When you want to create (or revive) a strong culture of cybersecurity, security awareness training for employees is the best place to start.
The challenge is that cybersecurity threats evolve constantly, so your countermeasures must change with them. Certain basics remain the same, such as never writing your password on a note at your workstation, but your training must respond to new threats as they appear.
That’s why cybersecurity awareness training for employees should be an ongoing practice. For better or worse, the business world always seems to have a fresh data breach or other cyberattack to discuss, so holding awareness training on a regular basis makes sense.

Let’s take a look at five steps you can take to bring cybersecurity training to your employees:
- Assess. What are the main cybersecurity awareness training topics your employees need? (Hint: the ones that match your biggest cybersecurity risks.)
- Establish. What type of cybersecurity awareness training program do you need and what does it look like?
- Interact. Keep your training current. For example, it should address new issues such as COVID-related remote work.
- Schedule. Put the training on the company calendar for the rest of the year.
- Create. Successful companies have a strong culture of cybersecurity awareness throughout all departments and locations.
Assess the main topics of cybersecurity awareness training.

Before you begin to put together a training program, start with a baseline assessment. What do employees know about cybersecurity? Do any persistent myths float around among your staff? Do people know where to go when they have cybersecurity questions? Once you have a basic understanding of employees’ awareness of potential cyberattacks, test that knowledge with a simulated phishing attack. The point here isn’t to shame the employees who fall for it; instead, use the results of the simulation to demonstrate why you need a cybersecurity training program. Make the phishing simulations engaging, and be clear that the simulation is only the first step toward the full-fledged training program you’re creating. You might also test employees with a survey or quiz developed with your IT department. Either way, you’ll quickly discern how vulnerable your company is. It’s important to build trust during this part of the process. Clarify that human error is common and that there are no repercussions for speaking up about an IT or data security issue.
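The baseline a phishing simulation gives you is only useful if you score it in a way that points at the right training topics. The script below is an added example, not a tool from the article or from any phishing-simulation product: it takes a constructed event log (the user/department/event tuples and the event vocabulary are assumptions; real platforms export similar fields) and computes, per department, the share of recipients who clicked, who submitted credentials, and who reported the message. Each user is counted at most once per event type, so a duplicate click in the log does not inflate the click rate, and a user who clicked and then reported is counted under both, because a late report is still the behaviour you want to reinforce.

```python
"""Score a simulated-phishing baseline per department.

Added example (not the article's own tool). The event log and the event
vocabulary ("sent", "opened", "clicked", "submitted", "reported") are
constructed assumptions standing in for a phishing platform's export.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log of one simulation round: (user, department, event).
SAMPLE_EVENTS = [
    ("alice", "finance", "sent"), ("alice", "finance", "opened"),
    ("alice", "finance", "clicked"), ("alice", "finance", "submitted"),
    ("bob", "finance", "sent"), ("bob", "finance", "reported"),
    ("carol", "finance", "sent"), ("carol", "finance", "clicked"),
    ("carol", "finance", "reported"),   # clicked, then reported: counts as both
    ("dave", "engineering", "sent"), ("dave", "engineering", "opened"),
    ("erin", "engineering", "sent"), ("erin", "engineering", "reported"),
    ("frank", "engineering", "sent"), ("frank", "engineering", "clicked"),
    ("grace", "frontdesk", "sent"), ("grace", "frontdesk", "clicked"),
    ("grace", "frontdesk", "submitted"),
    ("heidi", "frontdesk", "sent"), ("heidi", "frontdesk", "clicked"),
    ("heidi", "frontdesk", "clicked"),  # duplicate click must not double count
]


@dataclass
class DeptScore:
    department: str
    sent: int
    clicked: int
    submitted: int
    reported: int

    def _rate(self, n: int) -> float:
        # Rates are relative to recipients, so a department that received
        # nothing scores 0.0 instead of raising ZeroDivisionError.
        return n / self.sent if self.sent else 0.0

    @property
    def click_rate(self) -> float:
        return self._rate(self.clicked)

    @property
    def submit_rate(self) -> float:
        return self._rate(self.submitted)

    @property
    def report_rate(self) -> float:
        return self._rate(self.reported)


def score_by_department(events) -> dict:
    """Return {department: DeptScore}, counting each user once per event type."""
    users_by_key = defaultdict(set)          # (department, event) -> {users}
    for user, dept, event in events:
        users_by_key[(dept, event)].add(user)
    departments = sorted({dept for _, dept, _ in events})
    return {
        dept: DeptScore(
            department=dept,
            sent=len(users_by_key[(dept, "sent")]),
            clicked=len(users_by_key[(dept, "clicked")]),
            submitted=len(users_by_key[(dept, "submitted")]),
            reported=len(users_by_key[(dept, "reported")]),
        )
        for dept in departments
    }


def training_priority(scores: dict) -> list:
    """Departments ordered worst-first: highest click rate, then lowest report rate.

    A low report rate matters even where few people clicked: nobody telling
    security about a suspicious mail is a gap the training has to close.
    """
    return [
        s.department
        for s in sorted(scores.values(), key=lambda s: (-s.click_rate, s.report_rate))
    ]


if __name__ == "__main__":
    scores = score_by_department(SAMPLE_EVENTS)
    print(f"{'department':<12}{'sent':>5}{'click%':>8}{'submit%':>9}{'report%':>9}")
    for s in scores.values():
        print(f"{s.department:<12}{s.sent:>5}{s.click_rate:>8.0%}"
              f"{s.submit_rate:>9.0%}{s.report_rate:>9.0%}")
    print("train first:", ", ".join(training_priority(scores)))
```

Run as-is it prints a small table and a worst-first ordering; with the constructed log the front desk comes out first (every recipient clicked, nobody reported), which is exactly the kind of finding that justifies the first training module without naming individuals.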
Establish how the cybersecurity awareness training program should work.

Once you have assessed employee knowledge, target the areas where your organization’s information security needs strengthening. An effective training program deepens knowledge of the topic at hand and introduces new concepts (for example, social engineering) to your staff. Explain that cybercrime is common and costly so that employees understand the urgency of the program and don’t dismiss it as a waste of their time. Schedule regular training sessions throughout the work year and give each one a concise focus, such as malware, social engineering, or firewalls. Decide which training format works best for your circumstances. Studies have shown that brief, group-based, in-person sessions are an efficient way to impart knowledge, although in a pandemic a group setting isn’t necessarily possible. In that case, consider recording training courses for employees to watch online, then follow up with an online meeting for questions and conversation with end users. As you establish the program, it’s very important to include a section on how and when the training must be updated. Remember, to be effective your training must respond to new cybersecurity threats as they come along. Establish a clear internal chain of command for how cybersecurity concerns are reported, and do your best to create an assessment procedure for deciding when a new threat reaches a magnitude that requires a new training module. It may be a good idea to give this last task to your incident response team, as it is the group most likely to be aware of emerging threats and new malware.
Interact: keep training up-to-date and engaging; address new issues such as COVID-related remote work.

Many people find lectures boring and get distracted by personal devices chiming out new alerts all day long. Most of the ways to improve memory and retention involve the trainee actively processing the material, for instance by relating the topic presented, say common social media scams, to something the trainee already knows how to do, like using Facebook. Interactive learning methods include:
- Small breakout groups
- Q&A session
- ‘Gamification’ of training
- Staging physical security situations
Schedule training on the company calendar and make it mandatory.

Meaningful security awareness training cannot be done in one session. The goal is to make cybersecurity and security risk awareness a common, expected part of your company’s routines, so schedule ongoing training. Busy employees may grumble about the time commitment, so be prepared for questions such as: Why should someone who’s never had a password issue sit through a session on password security? How do you expect remote workers to participate, and why should they if there have been no security incidents? Make sure the training content answers these questions, and communicate that the modules will not be a waste of time. The easiest way to win support for new training is to lead by example: make sure everyone from the CEO to the front desk clerk participates. When everyone is involved, employee awareness will grow by leaps and bounds.
Create a strong culture of cybersecurity awareness throughout all departments and locations.

Ongoing security awareness training matters because it helps to create a corporate culture of awareness. Repeated sessions convey the message that security matters greatly to your company. Remember that employees must often “unlearn” unsafe habits they use at home and learn new ways of recognizing a security risk at work. It’s important that training happens in an environment of trust and honesty, where nobody is afraid to speak up. Establish a chain of command that makes it easy for employees to report a cybersecurity incident, and create easy-to-use templates for new projects or workflows. Part of that chain of command should be an incident response team that can be activated when a security incident materializes. In his Forbes article, “How to Build a Great Company Culture,” Todd McKinnon of Okta identifies six parts of building a strong corporate culture:
- Executive leadership needs to assign an owner of the training;
- Set the tone that the training is important and mandatory;
- Create an organizational structure that drives it;
- Hold off-site or online trainings;
- Prioritize and focus what the training topic is;
- Communicate with everyone involved.