There is more to implementing a successful cybersecurity training program than tasking IT with the job or running a quick Internet search for an outside vendor.
In an era when a single employee's error can lead to a disastrous cyberattack, organizations need a basic understanding of how to implement an awareness program that reaches all employees, is delivered at the right pace by well-informed instructors, and is helpful and informative rather than irritating.
When building a program, the first thing to remember is that a person is more likely to absorb a lesson if it relates directly to their everyday activities. So, give employees content specific to their roles and responsibilities at the company, keep it relevant, and personalize it to the extent possible.
Attack vectors vary, so staffers should be exposed to a wide range of potential threats and learn how to protect themselves, both at work and at home. This exposure should begin during onboarding and continue with regular refresher training. It is also a good idea to schedule sessions around popular cybersecurity events, such as Safer Internet Day or Cybersecurity Awareness Month.
The organization must make an extra effort in designing these courses. Be creative, engaging, and collaborative. We have all gone comatose during a poorly prepared, long-winded PowerPoint presentation, so whenever humanly possible, avoid running employees through a slide deck. If a slide deck is unavoidable, adding interactive elements helps. Storytelling and gamification are strategies worth incorporating when creating an awareness program.
The sponsors of the security program (typically senior leadership) want to see that their investment in a particular program is worthwhile and effective, so meaningful metrics must be developed to measure the success of the cybersecurity training and to identify what improvements future content needs.
Finally, the program depends on visible support from the senior leadership team for cybersecurity awareness and training.
Top management support is essential because it shows that the program is endorsed at the highest level: it sets the tone from the top and demonstrates that top management is actively involved.
In addition, employees model behavior exhibited by their leaders. If those in charge approach security with a laissez-faire attitude, that is the effort they will receive from their staffers.
Creating a homegrown security awareness program is certainly possible instead of hiring an outside vendor, although there is a time and place for each approach.
In some cases, it’s simply a matter of whether or not an organization has the budget and resources to create a program or if an outside cybersecurity training firm would be more cost-effective.
Also, to create a program organically, an organization should answer the following questions:
If an in-house team is not feasible for budgetary or personnel reasons, it makes perfect sense to look outward. However, questions must again be asked and answered.
For example, would the contract be a one-off engagement or run for an extended period? Do you need the vendor to supply a complete program, or could a limited contract be created that has the contractor providing a different flavor to the in-house program? Does the vendor have the ability to provide real-life examples and relatable ‘threat intelligence’ to help teach employees the value of cybersecurity?
Cybersecurity training, like all training, must walk the thin line between being offered often enough for the instruction to sink in and be reinforced, and being repeated to the point where students simply want to check off the required boxes and get on with their day.
A staffer’s first exposure to an organization’s training program should occur within a month at most of that person joining the organization.
Trainers should hold refresher general security awareness training at least annually. Practice phishing campaigns should take place at least quarterly and, realistically, should be automated as much as possible.
Additionally, the organization should supply staffers with topical security awareness material at least quarterly. One possible consequence of bombarding a person with training material and classes is cognitive overload, so stagger training throughout the quarter and deliver it in 10- to 15-minute modules.
We’ve seen several ways organizations incentivize their programs, including honorable mentions by top executives, naming security champions of the month, recognition for successfully reporting a phishing campaign and thank you notes.
Tangible rewards can also be incorporated, such as corporate-branded candy, t-shirts, mousepads, stickers, notebooks, etc.
Supervisors should never mete out punishment for failing a test or module of an awareness program. Doing so drives avoidance behavior and results in less engagement with the security team. Additionally, if punishment is a possible result of taking security training, employees may look for shortcuts to avoid making the wrong choice instead of learning from a genuine mistake or a gap in knowledge.
These are all understandable but highly undesirable outcomes. The goal is for employees to learn what to do if faced with a real issue, not to hide what has happened.
Providing comprehensive training in an entertaining format covering the threat vectors within your business will make a big difference in your battle against digital adversaries. A mix of good monitoring, adequate threat detection, and user awareness is a recipe for success in today’s cyber threat climate.