One of the main ways attackers enter networks is via phishing scams. That's when an attacker sends employees an email that appears to come from a legitimate business, or even someone at your own organization, and contains either a link to a website or an attachment.

When the receiver clicks on the link or attachment, malware is surreptitiously downloaded onto the computer. Employees are generally so trusting, they have become known as the primary attack vector, as it is often easier for an attacker to get past a naive employee than an organization's network defenses.

Organizations with a security awareness program were 50% less likely to have staff-related security breaches, according to the PWC Information Security Breaches Survey 2012. With proper training, employees should be able to recognize, prevent and report suspicious incidents.

Next Page: Ongoing and Mandatory

Training should be ongoing and mandatory for everyone in the organization. An effective training program satisfies compliance regulations and helps ensure the organization's security. Training can be done in-house via your own security professionals or via an outside security organization that can offer a bevy of live or online participatory programs.

A thorough program incorporates onsite presentations, videos, newsletters, awareness posters and management reporting of who has and has not completed training modules. You should also include simulated phishing and spear phishing exercises, and tests to assess each employee's knowledge and understanding of security. Employees need to understand how one mistake can cause financial harm to the entire organization as well as a loss of trust from your members and community.

You also need a metrics framework to track progress and measure impact, and to demonstrate a return on your investment in the training. Refresher training should be provided to all personnel at least annually.

Security awareness also should include physical security training that teaches employees to be aware of their surroundings. You should forbid outsiders from entering into the building or office suite, or go near anyone's property, or touch any computer without being assured from an internal source that the person has clearance.

Employees need to know that just because someone wearing a uniform with a company name emblazoned on it requesting to enter a space to repair something does not mean that he has a legitimate reason to be on your premises.

If your awareness program consists only of online training, it should be effective for learners of all three styles — auditory, visual and tactile — and offer learners modules that feature sound, pictures and interactive components that force them to submit answers throughout the training.

Shorter training modules that run no more than 30 minutes are better than longer ones for comprehension and retention. They also allow employees to work at their own speed. Outsourcing training is especially helpful to organizations that don't have the resources to design and implement security classes.

As well as offering basic security awareness training, credit unions that issue or maintain payment cards should also offer another security awareness course tailored to PCI DSS compliance issues. All online training courses should have a one-button reporting tool to make it easy to track which employees have and have not completed the training.

Once you provide annual training, you must keep it going with support materials like emails, posters and newsletters.

Whether or not you expertly implement and manage firewalls, anti-virus and encryption, update patches regularly, and monitor continuously, your network could be breached with just one slip-up from one employee. Just as you continually patch your software, you need to continually patch your employees, and that is done with security awareness training.

Jeff Multz is director of Midmarket North America at Dell SecureWorks. He can be reached at (404) 417-4713 or [email protected].