Security Awareness Training for employees is more crucial than ever. One could even argue that security “awareness” is just the first step in a company’s security culture, and that employees should be educated, motivated, and empowered to keep a company safe. In a world where the majority of cyber-attacks involve human error, employees need to know that they are the last line of defense, and that they are capable of stopping cyber-attacks.
Gone are the days when your security awareness program was a box you checked a few times a year. With the emergence of new compliance programs like CMMC, you’ll need to show that your security posture is maturing over time, educating employees monthly. Here are a few things you can do to run an effective security awareness training program.
Clearly communicate the purpose of security awareness training
It’s clear that delivering security awareness training individually to employees is more effective than, say, a group presentation or conference room meeting. Plus, in this current mostly remote world, group training is near impossible. But before your employees start receiving phishing tests and taking online security awareness training courses, you need to give them some context for what they might see in their inbox. That isn’t to say you should ruin the surprise of a phishing test, but employees should:
- Understand the “why” behind security awareness training and phishing testing
- Know that this isn’t a “big brother” punitive measure, but a positive thing
Along with proper context behind the reason for security awareness training, the training itself should be relatable and should connect with the employee. It should feel as though the training was written for them, not other security professionals, other groups, etc.
Find Security Champions Within Your Organization
One of the best ways to grow your security culture is to have champions and supporters coming from places outside IT. It may seem frustrating at first, but employees are more likely to take advice seriously when it comes from their peers, not IT. Learn to use that to your advantage.
Find those whose communication skills reach across departments and ask them to send out notices regarding training. Additionally, enlist help from communications teams like HR to make your messaging clear and concise. After all, getting company-wide buy-in to a cause is a human issue, not a technology one.
Phish Your Employees
There are two major keys to training success that we at Hook Security recommend: regularly identifying risk, and training the employee at the time they’re most likely to retain the information. Phishing testing accomplishes both of these.
Phishing testing allows you to send simulated phishing emails to your employees to test their ability to spot a phish in their inbox. Paired with good reporting, this allows you to identify risk in your organization and track success over time.
Additionally, we provide “point of infraction” training: training delivered at the moment the employee clicks on a phishing test. This gives you the ability to do two things:
- Train the employee at the exact same time they’re realizing the mistake they made, making the training incredibly relatable
- Train the employee quickly and efficiently, allowing them to get back to doing their job
Tracking phishing test failures against those who actually reported the suspicious email gives you a great understanding of where you’re at on your risk reduction journey.
Phishing testing is an important way to show progress in a security awareness program, because the alternative phishing-related KPIs would be measured in terms of things not happening (e.g., a data breach or phishing attack) rather than actual trackable results.
Make it Personal
We as security professionals are both expert in and passionate about cybersecurity. Your employees are neither, and this is an important point to keep in mind when training. If you assume employees will care about security by default, you’re wrong. You need to make it personal.
Here’s how to go about doing that.
When delivering security awareness training, you have to operate under the default assumption that nobody cares. This allows you to meet the employee where they are in their security journey and make them care.
Additionally, the whole security awareness program should be positioned as a positive experience. As I mentioned earlier, help them understand the reason behind the training, and that this is not a punishment-based experience. Employees should be hesitant to click on suspicious emails not out of fear of being fired, but out of motivation to keep everyone secure.
Make it Relatable
If you've ever seen poorly done security awareness training at your company before, you know how uninspiring it can be if the training doesn't relate to the audience. It usually goes like this: You give some background on cyber-crime, tell them why training and awareness are important, give a few examples of big-name companies that have been breached in some way or another, but always conclude with something along the lines of “And we won’t let that happen to us! Now take this training.”
It doesn’t work. Employees remember nothing after these presentations (researchers have proven this) and frequently fall victim to phishing tests and other cyber-attacks. This is because the training they receive usually feels as though it was written for someone else, like a patient opening a pamphlet on how to detect certain types of cancer. Employees need to feel that security awareness training is “for them,” and not just a way for you to check a box so your compliance manager is happy.
To do this, take the same security awareness training material and craft it into scenarios that employees can relate to. For example, instead of talking about different types of cyber-attacks in the context of companies being breached left and right, talk about them in the context of a friend who has fallen victim to malware. Make it feel more like you are talking to employees individually than trying to address an entire company all at once.
Make it Engaging
To make training relatable to your employees, your security awareness training should be engaging, non-patronizing, and often humorous. You can relate to employees by comparing complex security topics to everyday situations. Reference well-known news stories of breaches and explain how they happened, or, the most effective tactic, give your employees tips for personal security.
Employees are much more likely to take security seriously when they understand how it affects their personal lives as well. Show employees how to practice good password safety, change their wifi passwords, and update software on personal devices.
Finally, one of the pillars of psychological security is to tell stories. Narrative storytelling blows a PowerPoint presentation out of the water. People don’t remember facts and tips nearly as well as they remember stories and feelings.
Employees should always be encouraged to ask questions, which is another reason good security awareness training includes humor. The training is much more likely to stick if you actually make it fun and engaging for employees.
Get Top-Down Support
This is imperative for really any company-wide initiative, but even more important for a security awareness training program. Get buy-in and support from the top executives in your company. This is very important for two reasons:
- If they don’t take it seriously, the rest of the company won’t either.
- Executives should receive phishing simulations, as they are the biggest targets and often the people in the company most impersonated by hackers.
Culture is created at the top. Encourage your executives to validate your program and practice positive security behaviors. Other employees will see that security awareness is to be praised and will follow.
Provide feedback loops and rewards.
It’s also important that you provide something back to employees for completing training, whether it be points, badges, certificates of completion (which they can print out and put on their office doors to show visitors), or something else. This “something else” could be teaching the same training again in the future, but with a different presentation that makes it feel new and interesting.
Make it easy for your employees to take training when and where they want to.
Whether a company takes a formal or informal approach, there should be an element of user-friendliness within the security awareness program so that employees aren’t waiting forever and a day for new training or tests to come out. Security awareness programs should be engaging and fun for the employees, almost like a game. To this end, it should be easy enough that an employee can complete training at their convenience, whether that means completing the same training document in multiple sittings (e.g., on their work computer one day, then on their laptop another), or simply taking follow-up tests on their lunch break.
Socialize security awareness within the company culture.
Employees are more likely to participate in security awareness training if they see other high-level employees taking part in it, too. This is why you should be promoting it throughout all levels of the company, from the Chief Information Officer and CISO to directors, managers, and even the C-suite.
Give employees the chance to provide feedback.
Last but not least, asking your employees for feedback on how you are executing (or could execute) your security awareness training program is key to ensuring its success. They’ll be able to provide valuable insight and recommendations that any other employee would struggle with, because they actually know what it’s like to take the training and be on the receiving end of a phishing email.
Measure What Matters
Not only does your security awareness program need to be engaging (and in a way that employees don’t see it as a one-off chore they have to do), but you should also track and measure how effective it is with employees. This is where a dedicated security awareness training platform will come in handy, allowing you to see the number of employees that fell for various “tests” and what links they clicked on. This way, you can test everything from headline copy to body content of your security awareness training program.
One surefire way to know if your security awareness program is successful is by tracking your training completion rate and seeing how many employees are scoring high enough to show that they understand what you’re teaching. This way, you can determine if the content of your training is staying relevant and fresh.
Security awareness programs have evolved with the times; today, they aren’t a box that gets checked every now and then, but rather an ongoing platform that you can use to keep track of employees’ understanding of cybersecurity principles. Use these tips as a guide for creating your own security awareness program; it all starts with the first step!