Security Training Awareness: Create A Plan and Track Effectiveness

Alexander Freund

As robust as your organization’s security program, policies, and toolsets are, there is still one vulnerability that even the most secure IT department cannot control – your employees. Cybercriminals rely on the fact that many employees are inadequately trained and underestimate the risks of phishing scams and ransomware. With over 53,000 security incidents and more than 2,000 data breaches in the past year, companies need to start implementing security awareness training for employees at all levels (Source).

What is Security Awareness Training (SAT)?

Security awareness training is a company-specific education program focused on decreasing cybersecurity risk by making end-users more secure in their use of technology. SAT helps to reduce issues caused by user error, misconfiguration, and mismanagement by educating users on the most common social engineering methods used by cybercriminals, and by clearly communicating and reinforcing the company’s policies on data privacy. There are many ways that you can conduct security awareness training:

  • Classroom training: In-person training that allows employees to ask questions in real-time
  • Online training: Remote training from any location that allows employees to learn and work at their own pace
  • Phishing campaigns: A campaign that consists of either a single or recurring set of tests that help to determine the most vulnerable users, providing additional training for those that fall for the “phish”

Security awareness training also covers methods for detecting and reporting phishing and includes additional education on a variety of other cybersecurity topics including physical security, desktop and laptop security, wireless networking, password security, and malware. To ensure that employees both understand and abide by company policies, organizations should customize their training based on an employee’s role so that the content is relevant to the employee and the work they do.

How Do I Develop A Plan for Security Awareness Training?

The first step in developing effective security awareness training is establishing a comprehensive set of cybersecurity policies for your company. These policies should be clear, concise, enforceable, and based on the varying roles in the organization. They should also be developed with the input and consensus of upper management and reflect current business requirements.

If your company operates in a regulated industry such as healthcare or financial services, you will want to incorporate compliance requirements into the development of the training and determine what training is necessary to meet those requirements. It is also important to show employees real-world examples of a cyberattack and spell out precisely what to do if they fall victim to one.

As mentioned above, there are different types of training that your organization can use to train employees. It is best to deliver training with a mixture of methods rather than only one. Email campaigns keep employees sharp, and web resources are great to have on hand when needed as well. In-person meetings offer employees the opportunity to ask questions and ensure you have their full attention.

The best way to start your security awareness training plan is by conducting an annual training program for existing employees and mandatory training for new hires.

How Do I Know If My Training is Effective?

The best way to know if your training is effective is by conducting pre- and post-testing on the training content. Comparing the two scores shows which points need reinforcing and helps ensure that employees retain the information. Sending out random simulated phishing emails, or looking for exposed passwords and unlocked computers around the office, also helps to determine how effective your training is.

It is also crucial to track who completes the training, how much time they spend on it, and then measure the impact it has on incidents. If employees fail to complete training or fail tests, then it confirms that they need either further training or an in-person meeting.

If your organization’s security awareness training is effective, you will begin to see a drop in the number and severity of security incidents. If you do not see an improvement, then you should revisit your training materials and adjust the approach. It is also important to incorporate new threats as they emerge and work them into the training to ensure that staff are equipped with the proper knowledge at all times.
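The effectiveness signals described in this section (completion, pre/post test gain, simulated-phishing click and report rates, the incident trend, and who needs follow-up) can be pulled together from the records your LMS and phishing-simulation tool export. The script below is an added example, not code from the original post; the users, roles, pass mark and acceptable click rate are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Learner:
    user: str
    role: str
    completed: bool
    pre_score: int      # quiz score before training, 0-100
    post_score: int     # quiz score after training, 0-100
    phish_sent: int     # simulated phishing emails sent to this user
    phish_clicked: int  # ...of which the user clicked the link
    phish_reported: int # ...of which the user reported to security

PASS_MARK = 80          # assumed minimum acceptable post-test score
MAX_CLICK_RATE = 0.20   # assumed acceptable share of simulated phish clicked

def needs_follow_up(l: Learner) -> bool:
    """Flag users who skipped training, failed the post-test, or keep falling for phish."""
    click_rate = l.phish_clicked / l.phish_sent if l.phish_sent else 0.0
    return (not l.completed) or l.post_score < PASS_MARK or click_rate > MAX_CLICK_RATE

def program_metrics(learners):
    """Aggregate the signals the plan should track; knowledge gain counts completers only."""
    done = [l for l in learners if l.completed]
    sent = sum(l.phish_sent for l in learners)
    return {
        "completion_rate": len(done) / len(learners),
        "avg_knowledge_gain": sum(l.post_score - l.pre_score for l in done) / len(done) if done else 0.0,
        "phish_click_rate": sum(l.phish_clicked for l in learners) / sent if sent else 0.0,
        "phish_report_rate": sum(l.phish_reported for l in learners) / sent if sent else 0.0,
        "follow_up": sorted(l.user for l in learners if needs_follow_up(l)),
    }

def by_role(learners):
    """Same metrics per role, so content can be tailored to the roles that need it."""
    return {r: program_metrics([l for l in learners if l.role == r])
            for r in sorted({l.role for l in learners})}

def incident_trend(before, after):
    """Relative change in average monthly incident count after training (negative = improvement)."""
    b, a = sum(before) / len(before), sum(after) / len(after)
    return (a - b) / b

# Constructed sample data: four hypothetical users in two roles.
SAMPLE = [
    Learner("alice", "finance", True, 55, 90, 4, 0, 3),
    Learner("bob", "finance", True, 60, 70, 4, 2, 0),
    Learner("carol", "engineering", False, 50, 50, 4, 1, 1),
    Learner("dave", "engineering", True, 70, 95, 4, 0, 4),
]

if __name__ == "__main__":
    print(program_metrics(SAMPLE))
    print(by_role(SAMPLE))
    print(incident_trend([10, 12, 8], [6, 5, 4]))
```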

Still curious how security awareness training could help your organization improve its cybersecurity risk? Call us today for a free consultation at (305) 278-7100.
