10 Tips for Security Awareness Training That Hits the Target
Try these tricks for devising an education program that gets employees invested — and stays with them after the training is over.
October is Cybersecurity Awareness Month. Now in its 20th year, it is an initiative to stress the importance of understanding cyber-risks and how to prevent costly mistakes that can lead to a breach or data theft. But how aware are your employees? While most organizations (some figures say as much as 97%) provide awareness training, many security incidents still tie back to human error.
How do security leaders know the awareness training they invest in and implement will actually help employees learn?
Here are 10 tips for creating security awareness training that hits the bull's-eye.
One and done annually is not enough, says Lisa Plaggemier, executive director at National Cyber Security Alliance.
"Short but frequent," she says. "No more of this once-a-year nonsense."
Training should be a continuous process. Regularly reinforce key concepts and provide updates on emerging threats. Ongoing training ensures that employees stay vigilant and informed about the latest cybersecurity issues.
Tailor awareness training content to employees' roles.
"People should be receiving training that is appropriate for their roles and the specific risks that affect them," says Plaggemier.
Different departments and job functions have unique security needs. Role-based training ensures that individuals understand the risks and best practices relevant to their specific responsibilities.
Share real-world examples of recent cyberattacks to demonstrate the potential consequences of security lapses.
"Messages use different approaches: storytelling from a victim's perspective, storytelling from the defender's perspective, leveraging current events in the headlines — there's unfortunately always a good breach headline to pull from," says Plaggemier.
Timely examples make the training more relatable and highlight the relevance of the information.
Show employees how cybersecurity practices extend beyond the workplace and are relevant to their personal lives. Discuss common threats people face in their daily routines, such as online shopping, QR codes, social media, or personal email security.
"If you're delivering helpful information that's timely and relevant — travel security tips right before summer vacation season, for example — people will keep coming back," says Plaggemier.
Cover a wide range of security topics, including password management, email security, social engineering, and data protection. A holistic approach also includes elements like company culture, says Kim Burton, head of trust and compliance at Tessian.
"Understand the employees," she says. "What pressures do they face? What is the local culture like? What is the internal culture like? What professional backgrounds do these people have? How is the security team or IT team currently perceived internally? Do executives champion security?"
While compliance requirements are important, training should not be viewed solely as a compliance checkbox, says Dr. Jason Nurse, director of science and research at CybSafe and associate professor in cybersecurity at the University of Kent.
"Organizations often focus on compliance and meeting the basic requirements, which may result in training that lacks depth and engagement," he says. "Ultimately, the question is, does your organization want to tick the compliance box? Or does it genuinely want to improve security behaviors within its workforce? Hopefully it is the latter."
Focus on building a security culture where employees understand the "why" behind security practices.
Integrate training into the communication and collaboration tools that employees use daily. This approach makes it convenient for them to access training materials and encourages engagement, says Nurse.
"Training should be tailored to each workforce, department, and even person," he says. "Are they more likely to engage with video content? Does engagement increase if humor is utilized? Is Slack more likely to get read than email?"
Training begins with empathy, says Tessian's Burton.
"The security educator needs a deep understanding of the people they are teaching," she explains. "It is never a one-size-fits-all situation, and that shouldn't be discouraging to the educator but a moment to demonstrate that what they're teaching is relevant to the individual."
Also recognize that mistakes can happen, and employees may inadvertently contribute to security incidents. Encourage open communication and foster a nonpunitive culture where employees feel comfortable reporting security concerns. There should also be absolutely no shaming of awareness training participants who may fail a certain element of the program.
In Burton's experience, training is most effective when it works with how people learn, keeps them psychologically safe, and doesn't rely on fear to get the point across.
"Ideally, the educator needs to be aware of what other messages people are receiving from the news or internally that may contribute to what individuals are most concerned about," she says. "The educator needs to be able to speak to those fears while also redirecting the people to the core secure behaviors the organization has identified as the greatest benefit to the business to mitigate risk."
Use gamification elements to make training fun and interactive. Gamified training can include quizzes, challenges, and rewards, making the learning process more engaging and enjoyable.
"Make engaging with security content fun by using your knowledge of how people work and the holistic experience of working at your company," says Burton, who has used several creative programs for training at Tessian. "Make puzzles, encourage curiosity and mystery, re-create the delight of discovery in learning, point out progress, and use positive reinforcement for secure behaviors."