The whole experience from clicking the email to receiving training is less than 5 minutes.

The traditional form of training involved hours-long training in a conference room, or long, drawn-out computer-based training. This approach kills productivity. And we like productivity.

By training your employees at the moment they clicked (we call this the point-of-infraction), they quickly learn from their mistakes, have a laugh, and move on with their day.

Your Employees Are Your Greatest Asset.

Many security providers and companies say that employees are your biggest weakness when it comes to cybersecurity, and to be honest we’ve said the same in the past.

And while there may be some truth in the statement, it does very little to accomplish our goals in security awareness.

Your tools cannot be security-aware. Your computers cannot be security-aware (well….not yet….oh god I’m so scared for the future). We have found that the number one way to create security rockstars out of your employees is to treat them like your greatest asset, not your biggest weakness.

Your employees are the number one thing keeping your company going. And yes, they are also the people clicking on phishing emails, but you should see them as an opportunity versus a threat. This will have a great impact on the effectiveness of security awareness training.

Why is it Important to Offer Security Awareness Training?

If you are an MSP, MSSP, VAR, or any kind of IT services provider, you may or may not already offer security awareness training to your customers. But should you?

Well, we may be biased but we think so. But so do other MSPs.

In Datto’s 2020 State of the MSP Report, they showed that 60% of MSPs consider security awareness training a critical service to provide for their customers, while slightly less than 60% reported they actually offer it currently.

The cold, hard truth is that if you aren’t offering security awareness training and other emerging services as part of your managed offerings, you could be in danger of losing customers. Because as company adoption of security awareness training increases, companies will look for and ultimately go with providers that offer it.

Chapter 3

How to Create Effective Security Awareness

Security Awareness Training for employees is more crucial than ever. One could even argue that security “awareness” is just the first step in a company’s security culture and that employees should be educated, motivated, and empowered to keep a company safe. In a world where the majority of cyber-attacks involve human error, employees need to know that they are the last line of defense, and that they are capable of stopping cyber attacks.

Gone are the days that your security awareness program is a box you check a few times a year. With the emergence of new compliance programs like CMMC, you’ll need to show that your security posture is maturing over time, educating employees monthly. Here are a few things you can do to run an effective security awareness

Clearly communicate the purpose of security awareness training

It’s clear that delivering security awareness training individually to employees is more effective than, say, a group presentation or conference room meeting. Plus, in this current mostly remote world, group training is near impossible. But before your employees start receiving phishing testing and taking online security awareness training courses, you need to provide some context to them for what they might see in their inbox. That isn’t to say ruin the surprise of a phishing test, but employees

1. Understand the “why” behind security awareness training and phishing testing

2. Know that this isn’t a “big brother” punitive measure, but a positive thing

Along with proper context behind the reason for security awareness training, the training itself should be relatable and should connect with the employee. It should feel as though the training was written for them, not for other security professionals, other groups, etc.

Find Security Champions Within Your

One of the best ways to grow your security culture is to have champions and supporters coming from places outside IT. It may seem frustrating at first, but employees are more

likely to take the advice seriously when it comes from their peers, not IT. Learn to use that to your advantage.

Find those whose communication skills penetrate across departments and ask them to send out notices regarding training. Additionally, enlist help from communications teams like HR to simplify your messaging in a clear, concise way. After all, getting company-wide buy-in to a cause is a human issue, not a technology one.

Phish Your Employees

There are two major keys to training success that we at Hook Security recommend - regularly identifying risk, and training the employee at the time they’re most likely to retain the information. Phishing testing accomplishes both of these.

Phishing testing allows you to send simulated phishing emails to your employees to test their ability to spot a phish in their inbox. Paired with good reporting, this allows you to identify risk in your organization and track success over time. Additionally, we provide “point of infraction” training - training at the moment they clicked on a phishing test. This gives you the ability to do two things:

Train the employee at the exact same time they’re realizing the mistake they made, making the training incredibly relatable

Train the employee quickly and efficiently, allowing them to get back to doing their job

Tracking phishing test failures against those who actually reported the suspicious email gives you a great understanding of where you’re at on your risk reduction journey. Phishing testing is an important way to show progress in a security awareness program, as the alternative phishing-related KPI to track would be in terms of things not happening (i.e. data breach, phishing attack) versus actual trackable results.

Make it Personal

We as security professionals are both experts in and passionate about cybersecurity. Your employees are neither, and this is an important point to keep in mind when training. If you assume employees will care about security by default, you’re wrong. You need to make it personal.

Here’s how to go about doing that.

When delivering security awareness training, you have to operate under the default assumption that nobody cares. This allows you to meet the employee where they are in their security journey and make them care.

Additionally, the whole security awareness program should be positioned as a positive experience. Like I mentioned earlier, help them understand the reason behind the training, and that this is not a punishment-based experience. Employees should be hesitant to click on suspicious emails not for fear of firing, but out of motivation to keep everyone secure.

