Done well, effective security awareness training enhances your employees' knowledge of attack vectors and common risks they face daily, all of which can improve your organization's overall defense posture. But awareness training done poorly? That's another story.
While it might check the compliance box, training sessions that lack creativity have the potential to make everyone all the more complacent.
So what exactly does poor security awareness training look like? Let this list of 10 ways security managers can mess it up serve as your guide for what not to do.
Don't Recycle Old Material
If you want users to be interested in what you're trying to teach them, don't expect them to sit through the same material multiple times.
"It's actually pretty easy to identify what you shouldn't do for this year's security awareness training: Look at last year's materials," says Jacob Ansari, chief information security officer (CISO) of Schellman & Co., an independent security and privacy compliance assessor. "If you're recycling the same slides, and the same presentation, and the same quiz, your employees will notice and identify that no one prioritized making this interesting."
Baan Alsinawi, president and founder of TalaTek, an integrated risk management firm, agrees.
"It is easy to fall into the pattern of providing the same training materials and offering employees a class once or twice a year to check the box," he says. "Security training should be based on current information."
Don't Make It Looooooong
Most employees are expected to set time aside from daily responsibilities to complete their awareness training, so respect their time and make it short and interesting.
"Some trainings are too long and cause the audience to check out, while others are simply boring and fail to pull the audience in with compelling stories, dialogue, or gamification," says Corey Nachreiner, CTO of WatchGuard Technologies.
Andy Ellis, operating partner with YL Ventures, suggests putting in place ways to ensure training attendees "watch every second of video before taking the test you've helpfully included to make sure they paid attention. Some computer-based training apps will do this by automatically pausing the video if the user clicks elsewhere.Your users will never just pull out their phone and scroll through Instagram while waiting for the video to end [again], will they?"
Don't Give Everyone the Same Training
Employees perform different tasks and face different threats. So why are you training them all on the same types of risks?
"A common mistake is assignment of the same security awareness training to everyone within the organization," says Adam Kohnke, an information security manager at the Infosec Institute. "Matching training to employee roles and motivations, while time-consuming, is one of the most important steps in any awareness training program."
It's also crucial that advice matches reality.
"Telling a salesperson not to open emails from people they don't know is not reasonable and undermines the program by providing irrelevant training," says Mike Gruen, Cybrary CISO & VP of engineering. "Instead, training should focus more on spotting suspicious situations, how to report when something is odd, and what they should do if they think they made a mistake."
Don't Forget to Follow Up
So what did employees think of the training? If you don't ask, you're missing an important part of awareness.
"Not getting feedback is a big 'don't' for security awareness training," says Nick Santora CEO of Curricula, a security awareness training firm. "You need to get buy-in from your employees and feedback from them on what they're learning and what they're missing because that will shine the light on potential vulnerabilities leading to a breach."
You should also be regularly engaging with employees about how they feel about reporting incidents.
"In every training, you tell users to whom they should report incidents," YL Ventures' Ellis says. "That part of your security team is probably the lowest-paid part; they might respond with a form letter that includes suggestions on being more aware. And then, of course, nothing further happens. The user who reported it learns that a few hours after the report, a fellow user did fall for the same social engineering attack and wonders why they'd bothered reporting it, since apparently it didn't help."
Don't Train Only Once a Year
One annual training is probably not enough to see any real improvement in awareness, says Sai Venkataraman, CEO of SecurityAdvisor.
"Irregular security awareness trainings offer no measurable ROI outside of fulfilling a compliance mandate," he says. "Employees' ability to identify and remediate cyber threats diminishes over time, so organizations who conduct trainings only once a year will rarely see positive user behavior changes."
Don't Shame Users Who Make Mistakes
Training should always be an experience that helps employees learn without feeling bad. And if mistakes are made after training, use them as an opportunity to help workers understand.
"It's human nature to make mistakes," says Tim Sadler, CEO and co-founder of Tessian. "Don't shame employees for making and reporting mistakes. Companies should create a security culture that encourages employees to report their mistakes to IT. Otherwise these mistakes will continue happening – but without visibility into how or why they're happening."
Victim-shaming is not a valid training tactic, Cybrary's Gruen adds.
"These attacks are getting more clever all the time," he says. "They change tactics regularly. Anyone is susceptible, so blaming victims just makes people less likely to come forward when something bad may have happened."
Don't Forget the Why
Why are we doing this training? Employees should not only understand the attack vectors they face, but why security is so essential to a business.
"Many organizations fail to communicate clear goals and objectives," says Kurt Risley, head of appsec education at Checkmarx. "If employees cannot fully grasp why security is important, what appropriate security posture looks like, and how the success of the security solution can be measured, they are less likely to gain anything meaningful from a training program."
Adds Mary Galligan, Deloitte's US cyber crisis management leader: "Employees need to be educated on the threats so that they understand the threat of clicking on links, visiting websites or engaging with removable media."
Don't Overlook End User Empowerment
End users are much more than just a security liability. Let them know how important they are in defending the company from attacks and breaches.
"Don't view employees solely as your organization's biggest cybersecurity risk. They can also be the best defense against some threats," says Deloitte's Galligan. "Creating and fostering a cyber-aware organizational culture in which everyone feels responsible for cybersecurity can really improve cyber-risk management efforts."
Sometimes what speaks to a person about staying safe online in their private lives translates to their work lives as well.
"Some of the most productive training I have led is around arming folks to protect themselves and their loved ones online – then reminding them they need to apply that as work as well," says Steve Winterfeld, advisory CISO at Akamai.
Don't Dismiss the Value of Buy-In
Focus on getting everyone – from employees to company executives – to believe in your efforts. If everyone isn't convinced of the importance of awareness, few people are going to support your mission.
"Don't talk facts, figures, and numbers to your CEO or CFO; tell your fellow execs how it would impact your organization specifically if an incident would happen," Curricula's Santora says. "Tell them about the investment using a story. This concept can also be utilized by infosec pros to get buy-in from their employees."
End user buy-in is huge, he adds. "If your employees hate the training, then they're not actually going to learn what to look for in a phishing email," he says.
Don't Create a Culture of Apathy
Recycling old material and using a long, boring, annual training course without proper feedback and follow up sends one message: We are apathetic about security in this organization.
"The path to getting your users away from apathy and toward engaged awareness is demonstrating that you value their time," says YL Ventures' Ellis. "Separate compliance training out into a minimalist approach, and provide meaningful, targeted training to support teams where they need help. Make rapid response a hallmark of reporting incidents to encourage teams to share."