The CIS Controls require organizations to implement a security awareness training program as part of Control 14. Curricula’s fun security awareness training platform helps your organization get compliant with CIS Controls and stay secure.
CIS Security Controls are a framework designed to help protect organizations implement the most essential components of a basic cyber security program. Security awareness training has been recognized as one of the most basic controls to protect organizations of all sizes.
These CIS Controls change the discussion from “What should my organization do?” to “What should we ALL be doing?” to improve security across every organization.
Security leaders recognize that implementing a security awareness training program isn’t just about being compliant, it’s about keeping employees secure. Curricula’s turnkey security awareness training platform helps organization meet CIS Control 14 by staying compliant and automating employee engagement.
Implementing a security awareness training program is recognized as one of the most effective cyber security investments an organization can make.
CIS Control 14: Security Awareness Training Program
As stated from the CIS Controls:
“Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.”
The actions of people play a critical part in the success or failure of an enterprise’s security program. It is easier for an attacker to entice a user to click a link or open an email attachment to install malware in order to get into an enterprise, than to find a network exploit to do it directly.
Users themselves, both intentionally and unintentionally, can cause incidents as a result of mishandling sensitive data, sending an email with sensitive data to the wrong recipient, losing a portable end-user device, using weak passwords, or using the same password they use on public sites.
No security program can effectively address cyber risk without a means to address this fundamental human vulnerability. Users at every level of the enterprise have different risks. For example: executives manage more sensitive data; system administrators have the ability to control access to systems and applications; and users in finance, human resources, and contracts all have access to different types of sensitive data that can make them targets.
The training should be updated regularly. This will increase the culture of security and discourage risky workarounds.
An effective security awareness training program should not just be a canned, once- a-year training video coupled with regular phishing testing. While annual training is needed, there should also be more frequent, topical messages and notifications about security. This might include messages about: strong password-use that coincides with a media report of password dump, the rise of phishing during tax time, or increased awareness of malicious package delivery emails during the holidays.
Training should also consider the enterprise’s different regulatory and threat posture. Financial firms might have more compliance-related training on data handling and use, healthcare enterprises on handling healthcare data, and merchants for credit card data.
Social engineering training, such as phishing tests, should also include awareness of tactics that target different roles. For example, the financial team will receive BEC attempts posing as executives asking to wire money, or receive emails from compromised partners or vendors asking to change the bank account information for their next payment.
CIS Control 14: Security Awareness Training Requirements
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
14.1: Perform a Skills Gap Analysis
Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
14.2: Deliver Training to Fill the Skills Gap
Deliver training to address the skills gap identified to positively impact workforce members’ security behavior.
14.3: Implement a Security Awareness Program
Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization’s security awareness program should be communicated in a continuous and engaging manner.
14.4: Update Awareness Content Frequently
Ensure that the organization’s security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements
14.5: Train Workforce on Secure Authentication
Train workforce members on the importance of enabling and utilizing secure authentication.
14.6: Train Workforce on Identifying Social Engineering Attacks
Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
14.7: Train Workforce on Sensitive Data Handling
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
14.8: Train Workforce on Causes of Unintentional Data Exposure
Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
14.9: Train Workforce Members on Identifying and Reporting Incidents
Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.
Ready to implement a security awareness training program with Curricula to help you meet the CIS Controls? Get started with your free account.
