Employees are the weakest link. Policies and firewalls are not enough to secure your data, staff must be regularly trained.
Your organization might have the most robust security program in the world. You may have stringent policies, and the latest and greatest security software tools. You might think your data is safe, but if your employees don’t have the right training or a working understanding of your policies and the potential risks, then all your magnificent defenses can be easily side-stepped.
As many as 81% of hacking-related breaches over the last year leveraged stolen or weak passwords, according to Verizon’s Data Breach Investigations Report, and 1 in 14 users admitted being tricked into following a link or opening an attachment they shouldn’t have.
The sad truth is that your employees are the weakest link in your cyber defenses. They are vulnerable to phishing scams and ransomware. They also make mistakes. Sometimes they don’t fully understand compliance requirements and sensitive data is mishandled.
A security awareness training program is vital and we’re going to lay out some of the steps required to launch one.
Assessing your needs and developing content
Evaluation is an essential first step in developing your wider security program and it applies to security awareness training too. Assess the major risks that you want to tackle. If you’re in a regulated industry, then you’ll want to include compliance requirements. Work out precisely what training is required to meet those requirements.
You may also want to consider phishing attacks, or perhaps low-tech tailgating where someone sneaks into an office behind an employee that just used their badge to gain entry. If you’ve had problems of that nature, then train staff to be aware and ask for credentials when they don’t recognize someone.
When you develop training content, make sure that you lay out some clear real-world examples. Show them exactly what an attack looks like and spell out precisely what they should do if they think they’ve fallen victim to one. It’s vital to define security incidents and lay out a reporting procedure. Communicate your key policies so staff know what’s acceptable on mobile devices, social media, and ethically. If in doubt, ask – is a good rule to drill into them.
Scheduling and delivering training
Most companies will start with an annual training program and training specifically for new hires is the minimum that should be done. Make sure you schedule monthly activities. Weekly may be too much, quarterly is not enough. You should mix the content up and make content relevant to seasonal threats where applicable. For example, e-cards can prove to be a tempting click to make right around Valentine’s Day, so make sure your staff know what suspicious signs to look for.
It’s a good idea to deliver your training via several different methods. Email lists are an easy way to send out content. You should have websites or intranets that staff can refer to when they need to, but it’s crucial that these resources are kept up to date. It’s also very important to have face-to-face meetings. Staff will often resist because they’re busy, but small group sessions are a great way to teach and offer an invaluable opportunity for employees to ask questions.
Testing the effectiveness of your training
When you put in place a new security system, you always want to test to make sure it’s working properly; you should think about security awareness training in the same way. You may want to include tests as part of your training content. Ending each section with a test to determine if your staff have garnered the key information can be very useful. It’s also a good idea to have the odd impromptu test. You might consider sending out a mock phishing email a few weeks after your training to see who falls victim to it, for example.
Tracking and acting accordingly
Testing the impact of your training is important, but you also want to track who completes the training you send out, how much time they spent on it, then measure the impact it has on actual security incidents. If people don’t complete training or fail tests, then they need to be sent for further training and repeated fails should trigger a face-to-face meeting.
If your program is truly effective, then you should see a drop in the number of security incidents. If there isn’t a correlation there, then you may need to rework your training materials and tweak your approach. When new threats emerge you must be ready to work them in and update your training accordingly on a continuous basis.
Train your staff properly and equip them with the knowledge they need, and you will see a significant improvement in your overall cybersecurity.