Make it Engaging

To make training relatable to your employees, your security awareness training should be engaging, non-patronizing, and often humorous. You can relate to employees by comparing complex security topics to everyday situations. Reference well-known news stories of breaches and explain how they happened, or, the most effective tactic, give your employees tips for personal security.

Employees are much more likely to take security seriously when they understand how it affects their personal lives as well. Show employees how to practice good password safety, change their wifi passwords, and update software on personal devices.

Finally, one of the pillars of psychological security is to tell stories. Narrative storytelling blows a PowerPoint presentation out of the water. People don’t remember facts and tips nearly as well as they remember stories and feelings.

Get Top-Down Support

This is imperative to really any company-wide initiative, but even more important for security awareness training. Get buy-in and support from the top executives in your company. This is very important for two reasons:

If they don’t take it seriously, the rest of the company won’t either. Executives should receive phishing simulations as they are the biggest targets and often the most impersonated people in the company by hackers.

Culture is created at the top. Encourage your executives to validate your program and practice positive security behaviors. Other employees will see that security awareness is to be praised and will

Chapter 4

How to Create a Security-Aware Culture

We all know security is important. If you ask any employee of a company, they would most likely agree that keeping their company safe is important.

But how deep does that opinion go? Is it important to them? Do their subconscious actions reflect that?

When it comes to a company’s cybersecurity, we often start with tools, processes, and policies. Once we realize our people are the largest security vulnerability, we start to look toward training and security awareness. This is great! But what we often leave on the table is how to make “security awareness” actually take effect and move the company forward. We fail to tie awareness to culture and habits. For example, I’m aware that a yellow traffic light means “slow down,” but my habit is quite the opposite. I’m making that light.

Weird metaphors aside, hope is not lost for your company! While a security awareness culture is paramount to avoiding a major breach, it’s quite attainable! Here’s how:

First, you should understand that culture is not something you can command, direct, or mandate. Culture is not a policy.

Policy - What employees are told to do

Culture - How they actually behave

A cultural change happens on a subconscious level. If you can reach people’s subconscious, you can change their behavior. This is why security awareness for employees is important.

Let’s zoom out a bit.

Why are humans often the largest weakness in security? Because people aren’t hardwired to recognize threats. Even if they want to keep their company safe, everyone is vulnerable to phishing attacks, social engineering, and manipulation by technology. This is scary, and the natural tendency is to teach by exposing employees to the fear of phishing, but this approach is one of negativity.

What is Phishing?

A cyber-attack that covers ANY attempt to collect sensitive information in which the perpetrator disguises their identity. Hackers are often after:

1. Information
2. Access
3. Data
4. Cash

Why the Old Training Model Doesn’t Work Anymore

The old way of training just doesn’t cut it these days. The threat landscape moves faster than ever before, and people learn, think and act differently now because of technology.

The Old Training Model:

Covers too much at once
Takes too long
It’s disruptive
Misaligned with cognitive recognition

This takes many forms, not just the classic hour-long training in the conference room. If training is intrusive, instills fear, or tries to solve everything at once, it does not contribute to a positive security culture.

How to Instill a Positive Security Culture in Your Organization

Positivity is the number one approach we’ve discovered that contributes to culture. Scaring someone into a habit is an ounce as effective as encouraging and motivating someone to do the same.

There are four things you can do to accomplish

Train Everyone - Culture comes from the top down

Expect Mistakes - They are inevitable. How you react to them is everything

Set Goals - Encourage employees and track progress

Don’t Punish Mistakes - Would you report a phishing email if you thought you could be fired?

Now that we have the foundation of a positive security culture, how do we change the way we train?

The New Training Model: Psychological Security Training

This focus on people vs. information has led us to uncover what we think will become an entirely new vertical: Psychological Security. By pioneering this new mind shift we were able to build our training experience from the ground up with people and their brains in mind.

1-2 Key Takeaways: Rather than pack everything into one video or training experience, we focus on 1-2 things the employee can walk away fully understanding and caring about.

Train Regularly: Keep the training short. Our target length for a training video is less than two minutes, preferably 90 seconds. If you have 1 key takeaway, it should take that long to make it resonate.

Train in a Familiar Environment: Employees should be able to complete the training quickly and in their normal work environment. Training should contribute to productivity, not kill it.

Tell Stories and Use Humor: This is our bread and butter. We use “edutainment” videos to train. Before the teaching moment occurs, employees get to have a laugh, get grossed out, or get entertained. Psychologically, this opens the brain up to be receptive to the information.

This is the key to changing culture. Change

Your employees CAN be trained to avoid manipulation by technology. Not only will employees naturally keep the company safe because of pattern recognition of phishing attacks, but they’ll be excited to keep you safe because of the positivity, entertainment value, and humor that your new security-aware culture provides.

People become excited to spot and report real phishing emails.

This approach is such a monumental shift from the old way of delivering security awareness training. From the phishing testing, to the training environment, to the training material itself, we’ve departed from old ways of thinking that protect the status quo.

