Notes from the Field: CIS Control 14 – Security Awareness and Skills Training 

by Greg Halpin / February 14th, 2024

Security awareness training is something I see companies doing either very well or not at all. That is unfortunate for the companies that do little, because a little training goes a very long way. Security awareness training is an investment that more than pays for itself. The better your employees are trained to recognize potential threats and attacks, the safer your company and customer data are. The less trained they are, the more your company is exposed to attack and compromise. In this post I discuss what I see as an information security auditor working with clients regarding Center for Internet Security Control 14 – Security Awareness and Skills Training.

What is Security Awareness and Skills Training?  

CIS Control 14 – Security Awareness and Skills Training highlights the importance of making sure the members of your organization are trained in the security practices that keep your organization secure. As a reminder, the Center for Internet Security Critical Security Controls (Version 8) are 18 information security controls that every organization and information security professional should be familiar with and implement to protect their networks and data.

The Overview for Control 14 is: "Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise."

Control 14 includes 9 sub-controls or safeguards:   

14.1 Establish and Maintain a Security Awareness Program 

14.2 Train Workforce Members to Recognize Social Engineering Attacks 

14.3 Train Workforce Members on Authentication Best Practices 

14.4 Train Workforce on Data Handling Best Practices 

14.5 Train Workforce Members on Causes of Unintentional Data Exposure 

14.6 Train Workforce Members on Recognizing and Reporting Security Incidents 

14.7 Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates 

14.8 Train Workforce on Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks   

14.9 Conduct Role-Specific Awareness and Skills Training

Why is security awareness and skills training critical?  

Control 14 addresses the human security vulnerability, perhaps the biggest vulnerability of all. All of the technical, administrative, and physical controls in the world can be undermined if your employees let unauthorized people into facilities, click on links in phishing emails, open malicious attachments, or visit fraudulent websites and enter their company credentials. Any of these actions can give an attacker a foothold in your environment from which to deploy ransomware or exfiltrate company and customer data. Security awareness training does not eliminate these threats, but it makes employees far less likely to take the bait and far more likely to report it when they do, which is what gives your technical controls and your incident response team a chance to work. Let's take a look at some of the safeguards and how companies accomplish them.

Safeguard 14.1 – Establishing and Maintaining a Security Awareness Program  

Safeguard 14.1 can be met by setting up your organization on an online training platform or by using a training service bundled with your Human Resources Information System SaaS platform. As part of onboarding, new employees should be required to complete the awareness training within their first week of employment, and completion should be verified rather than assumed. Monthly training modules and simulated phishing tests are recommended to keep the information security awareness muscle strong. Annual refresher training should also be required for all employees. The paid services offer reporting that shows who has successfully completed the training. Human Resources staff should follow up with individuals who do not complete it, as they do with other types of required training.

KnowBe4 and Proofpoint are two popular services among the many training tools available. No service is perfect, so be diligent when choosing the one that is right for your organization. Some companies instead develop their own internal information security awareness training. It usually consists of a PowerPoint presentation put together by IT and IT security staff, who walk company employees through the material. Both types of training cover the basics: not sharing account passwords, using multi-factor authentication wherever possible, not opening attachments or clicking links from unfamiliar senders, not submitting credentials or financial information to bogus websites, recognizing social engineering attempts, and so on. Quizzes are often used to test participants' knowledge.

Safeguard 14.5 – Train Workforce Members on Causes of Unintentional Data Exposure  

Safeguard 14.5 is critical for protecting company and customer data, and for protecting companies from the legal and financial liability that follows an exposure. Well-trained employees know not to share sensitive data with people who have no need or right to see it. They are also taught how to share information properly with those who do.

The data leaks my clients have experienced are often due to lack of knowledge. Scenarios include an employee accidentally sending a patient or client the data of a different patient or client. For healthcare companies subject to HIPAA requirements, such a mistake can result in expensive fines. There have also been cases where companies I've worked with had processes in place to share customer data with partners after anonymizing it to protect the identities of customers. On occasion the automated anonymization process failed, but the data was shared anyway, because nothing checked the output before it went out the door. A release step that verifies the anonymized file actually contains no identifiers, and a person trained to expect and act on that check, would have prevented every one of those incidents. There are many other ways data is unintentionally exposed. In all cases, proper training is the baseline for protecting the data and the company.
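The anonymization failure described above is a process gap, but the verification step that closes it is easy to automate. The following is an added example, not code from the original post or from any client: a pre-release gate that scans an "anonymized" export for residual direct identifiers and refuses to release it if any remain. The field names, the token format, the identifier patterns, and the sample rows are all assumptions made for this illustration.

```python
"""Pre-release gate for an anonymized data export (added example).

Assumptions for this illustration: the anonymizer is supposed to replace
the columns in TOKENIZED_FIELDS with a token of the form ANON-xxxxxxxx,
and no email address, US SSN or US phone number may survive in any column.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Direct identifiers that must never survive anonymization. (Assumed set;
# extend it to the data classes your own export actually carries.)
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "us_ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "us_phone": re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
}

# Columns the anonymizer is expected to have tokenized. Anything in these
# columns that is not a token is a failure even if no pattern matches it.
TOKENIZED_FIELDS = {"patient_id", "name"}
TOKEN_RE = re.compile(r"^ANON-[0-9a-f]{8}$")


def find_residual_pii(rows: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per (row, field) that still carries an identifier."""
    findings: List[Dict[str, object]] = []
    for idx, row in enumerate(rows):
        for field, raw in row.items():
            value = str(raw)
            if field in TOKENIZED_FIELDS and not TOKEN_RE.match(value):
                findings.append({"row": idx, "field": field, "reason": "untokenized"})
                continue
            for label, pattern in PII_PATTERNS.items():
                if pattern.search(value):
                    findings.append({"row": idx, "field": field, "reason": label})
    return findings


def release_gate(rows: Iterable[Dict[str, str]]) -> Tuple[bool, List[Dict[str, object]]]:
    """Return (ok, findings); ok is True only when the export is clean."""
    findings = find_residual_pii(list(rows))
    return (len(findings) == 0, findings)


# Constructed sample export: the anonymizer handled the first row, but, as in
# the failure described in the post, the second row passed through untouched.
SAMPLE_EXPORT = [
    {"patient_id": "ANON-3f9a1c2e", "name": "ANON-7b22d0aa",
     "visit_reason": "annual checkup", "contact": "redacted"},
    {"patient_id": "MRN-000482", "name": "Jane Example",
     "visit_reason": "follow-up",
     "contact": "jane.example@example.com, 555-867-5309"},
]

if __name__ == "__main__":
    ok, findings = release_gate(SAMPLE_EXPORT)
    for f in findings:
        print(f"row {f['row']} field {f['field']}: {f['reason']}")
    print("RELEASE" if ok else "BLOCKED")
```

Run against the constructed sample, the gate blocks the release and reports the untokenized identifier columns plus the email address and phone number in the free-text contact field. The point of the two-layer check is that pattern matching alone would miss the medical record number and the bare name, while the token check alone would miss identifiers that leak through columns nobody thought to tokenize; an employee trained to expect a BLOCKED result to stop the hand-off, and to report it, is what turns the script into a control.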

Safeguard 14.6 – Train Workforce Members on Recognizing and Reporting Security Incidents  

Safeguard 14.6 is critical because properly trained people know what to do when an incident occurs: they report it to the people who can take action and contain it. Untrained people are often afraid to report an incident because they think they will get in trouble for having done something wrong, so they do nothing, and a containable incident goes uncontained and causes far more damage. Training should therefore make two things explicit: exactly how and to whom an incident is reported, and that reporting a mistake promptly, such as a clicked phishing link, is expected and welcomed rather than punished.

Safeguard 14.9 – Conduct Role-Specific Awareness and Skills Training  

Safeguard 14.9 is often overlooked, even in companies that have basic security awareness training. Software developers should receive annual training on secure coding practices so they stay current on common vulnerability classes and the techniques for avoiding them. IT and IT security staff should receive annual training on incident response and on securing the technologies they support. Staff in other roles, such as senior executives and finance, should receive more advanced training targeted at the attacks they face, particularly fraudulent text messages and phishing emails that attempt to get money wired to an attacker-controlled account.

Work with KirkpatrickPrice to Help Implement Security Awareness Training in Your Organization

Whether you choose an online training platform or offer in-house training, your organization must provide its employees with security awareness training. It is one of the most cost-effective methods for protecting company and customer data. Even with the Center for Internet Security Controls as a guide, the process can still feel overwhelming. If you aren't sure where to start on your security awareness training journey, or would like help improving your existing training, connect with one of our experts today.

About the Author

Greg Halpin

Greg Halpin has 25 years of experience in information technology and security. He has a Master's in Information Sciences – Cybersecurity and Information Assurance from Penn State University, and he has earned the CISSP, CISA, and CCSP certifications. He has experience and additional certifications in Amazon Web Services, Azure Cloud Services, Linux and Windows systems administration, vulnerability scanning, intrusion detection/prevention, and project management. He enjoys working with people and organizations to help them secure their networks and systems.