How to Build an Effective Security Training and Awareness Program
In a time when security is everyone’s business, corporate training programs have a lot of potential to make a huge impact. Our security team shared what they think works best when educating an employee population on being cyberaware.
Don’t Be the Broken Record
Simply repeating yourself isn’t always going to drive the message home, and certainly isn’t engaging when it comes to common cyberattacks that any employee might face.
Take phishing, for example. It’s one of the most common attacks against employees. One report found that 76% of organizations experienced phishing attacks in 2017, and training employees on what a phishing attempt looks like bears repeating.
However, how you engage your employees in their training is critical, which means not being too repetitive with your training exercises. Going back to the example of phishing, trying to trap your employees with too many mock phishing attempts can backfire and cause fatigue.
Evangelizing Long-Term Value
Setting up employees to be situationally aware at all times is foundational to building a culture of security. That starts with the culture. Are you making the intrinsic value of security awareness clear? Think of it like volunteering for a good cause to get recognition, versus doing so to make the world a better place. In your security awareness program, are you motivating your employees with compelling reasons that go beyond passing audits and preventing a breach? Enterprise programs should be evangelizing how their participation and education has a direct and long-term impact on themselves and the organization.
Empowering employees with the knowledge and tools to help prevent and recognize cyberattacks is a given, but are you also training them on what to do and who to ask when they think they’ve been a victim of a cyberattack? Do they know what the security team is doing to keep malicious actors out of the enterprise and why certain policies are in place? When people feel like they are an active part of the process, they will be more invested than if they are being told to do something without context.
The fact remains that the biggest attack surface for today’s organizations is their users. While this makes an awareness program incredibly effective for reducing risk both individually and collectively, it takes a deep-rooted approach to truly make it stick.
What are you doing in your security program to make your employees cyberaware?