By Michelle Drolet
Founder & CEO
Ms. Drolet is responsible for all aspects of business for Towerwall. She has more than 24 years of,
January 10, 2018
Evaluation is an essential first step in developing your wider security program and it applies to security awareness training too. Assess the major risks that you want to tackle. If you’re in a regulated industry, then you’ll want to include compliance requirements. Work out precisely what training is required to meet those requirements.
You may also want to consider phishing attacks, or perhaps low-tech tailgating where someone sneaks into an office behind an employee that just used their badge to gain entry. If you’ve had problems of that nature, then train staff to be aware and ask for credentials when they don’t recognize someone.
When you develop training content, make sure that you lay out some clear real-world examples. Show them exactly what an attack looks like and spell out precisely what they should do if they think they’ve fallen victim to one. It’s vital to define security incidents and lay out a reporting procedure. Communicate your key policies so staff know what’s acceptable on mobile devices, on social media, and ethically. “If in doubt, ask” is a good rule to drill into them.
Most companies will start with an annual training program; that, plus training specifically for new hires, is the minimum that should be done. Make sure you schedule monthly activities. Weekly may be too much, quarterly is not enough. You should mix the content up and make content relevant to seasonal threats where applicable. For example, e-cards can prove to be a tempting click right around Valentine’s Day, so make sure your staff know what suspicious signs to look for.
It’s a good idea to deliver your training via several different methods. Email lists are an easy way to send out content. You should have websites or intranets that staff can refer to when they need to, but it’s crucial that these resources are kept up to date. It’s also very important to have face-to-face meetings. Staff will often resist because they’re busy, but small group sessions are a great way to teach and offer an invaluable opportunity for employees to ask questions.
When you put in place a new security system, you always want to test to make sure it’s working properly; you should think about security awareness training in the same way. You may want to include tests as part of your training content. Ending each section with a test to determine if your staff have garnered the key information can be very useful. It’s also a good idea to have the odd impromptu test. You might consider sending out a mock phishing email a few weeks after your training to see who falls victim to it, for example.
Testing the impact of your training is important, but you also want to track who completes the training you send out and how much time they spent on it, and then measure the impact it has on actual security incidents. If people don’t complete training or fail tests, then they need to be sent for further training, and repeated fails should trigger a face-to-face meeting.
If your program is truly effective, then you should see a drop in the number of security incidents. If there isn’t a correlation there, then you may need to rework your training materials and tweak your approach. When new threats emerge, you must be ready to work them in and update your training accordingly on a continuous basis.
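The tracking and escalation rules from the two paragraphs above (completion, time spent, quiz fails, repeated fails leading to a face-to-face meeting, and the before/after incident comparison) can be turned into a small reporting script. The example below is added here and is not code from the original article or from Towerwall; the training records, incident counts, the five-minute "rushed" cut-off and the two-fail threshold are all constructed or assumed values, not figures from the page.

```python
"""Track awareness-training completion and quiz outcomes, apply the
escalation rules (incomplete, rushed or failed -> further training;
repeated fails -> face-to-face meeting), and compare incident counts
before and after the programme. All data below is constructed sample input."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TrainingRecord:
    employee: str
    module: str                  # e.g. "phishing-q1" (constructed module names)
    completed: bool
    minutes_spent: int
    quiz_passed: Optional[bool]  # None when the quiz was never attempted


# Constructed sample records for a small team (not real data).
RECORDS = [
    TrainingRecord("alice", "phishing-q1", True, 18, True),
    TrainingRecord("alice", "tailgating-q2", True, 12, True),
    TrainingRecord("bob", "phishing-q1", True, 3, False),
    TrainingRecord("bob", "tailgating-q2", True, 4, False),
    TrainingRecord("bob", "phishing-q1-retake", True, 9, False),
    TrainingRecord("carol", "phishing-q1", False, 0, None),
    TrainingRecord("carol", "tailgating-q2", True, 15, True),
    TrainingRecord("dave", "phishing-q1", True, 20, False),
    TrainingRecord("dave", "tailgating-q2", True, 14, True),
]

# Constructed monthly security-incident counts before and after the programme.
INCIDENTS_BEFORE = [7, 6, 8]
INCIDENTS_AFTER = [4, 3, 2]

MIN_MINUTES = 5              # assumed: a module finished faster than this was rushed
FACE_TO_FACE_AFTER_FAILS = 2  # assumed policy threshold for repeated fails


def completion_rate(records):
    """Fraction of assigned modules that were actually completed."""
    if not records:
        return 0.0
    return sum(1 for r in records if r.completed) / len(records)


def per_employee(records):
    """Aggregate incomplete, rushed and failed modules plus time spent per employee."""
    stats = defaultdict(lambda: {"incomplete": 0, "rushed": 0, "fails": 0, "minutes": 0})
    for r in records:
        s = stats[r.employee]
        s["minutes"] += r.minutes_spent
        if not r.completed:
            s["incomplete"] += 1
        elif r.minutes_spent < MIN_MINUTES:
            s["rushed"] += 1
        if r.quiz_passed is False:
            s["fails"] += 1
    return dict(stats)


def escalations(records, fail_threshold=FACE_TO_FACE_AFTER_FAILS):
    """Map each employee who needs follow-up to the action the policy prescribes."""
    actions = {}
    for name, s in per_employee(records).items():
        if s["fails"] >= fail_threshold:
            actions[name] = "face-to-face meeting"
        elif s["fails"] > 0 or s["incomplete"] > 0 or s["rushed"] > 0:
            actions[name] = "further training"
    return actions


def incident_reduction(before, after):
    """Fractional drop in mean monthly incidents; negative means incidents rose."""
    mean_before = sum(before) / len(before)
    mean_after = sum(after) / len(after)
    return (mean_before - mean_after) / mean_before if mean_before else 0.0


if __name__ == "__main__":
    print(f"completion rate: {completion_rate(RECORDS):.0%}")
    for name, action in sorted(escalations(RECORDS).items()):
        print(f"{name}: {action}")
    print(f"incident reduction: {incident_reduction(INCIDENTS_BEFORE, INCIDENTS_AFTER):.0%}")
```

Run against real data, the records would come from your learning-management system's export and the incident counts from your ticketing or SIEM, keyed to the same periods; if `incident_reduction` stays near zero or goes negative while completion looks healthy, that is the missing correlation the article says should send you back to rework the material.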
Train your staff properly and equip them with the knowledge they need, and you will see a significant improvement in your overall cybersecurity.