Security awareness training for employees is more crucial than ever. One could even argue that security “awareness” is just the first step in a company’s security culture, and that employees should be educated, motivated, and empowered to keep the company safe. In a world where the majority of cyber attacks involve human error, employees need to know that they are the last line of defense, and that they are capable of stopping those attacks.
Gone are the days when your security awareness program was a box you checked a few times a year. With the emergence of new compliance programs like CMMC, you’ll need to show that your security posture is maturing over time, which means educating employees continuously (monthly, not annually). Here are a few things you can do to run an effective security awareness program.
Clearly communicate the purpose of security awareness training
Delivering security awareness training to employees individually is more effective than, say, a group presentation or a conference room meeting. Plus, in today’s mostly remote world, group training is nearly impossible. But before your employees start receiving phishing tests and taking online security awareness courses, you need to give them some context for what they might see in their inbox. That doesn’t mean spoiling the surprise of a phishing test, but employees should:
- Understand the “why” behind security awareness training and phishing testing
- Know that this isn’t a “big brother” punitive measure, but a positive thing
Along with proper context for why security awareness training exists, the training itself should be relatable and should connect with the employee. It should feel as though it was written for them, not for security professionals or for some other group.
Find Security Champions Within Your Organization
One of the best ways to grow your security culture is to have champions and supporters coming from outside IT. It may seem frustrating at first, but employees are more likely to take advice seriously when it comes from their peers rather than from IT. Learn to use that to your advantage.
Find the people whose communication carries across departments and ask them to send out notices about training. Additionally, enlist help from HR or internal communications to simplify your messaging into something clear and concise. After all, getting company-wide buy-in for a cause is a human problem, not a technology one.
Phish Your Employees
There are two major keys to training success that we at Hook Security recommend: regularly identifying risk, and training employees at the moment they are most likely to retain the information. Phishing testing accomplishes both.
Phishing testing lets you send simulated phishing emails to your employees to test their ability to spot a phish in their inbox. Paired with good reporting, it lets you identify risk in your organization and track success over time.
Additionally, we provide “point of infraction” training: training delivered at the moment an employee clicks on a phishing test. This lets you do two things:
- Train the employee at the exact same time they’re realizing the mistake they made, making the training incredibly relatable
- Train the employee quickly and efficiently, allowing them to get back to doing their job
Tracking phishing test failures (clicks) against the number of employees who actually reported the suspicious email tells you where you are on your risk reduction journey: over time the click rate should fall while the report rate rises.
Phishing testing is also an important way to show progress in a security awareness program, because the only alternative phishing-related KPI is the absence of incidents (no data breach, no successful phishing attack), which cannot be tracked or trended the way test results can.
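As an added illustration of the metrics described above (this is example code written for this page, not Hook Security’s reporting tooling), the script below takes a constructed log of simulated-phishing events, one row per recipient action, and computes per-campaign click rate and report rate, the number of people who clicked and then reported, the repeat clickers across campaigns, and the trend from the first campaign to the last. The event format, campaign names and user names are all assumptions made for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not real results): (campaign, user, action).
# Every recipient gets a "sent" row; "clicked" and "reported" rows are
# recorded as the user acts on the simulated phish.
SAMPLE_EVENTS = [
    ("2024-Q1", "alice", "sent"),
    ("2024-Q1", "alice", "clicked"),
    ("2024-Q1", "bob", "sent"),
    ("2024-Q1", "bob", "reported"),
    ("2024-Q1", "carol", "sent"),
    ("2024-Q1", "carol", "clicked"),
    ("2024-Q1", "carol", "reported"),   # clicked first, then reported
    ("2024-Q1", "dave", "sent"),        # ignored the email entirely
    ("2024-Q2", "alice", "sent"),
    ("2024-Q2", "alice", "clicked"),    # repeat clicker
    ("2024-Q2", "bob", "sent"),
    ("2024-Q2", "bob", "reported"),
    ("2024-Q2", "carol", "sent"),
    ("2024-Q2", "carol", "reported"),   # improved after point-of-infraction training
    ("2024-Q2", "dave", "sent"),
    ("2024-Q2", "dave", "reported"),
]


@dataclass(frozen=True)
class CampaignMetrics:
    sent: int
    clicked: int
    reported: int
    clicked_and_reported: int  # clicked the link but still raised the alarm

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent if self.sent else 0.0


def _actions_by_user(events) -> dict[tuple[str, str], set[str]]:
    """Collapse the event rows into (campaign, user) -> set of actions."""
    actions: dict[tuple[str, str], set[str]] = defaultdict(set)
    for campaign, user, action in events:
        actions[(campaign, user)].add(action)
    return actions


def campaign_metrics(events) -> dict[str, CampaignMetrics]:
    """Per-campaign counts, keyed by campaign name in sorted order."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0, "both": 0})
    for (campaign, _user), acts in _actions_by_user(events).items():
        if "sent" not in acts:
            continue  # a click/report with no delivery record is a data error; skip it
        c = counts[campaign]
        clicked, reported = "clicked" in acts, "reported" in acts
        c["sent"] += 1
        c["clicked"] += int(clicked)
        c["reported"] += int(reported)
        c["both"] += int(clicked and reported)
    return {
        name: CampaignMetrics(v["sent"], v["clicked"], v["reported"], v["both"])
        for name, v in sorted(counts.items())
    }


def repeat_clickers(events, min_campaigns: int = 2) -> list[str]:
    """Users who clicked in at least min_campaigns distinct campaigns."""
    clicks: dict[str, set[str]] = defaultdict(set)
    for (campaign, user), acts in _actions_by_user(events).items():
        if "clicked" in acts:
            clicks[user].add(campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_campaigns)


def trend(metrics: dict[str, CampaignMetrics]) -> tuple[float, float]:
    """(change in click rate, change in report rate) from first to last campaign."""
    names = list(metrics)
    first, last = metrics[names[0]], metrics[names[-1]]
    return (last.click_rate - first.click_rate, last.report_rate - first.report_rate)


if __name__ == "__main__":
    results = campaign_metrics(SAMPLE_EVENTS)
    for name, m in results.items():
        print(f"{name}: sent={m.sent} click_rate={m.click_rate:.0%} "
              f"report_rate={m.report_rate:.0%} clicked_then_reported={m.clicked_and_reported}")
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
    print("trend (click, report):", trend(results))
```

In the constructed data the click rate drops from 50% to 25% while the report rate rises from 50% to 75%, which is the shape you want the chart to have. Note that a user who clicks and then reports (carol in Q1) counts in both columns; the report is still the behaviour you want to reinforce, and the repeat-clicker list is the one that identifies who needs another round of training.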
Make it Personal
We as security professionals are both experts in and passionate about cybersecurity. Your employees are neither, and that is an important point to keep in mind when training. If you assume employees will care about security by default, you’re wrong. You need to make it personal.
Here’s how to go about doing that.
When delivering security awareness training, operate under the default assumption that nobody cares. That lets you meet employees where they are in their security journey and give them a reason to care.
Additionally, the whole security awareness program should be positioned as a positive experience. As mentioned earlier, help employees understand the reason behind the training, and make clear that it is not a punishment-based exercise. Employees should hesitate to click on suspicious emails not out of fear of being fired, but because they want to keep everyone secure.
Make it Engaging
To make training relatable to your employees, your security awareness training should be engaging, non-patronizing, and often humorous. You can relate to employees by comparing complex security topics to everyday situations. Reference well-known news stories about breaches and explain how they happened, or, the most effective tactic of all, give your employees tips for their personal security.
Employees are much more likely to take security seriously when they understand how it affects their personal lives as well. Show employees how to practice good password hygiene, change their home Wi-Fi passwords, and keep the software on their personal devices updated.
Finally, one of the pillars of psychological security is storytelling. Narrative storytelling blows a PowerPoint presentation out of the water: people don’t remember facts and tips nearly as well as they remember stories and feelings.
Get Top-Down Support
Top-down support is imperative for almost any company-wide initiative, and even more so for security awareness training. Get buy-in and support from the top executives in your company, for two reasons:
- If they don’t take it seriously, the rest of the company won’t either.
- Executives should receive phishing simulations too, not be exempted from them: they are the biggest targets and the people most often impersonated by attackers.
Culture is created at the top. Encourage your executives to visibly endorse your program and to practice positive security behaviors themselves. Other employees will see that security awareness is something to be praised, and will follow.