Providing security awareness training is always a good idea in your business. The real question is how do you get started and what information should be covered? We’re giving you six things to consider for maximum impact as you implement a successful company security training program.
Start with your policies.
A good security awareness training program starts with clear policies and procedures for your staff to follow. Your security awareness training program should serve two purposes:
1) Educate your staff on the digital threats that exist and the tactics that criminals are using.
2) Reinforce the reasons behind the specific policies and procedures in place in your business.
If you don’t have security policies and procedures laid out for your business, here are some basic policies you need to consider adopting.
- Acceptable Use Policy (AUP): The AUP defines what an employee is and is not allowed to do with the technology resources provided by the company, to include internet access.
- Password Policy: The Password Policy defines the password standards for your company. Include guidelines for password length, complexity, how often passwords need to be changed, and how long you must wait before repeating a password.
- Cybersecurity Policy: A Cybersecurity Policy is an umbrella policy that can address multiple topics. It can provide guidelines for how to handle confidential data, how to protect personal/company devices, safe email practices, and procedures for remote access.
- Bring Your Own Device Policy: A Bring Your Own Device Policy defines what types of devices your employees are allowed to use to access company resources, what resources they are allowed to access, and what security measures must be in place before they can use that device.
Remember that it’s all about the people.
Your cybersecurity awareness training program should not be about simply checking a box. Your program should consist of fun and engaging topics that are relevant to your people. Not only does your content need to be informative, but it must also be easy for your people to understand and execute. The goal should be to inspire dialogue in a safe and open environment. Over time, this type of culture will encourage more conversations and help your staff take their own digital risk seriously.
Cover current and relevant topics.
Having informative material is worthless if it’s not relevant. Every four seconds, a new virus is created. Your cybersecurity awareness training program needs to be updated consistently. Your people need to be educated about the latest tactics criminals are creating to attack businesses. If you fail to regularly update your training content, you might as well skip the training altogether.
Include real-world simulations.
If you want your cybersecurity awareness training program to truly be effective, include a test. Not only should you assess your people on the material they’re learning, but you should also perform random simulated tests. In the real world, your people will be required to make decisions that determine whether the organization gets breached or not. Conducting random simulated testing will condition your staff so they have a better chance of making the right decision the next time they’re faced with a challenge.
Create a method for accurate reporting.
You need to be able to see if your cybersecurity awareness training program is closing the knowledge gap. Detailed reporting allows you to see how effective your training program is and will show you which members of your staff are having the biggest challenges. Then you can provide them with remedial training to help them better protect themselves. Good reporting will also give you the insight needed to optimize future training. By looking at past results, you’ll be able to see what is working well and what can be improved upon.
How often should you be doing security awareness training? In regulated industries, the laws vary on how frequently you should conduct training. Some require it at the time of hiring while others require it annually. At a bare minimum, every business should do security awareness training at least once per year. We recommend that training should be done on a monthly basis. Rather than doing a big training that attempts to cover every possible topic in one sitting, host monthly micro training sessions that focus on one specific topic.
Studies show that, on average, people remember ten percent of what they read and twenty percent of what they hear. This is why annual large trainings are ineffective. Your people are only retaining a small percentage of the material they’re studying in this model, and that assumes the material is easy to understand and follow. Attending monthly micro training sessions covering a single topic, employees have a much better chance of retaining the information and keeping cybersecurity top of mind.
The ultimate goal for a criminal is to get to you- “You” being your digital assets like your financials, your intellectual property, your identity, and even your employees’ identities. They just use computers to get to you. Just because you may know what to look out for doesn’t mean that everyone within your organization does. Don’t let your company become a victim by assuming everyone else is making cybersecurity a priority. Train your people on how to protect themselves so they can do a better job of protecting your business.
Need help finding a place to start when putting together a Security Awareness Training? Our specialists are happy to chat with you and identify ways we can help you keep your business safe and secure.
Want additional resources on cyber security? Check out our full resources archive.