Cyber threats can affect anyone in a company, so cybersecurity shouldn’t be one group’s responsibility. To reduce the risk of cyber threats, all employees must contribute to the company’s overall safety. Security awareness sets the foundation for making everyone cyber-aware.
Adopting security awareness training will be an investment in time and money. But because attackers continue to target SMBs, with ransomware in particular having disastrous impacts, it’s worth it to keep your business safe.
Let’s look at four tips for delivering great security awareness training and how to make it meaningful well beyond when the class ends.
1. Capture Employees’ Interest
Because security awareness is vitally important to the business, create or look for a course your employees won’t groan over. The course should be mandatory, so find a way to grab their attention and keep their interest throughout.
Emphasize that antivirus software, firewalls and other security technology stop many threats, but no solution is perfect, and attackers constantly come up with new ways to get past technology. Help your employees understand the critical role they play in protecting company information and systems, especially when it comes to malicious links and social engineering.
Ideally, the course should be accessible online and on demand. Each employee can then complete the course when their work schedule permits. While managers should set a deadline for completion, give employees the flexibility to work through the course when the time is right for them.
The course should be highly engaging and easy to complete with bite-sized modules, relevant images, short quizzes or interactive activities. At the end of the training, provide company contact information where employees can ask follow-up questions if anything wasn’t clear to them.
2. Stay In Touch
To reinforce learning and keep security awareness top of mind, send an email to all staff every two to four weeks to remind them of the real-world risks and threats. An email from the business owner, CEO, CIO or an IT lead can have a great impact.
These emails don’t have to require extensive effort; they can be short and simple. For example, send the highlights of a news article about a breach caused by an employee downloading unauthorized software from the Internet. In addition to highlighting newsworthy stories, emails can offer tips for avoiding a ransomware attack, how to spot a social engineer and what to do if you suspect an attack is under way.
3. Make Security Personal
Everyone wants to feel successful. Consider awarding a quarterly prize (or pass a trophy) to an employee demonstrating the best effort to thwart a security breach. Feature that employee in the company newsletter or website to underscore your appreciation for their diligence.
Keep in mind that most employees don’t intend to be a security problem, but as we have seen, accidents happen. Even business leaders fall for sophisticated phishing attacks, but repeat offenders need to be dealt with. Your company’s security policy should clearly state the repercussions of having a careless attitude toward security – perhaps a negative job performance review or termination, depending on the circumstances.
4. Check the Effectiveness of Training
Once your employees have completed security awareness training, how do you know if it’s working? How do you gauge whether employees are following the best practices they learned?
One method is to send simulated phishing attacks to employees. These are fake emails, made to look as real as possible, that provide a link to some website. In a real phishing attack the website would be malicious, but simulated attacks simply gather statistics on who clicked the link. This will show which employees understand cybersecurity and which ones need additional education. If you lack the resources to perform testing and reinforcement, companies like KnowBe4 and Wombat Security offer simulated phishing attacks as well as training programs at bulk rates.
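As an added example (not from the article or from the vendors it names), here is how the statistics from a simulated phishing campaign can be turned into the two numbers that matter for gauging training: the click rate and the report rate per campaign, plus the list of people who clicked in more than one campaign and need follow-up education. The three-column event format and the action names are assumptions; real vendor exports differ.

```python
from collections import defaultdict

# Constructed sample export, one event per line: campaign,recipient,action.
# The three-column format and the action names are assumptions, not a vendor format.
SAMPLE_LOG = """\
2024-Q1,alice@example.test,sent
2024-Q1,alice@example.test,reported
2024-Q1,bob@example.test,sent
2024-Q1,bob@example.test,clicked
2024-Q1,carol@example.test,sent
2024-Q2,alice@example.test,sent
2024-Q2,bob@example.test,sent
2024-Q2,bob@example.test,clicked
2024-Q2,carol@example.test,sent
2024-Q2,carol@example.test,reported
"""

def parse_events(text):
    """Return (campaign, user, action) tuples, skipping blank and comment lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        campaign, user, action = (f.strip() for f in line.split(",", 2))
        events.append((campaign, user, action.lower()))
    return events

def campaign_metrics(events):
    """Per campaign: recipient count, click rate and report rate (fractions of recipients)."""
    buckets = {"sent": defaultdict(set), "clicked": defaultdict(set), "reported": defaultdict(set)}
    for campaign, user, action in events:
        if action in buckets:                 # ignore actions we do not score
            buckets[action][campaign].add(user)
    metrics = {}
    for campaign, recipients in buckets["sent"].items():
        n = len(recipients)
        metrics[campaign] = {
            "recipients": n,
            "click_rate": round(len(buckets["clicked"][campaign]) / n, 3),
            "report_rate": round(len(buckets["reported"][campaign]) / n, 3),
        }
    return metrics

def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns (follow-up training)."""
    by_user = defaultdict(set)
    for campaign, user, action in events:
        if action == "clicked":
            by_user[user].add(campaign)
    return sorted(u for u, cs in by_user.items() if len(cs) >= min_campaigns)
```

A rising report rate across campaigns is the clearest sign the training is sticking; a flat click rate with the same names recurring tells you who needs the follow-up discussed in tip 3.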
The success of a security awareness program needs to start from the top. Senior management is responsible for creating a culture of security throughout a company, and for supporting awareness efforts year-round. For instance, a company’s executives should assign an owner and set the “all-in” tone, and then work with the next rung of managers and human resources to ensure training is delivered. Also, employees are more apt to practice good security habits if executives and leaders are actually practicing the behaviors.