by Andrea Lee Taylor
When the training of employees becomes your next step in securing the organization against human risk, where do you begin? We've chosen to partner with Wombat because of a storied history of helping with just that. Take a look at a few of the considerations from their blog:
Security Awareness Training: Best Practices to Consider
by Gretel Egan | January 16, 2018
When it comes to security awareness training, each organization's program is likely to be, at least slightly, unique. In fact, we encourage organizations to put their own stamp on their cybersecurity education initiatives in order to reflect specific policies and elements of corporate culture. That said, we have identified several elements that are common threads among the most effective programs. These are the key components to consider as you plan your initiatives:
The most successful security awareness and training programs not only have top-down buy-in, they have top-down participation. This is simply because an all-in approach is the best — if not only — way to build an organization-wide culture of security in which good decision-making and application of cybersecurity best practices become daily pursuits for end users at all levels. When certain groups, locations, or individuals are excluded from a program, it is more difficult to encourage a mindset in which all employees feel equally invested in improving cyber hygiene.
C-level executives, board members, and managers absolutely should be kept informed early and often about the vision and progress of your program. But end users should also be regarded as stakeholders — a factor that organizations tend to overlook (to their detriment).
It is critical that employees understand the value and purpose of cybersecurity education before they ever receive a training assignment. And as a security awareness and training program continues, end users should remain clear on what is happening and, more importantly, why it’s happening and how they fit in.
Baseline Vulnerability Measurements
The premise of this recommendation is simple: How can you know how far you’ve come if you don’t know where you started? Baseline assessment scores — related to phishing susceptibility and cybersecurity knowledge levels — allow you to mark your starting point and gauge progress. But it’s also a good idea to take note of other metrics — like rates of malware infections and successful phishing attacks from the wild — before you begin employee awareness training. You should see a reduction in employee-driven cybersecurity incidents over time, which is a good indicator of program success.
Regular, Ongoing Assessments and Training
To change mindsets and reduce the mistakes and risk associated with end-user behaviors, cybersecurity must become a regular pursuit. Occasional phishing tests and once- or twice-a-year training simply will not be enough to raise awareness and help your employees learn how to apply best practices. To develop new skills, end users must be given the benefit of regular cybersecurity education and the opportunity to learn over time.
Creating a Clear Link Between Assessments and Training
As is reflected in our Continuous Training Methodology, we make a clear distinction between assessments (like simulated phishing attacks and question-based evaluations) and training. These two types of activities work most successfully when used in conjunction with one another. A phishing test, for example, is an excellent way to motivate employees to complete follow-up training. However, it’s critical that these initiatives are clearly linked, with a small window of time between assessments and training. After all, if you send a phishing test in January and then send an anti-phishing training assignment in October, the logical connection between those two activities is lost.
We’ve regularly spoken about the need to reinforce key messages with end users. When you revisit topics on a regular basis and incorporate ongoing awareness activities, you help to keep cybersecurity best practices top-of-mind for employees. Without reinforcement, you are put in the position to regularly rebuild — rather than build upon — a cybersecurity foundation.
Consistent Tracking and Reporting
As is reflected in the Data-Information-Knowledge-Wisdom hierarchy, data is helpful, but wisdom should be your ultimate goal. As such, it’s important to choose security awareness and training tools that do more than churn out data for data’s sake. Seek instead tracking and reporting capabilities that give you access to value-add data that ultimately translates to actionable business intelligence.
We’ve seen a number of organizations generate great engagement and results by applying gamification techniques to their programs. We strongly believe in using rewards and positive reinforcement to raise end-user interest and participation; in fact, our reporting features, including our Training Leaderboard report, are designed to help organizations track successes at the individual and department levels and more easily apply gamification to their programs. We do recommend exploring this option if it's supported within your corporate culture because it can elevate the effectiveness of your program.