Cyber criminals increasingly prefer to target employees as a way to gain access to company networks and systems, rather than struggling to overcome the expensive, complex technical security controls put in place to stop them in their tracks.
For this reason, virtually every industry (or Government) recognised cybersecurity standard or guideline recommends training end users through some form of cybersecurity awareness programme.
Training your employees on how to follow basic security policy, identify suspicious emails and behaviour, and report any problems they encounter or suspect will significantly reduce an organisation’s cyber risk.
Developing a strong cybersecurity culture in the workforce should be the end result for any successful awareness programme. This is much easier said than done for those given the unenviable task of trying to accomplish this result, so here we provide tips on how to build a successful cybersecurity awareness programme…
1. Use a Mixed Bag of Training Tools and Content
Design a training programme that uses a combination of training techniques to keep employees engaged. Interactive eLearning modules, simulated phishing campaigns, awareness messaging campaigns, micro-modules and culture assessments are all ways to both establish foundational security knowledge and reinforce it while keeping your staff engaged. Avoid focussing on a single form of training.
2. Continuous Training Works
To change mindsets and reduce the mistakes associated with end-user behaviours, security must become a regular pursuit. Once-a-year compliance training simply will not be enough to raise awareness and help your employees learn how to apply best practices. Use bite-size training so your end users regularly revisit key cybersecurity topics, which encourages knowledge retention. Without reinforcement, learners end up regularly rebuilding – rather than building upon – their cyber security foundation.
3. Culture Development Through Marketing
Work with your company’s marketing or communication team here. Design security awareness messaging campaigns to keep the subject front-of-mind throughout the year – this is security marketing. Take exactly the same approach as the top consumer brands: their campaigns are designed to influence the consumer’s decision-making process in the advertiser’s favour, so design yours to get your users to make better security decisions.
4. Early Communication and Support
For any workplace culture to be successfully developed and maintained it requires support and buy-in from the leadership team and key stakeholders. Communicate your programme plans, timelines and objectives early on with your executive team and those stakeholders who will be integral to its success, such as department managers and tech support. Don’t neglect to keep your employees in the loop – they are ultimately one of the most important stakeholders in any awareness programme and the better they understand the reasons for and benefits of the programme, the better they will support it.
5. Keep It Personal
Cyber security awareness may not be the sexiest or most exciting of subjects, so the more your employees can relate to the training, the more engaged and responsive they will be. Emphasise that good security practices should also be shared at home to help keep their families and personal lives safe online. Good cyber hygiene at home will translate to good cyber hygiene in the workplace.
6. Use the Carrot Not the Stick
Gamifying your security awareness programme is a great way to get all employees involved and engaged. Departments and individuals can be rewarded through scoring systems built into the training modules and assessments – incentivise behaviours such as high scores on knowledge assessments, training completion times and rates, and phishing email reporting. Make cybersecurity training fun and competitive and behaviours will change in the process. Avoid singling out and punishing employees who regularly fail knowledge assessments or phishing tests. Never assume that because you find the subject easy to understand and implement, all employees will too. If employees are consistently failing, take the time to close the knowledge gaps.
7. Have a Robust Reporting Process
Be prepared for success. As your employees become more educated, aware and confident in identifying potential cybersecurity threats, you will see a significant increase in the volume of reports to the security team or IT department. This will be one of the strongest indicators that your awareness programme is succeeding in truly changing behaviour. However, nothing will stall this growth in security culture faster than a reporting process that is poorly managed, or non-existent. Employees should be encouraged and thanked every time they report something, and be made to feel they are truly contributing to the organisation’s security. Be sure to include your incident reporting stats in your Awareness Programme Reports to show progress and return on investment, and share these reports with the employees themselves as well as the leadership team.
Take the time to adequately plan your security awareness programme before launching it. Whilst finding the right vendors, training platforms, training content and awareness material is very important – unless the programme is well executed and supported, it will fail to change behaviour or reduce your risk.
CybACADEMY courses powered by GoldPhish educate employees on cyber risk and help build a more secure organisation with awareness training.
Its current FREE100 Campaign is aimed at helping smaller businesses get one step ahead of the cyber criminals with free awareness training.