The dawn of human-centric security is upon us. That sounds like the opening of an epic film, but this is the situation we find ourselves in; cybercriminals have chosen the path of least resistance – the human being.
In 2018, phishing was still the number one way that malware infections entered our computers and networks. Microsoft recently surveyed the situation to find how out just how wide-spread phishing scams are. In doing so, they looked at more than 400 billion emails across 1.2 billion devices. What they found was shocking: 53 percent of all email threats are phishing-based of which 75% contain malicious URLs.
The weapon at the disposal of our organisations, to counter human-centred cybersecurity threats, are our staff. But how do you successfully implement a security awareness training programme?
Components of a Great Security Awareness Training Programme
So, what are the different aspects of a successful security awareness training programme? One thing is for sure, any programme that involves staff across your organisation as a whole should be a process. Below we have collated the key areas to consider when building a successful programme of awareness:
First things first, security awareness training is about people
Security awareness is about people, first, foremost, and finally. As such, it needs to be interesting, accessible, and meaningful. And,the programme you choose needs to put people first. What does this mean?
First off you need to understand what you want to get out of the programme. What teams will be involved, and do they need specific issues to be dealt with? For example, your accounts department might need more focus on issues such as Business Email Compromise (BEC) than other departments.
Mapping out your security awareness expectations across your organisation is a good place to start as can see where and what you need to focus on.
Once you understand the scope of your security awareness programme you should look at how to convey the training.
Human beings learn best when told a story. Story-telling and learning go way back. In fact, research has shown story-telling to be vital in any learning process.
When you pick a security awareness training package, choose one that uses story-telling and engages your staff directly; interaction also augments storytelling to make learning more effective. And most of all, make sure the programme is actually fun. No one wants to sit through mind-numbing security content. They will simply switch off, or worse, rebel against the training.
Get management buy-in
You won’t get very far unless you have evangelist behind the idea of security awareness – that is especially helpful if they are at the very top of your management chain. You will need their patronage and funding to take the training across your staff ecosystem. This is a fundamental part of your security awareness training implementation. Presenting your ideas and the power of awareness training in controlling cyber-threats, is a process. Check out our “Five Easy Steps to Project Cybersecurity Onboarding” to see what you can do to make sure you get management buy-in for security awareness training.
Asking for budget
Presenting the case for funding a security awareness training programme is part of making your programme of security awareness successful. Of course, you want to get the most cost-effective package available. But it should also be able to show success. You will need to create a compelling and evidenced story to present to the company purse-holders to get them to fund your training needs.
Fortunately, there is plenty of evidence to show that security awareness training work.
Read our post on how to get funding for your security awareness training package.
Fit it to your security policy and security regulations
You can add weight to your awareness training by making sure it is included in your security policy. Prevention of security exposure is not a point solution anymore. Keeping an organisation safe is about the entire business, including its people. Make sure that the policy reflects this and includes awareness training as a fundamental part of your security strategy.
As part of this step, you should also align the security awareness programme to certain business/industry issues. This then also map the training back to regulations and compliance around data security and privacy. Several regulations, including GDPR, now encourage or even mandate the use of security awareness training.
Keep on being security aware
Regular updates are very important in the success of a security awareness training programme. The cybersecurity landscape will not stand still. One of the novel aspects of the cybercriminal community is its ability to be agile and evolve as conditions change. Security awareness training vendors also need to be agile and update training packages, as and when needed. This means that your organisation needs to choose easy to access packages that can be updated regularly to reflect the current cybersecurity landscape. For example, at The Defence Works, we create brand new Interactive Episodes every single month, based on recent, real-life events.
Many security awareness training vendors will talk about using metrics. This is useful to give you feedback on how well the training is going. For example, if you are using phishing simulations with your staff, are those staff clicking on fewer links after the training. These metrics are automatically generated by the programme you use. However, the feedback from the staff using the programme should also be encouraged. If your staff are finding it useful, they will let you know. But also make sure to use an open-door policy when running security awareness training – allowing staff to openly discuss the merits or problems within the training, can help make it more applicable and more effective.
Putting a security awareness training package into action is a process that needs the input and acceptance of the entire organisation. This may seem like a big task, but if you break it down into the component areas it can make it easier to achieve.
Want to launch a security awareness training programme your employees will thank you for? Check out the trailer for our Interactive Episodes:
Sign up for a free demo and find out how we’re already helping organisations just like yours.