Employee cybersecurity awareness can play a critical role in the prevention of data leaks and malware infiltrations — but organizations have to improve the training they provide. One study found that more than three-quarters of executives believe that employees have accidentally put company data at risk in the past year, but 92% of employees said they had not done anything malicious.
This is typical: people are confident that they know the rules, but there is a gap between theory and practice. Training can make all the difference — if it’s done right. Here are three key strategies for creating a cybersecurity awareness program that works.
1. Tailor Training to Different Groups of Employees. Employees with different levels of responsibility, knowledge and access to corporate data need different kinds of cybersecurity awareness training. Consider the following approaches for four key groups:
- Employee End Users — Training for non-technical employees should be among your top areas of focus because they are most likely your largest population of workers. Education needs to be frequent, engaging, short and relevant to their job function. Focus on basic knowledge about cybersecurity risks and good security habits while also ensuring they are aware of security policies and best practices.
- The Executive Team — Training for management needs to be more business-oriented: it should include basic security principles but also details about the consequences of security incidents for the business and its stakeholders. Management should understand both the monetary penalties of security failures and the lasting harm to the company’s business.
- IT and Cybersecurity Professionals — Staff responsible for IT security and others with privileged access to IT systems require more detailed training. Focus on situational training and include information about advanced techniques for protecting against cyber threats.
- Contractors and Part-Time or Seasonal Workers — Many training programs forget an important employee contingent: consultants, temporary and part-time workers. These workers often have limited, or even full, access to corporate networks and data. Train them during their onboarding process and be sure they are aware of your security policies and expected security practices so that they don’t put your data at risk.
2. Make Training Regular and Test that it Actually Works. Too many organizations provide cybersecurity training only at the time of hire or as a part of an annual update exercise. To be effective, cybersecurity training must be provided in small, digestible units designed to engage the target group of employees. For example, a five-minute training video that recreates real-world situations is more likely to hold a business user’s attention than a hefty IT training manual.
Training should be an ongoing and immersive experience geared toward changing employees’ behavior and attitude. Walk them through the signs of an attack and encourage them to contact the IT department right away if something seems suspicious. Phone numbers and other contact information should be clearly posted so everyone knows who to call.
It’s also recommended that security leaders regularly review employee behavior after the training to see whether the lesson has been learned. By auditing user behavior, you can detect those employees who continue to violate security policies, provide them with personalized guidance, and update your training if necessary.
It’s important, however, to understand that auditing must not turn into surveillance. Don’t, for example, go as far as sending out a monthly list of people who violate policies. You want to inspire appropriate action, not put employees on the spot. Responsible employee behavior should be a result of knowledge, not fear. It’s valuable to share examples of insecure behavior during the learning process, but offenders should never be demonized or specifically named.
3. Vary Your Training Formats. Combining a variety of formats can also make your training program more effective. Here are some options to consider:
- Classroom-Style Training. A key benefit of interactive training is the presence of a real person to explain trickier subjects and answer questions for a whole group. Some companies complement their web-based instruction with live training that utilizes a variety of methods such as role-playing and simulation games, so the interaction is more two-way. Webinars can also still be effective if employees are geographically dispersed. Some enterprises have implemented introductory security training for every new hire before data access is allowed. This is an effective practice. Only after full completion of the security training are new employees onboarded with privileged access and computing equipment. This significantly lowers the security risk for these trained employees and can also dramatically drop helpdesk tickets in the process.
- A Security Awareness Website. So that every employee has a quick resource for any security inquiries, establish and communicate access to an internal website or security portal. This internal site should have a range of sections covering hot security topics including malware, hoaxes, file sharing and copyrights, as well as what to do if a threat has been detected. The site should also have self-paced tutorials for users, with mini quizzes at the end of each section to make sure the material is actually being learned.
Be sure to avoid content that is long and overly technical – especially if you are sending security training and policy content over email. A long, detailed explanation of how to identify a phishing email or social engineering attempt will not be read – or used. Instead, use brief examples that every employee can understand and relate to, and, most importantly, keep it fun. Divide your training into several emails and conduct a short quiz after the entire course to ensure that everyone – technical or not – retained the lesson.
- Helpful Hints. Consider supplementing your training with tips and reminders that are pushed to user screens when they log in or at other relevant times throughout the day. These tips can reiterate key points emphasized in the training, such as, “Never keep your password in a place that can be accessed or viewed by anyone besides yourself (like under your keyboard or on a sticky note).” Consistent reminders will keep security tips top of mind for everyone and limit your risk.
- Penetration Tests. It’s smart to assess the effectiveness of your program through regular penetration tests. For example, you can occasionally conduct simulated phishing or social engineering attacks so you can detect individuals who fall for malicious emails. This will help you refine your teaching practices and pinpoint those who need additional training. You will also see which employees take active steps to report threats through the prescribed channels.
Building a strong cybersecurity culture cannot guarantee you will never experience security incidents. There will always be someone who neglects basic security practices – by accident or not – and puts your data at risk.
Therefore, while cybersecurity training is a great first step for reducing data security risks, you also need to implement procedures and adopt tools that enable you to keep your data and systems under control. Ideally, you want to gain a deep understanding of what data you have and what needs protection the most. And you need to be able to quickly detect suspicious activity around that data. This will help you ensure the security of your sensitive information, thereby saving money and preserving your company’s reputation.