Chapter 5

The Best Way to Deliver Security Awareness Training

Security awareness training isn’t one size fits all. Delivering the training effectively is just as important as the training itself. Like we mentioned before, for years the training model has looked like this:

Covers too much at once
Takes too long
It’s disruptive
Misaligned with cognitive recognition

Annual Training is Not Enough

Because of most compliance standards, training is often done to check the box of an annual requirement. So traditional training is done once a year, all at once.

But spending hours in a conference room or on Zoom is not an effective way to train. Employees often check out, and frankly, it is unrealistic to expect an employee to remember everything thrown at them. And rather than internalizing a few key takeaways, they just shut off.

The way we deliver employee training is evolving, and for the better. Security Awareness Training has to be a regular occasion in order for it to be effective.

How to Deliver Security Awareness Training

Train in a Familiar Environment

Employees should be able to complete the training quickly and in their normal work environment. Training should contribute to productivity, not kill it.

Use Relevant Content

If the training content doesn’t feel like it’s “for” the user that’s watching, they are less likely to accept and retain the information. Avoid using terms and ideas that are too technical, and tread lightly with cartoons and animations. Use real-life examples and talk to the user like they’re a human being.

Train Regularly

Between phishing tests and training courses, you should interact with your users at least monthly, if not multiple times a month. Habits are formed by pattern recognition over time. If you want to train effectively, train regularly.

Dive Deep

Some of the most important security topics are the hardest to grasp, like ransomware, phishing, and other malware. Break this material down into examples and comparisons your employees will understand.

Lean on Video and Interactive Experiences

Odds are, your employees don’t want to listen to you talk for hours on end about security. Using video training and interactive content is a great way to connect with employees on their terms, and quizzes and assessments help with retention as well as tracking.

Measure and Report

In order to maximize the effectiveness of an awareness training program, it’s important to track your progress over time. You can track your program with reporting and dashboards. You can measure your employees by continuing to send phishing tests and monitoring their progress.

Chapter 6

Security Awareness at Home

The COVID-19 pandemic has changed the way that most companies work. Millions of people are working from home for the first time, and companies are struggling to adapt quickly.

Working from home brings all sorts of new work challenges: watching the kids, avoiding distractions, staying in touch with coworkers, and figuring out new technologies, just to name a few.

However, cybercriminals didn’t quit when we all went home. In fact, they upped their game. In all the hustle and bustle of figuring out how to work remotely, security has not been high on the priority list of many companies making the shift. Even for simple technology tasks like resetting passwords and troubleshooting WiFi, employees no longer have an IT person whom they can easily ask for help.

So, where does that leave us for security?

Well, not in a very good place. People’s guards are down more than ever as they struggle through remote working.

But while we can’t always be there in person for every tech issue an employee has, we can equip them with some new knowledge to navigate this time.

In addition to regular security awareness training, provide education around some of the day-to-day IT tasks the employee needs to be able to accomplish, like updating firmware and properly locking devices.

This training can come in the form of new video training, a quick Zoom call, or even a checklist the employee can follow.

As new threats evolve, continue to test your end users every month. Follow up with struggling employees, letting them know how they can protect themselves against phishing and other cyber threats.

Finally, share tips for personal security with your employees. Share tips around public wifi, credit card skimmers, their bank password, and more. When employees understand that security affects their personal lives, they are much more likely to take that information and apply it to their work lives.

Chapter 7

Security Topics to Cover

Phishing - Learn how to spot and avoid cyber attacks via email.

Ransomware - Learn the effects that ransomware and other malware can have on your company.

Malware - Learn about malicious software and how to keep it out of your system.

Removable Media - How to correctly use removable media to avoid data theft/loss.

Social Engineering - How hackers use manipulation and trickery for fraudulent purposes.

Incident Response - Learn how and when to report suspicious activity.

Mobile Security - How to keep your phones and other mobile devices safe and secure.

Physical Security - How to keep your office, desk, and other physical items secure.

Vishing & Scams - How to realize when a phone call is actually a scammer or hacker.

Passwords - Learn about what makes a strong password and how to use passwords correctly.

Safe Web Browsing - How to use the internet safely while protecting your sensitive data.

Working Remotely - Learn how working remotely introduces new risks and how to adapt to remote work safely.

Chapter 8

Getting Started

Identify Risk. Create Awareness. Secure Your

Launch, measure, and automate your phishing testing and security awareness training program with our easy-to-use platform.

Start your 14-Day Free Trial to gain access

Security Awareness Training

Equip your employees with a solid understanding of phishing, scams, malware, social engineering, physical security and more while giving them the ability to recognize and respond to cyber threats in the

Automated Phishing Testing

We create new phishing tests every month and pair them with contextual training videos that match the phishing testing for the month.

Psychological Security

Psychological Security, or PsySec, uses humor, repetition, a positive approach, and the latest research in neuroscience to train the part of the brain that houses threat recognition and response.

Reporting With Actionable Insights

We provide more reporting data than anyone else on the market, which allows you to facilitate positive security discussions between you and your employees.

Get Started for Free