Often when customers approach us, their existing security awareness training is spread very thinly. It tries to cover everything, with assets and focus areas spanning every part of security and the organization. Organizations want to train for everything, and so they struggle to effectively train for anything. Here are our three best practices for turning this around and creating a security awareness program that yields results.
1. Focus on the Most Important Threats
To kick off an effective security awareness program, your organization first has to identify the highest-risk issues for your business, then focus on one essential need. Industry experts agree that the largest threat to today’s organizations is phishing, as nearly all cyber attacks start with phishing emails. Starting there is a good way to narrow down security awareness training and start strong.
2. Align Your Training by Employee Need
Training is often theoretical by design: it isn’t aligned with real-world risks or targeted at real-world employees. You need to factor your employees in when you set up an awareness program, considering their role in the company, their experience, culture, and geography, to name just a few examples.
3. Ensure Security Training is Continuous
If you can keep your security awareness training program running each and every month, across the whole organization, you will start to see results. One-off training or an annual session just won’t cut it. Once you see behavioral change across the organization, you know it’s time to start working on the next issue.
Now that you know the three best practices, to be focused, targeted, and continuous, how can you use them to make your awareness program successful? We believe it’s all about understanding the science behind how people learn: pattern matching and creating categories.
Moving from Theoretical Learning to Changing Employee Behavior
When your employees get a phishing email, it will be specific. It may appear to come from PayPal, or Netflix, or American Airlines, and you may or may not use that brand, but the email itself is specific. When employees have only learned from theoretical resources, it can be difficult for them to make the mental jump and recognize the email that has arrived in their inbox as the same problem they learned about in a generic, static lesson some time ago.
This is especially true for non-security professionals, and the same holds in any other profession: if it isn’t your territory, it isn’t simple. If you’re a mechanic, for example, you may easily understand that different cars need different types of maintenance or support, and be able to extrapolate from one to another without any additional learning. If you’re simply a car owner, you’ll need to be told for each make and model what is expected of you to keep it in top shape. This is because mechanics are trained to recognize patterns in their area of expertise: cars.
When training, we need to light up the part of the brain that is good at detecting patterns and adept at sorting people or items into the right groups. The first time you see a red banana or a purple carrot, you might be surprised, but by the shape, the context, and the other characteristics apart from color, you’ll be able to put it into the right category and name the product correctly.
Meaningful training can make this happen with phishing, so that a phishing email triggers the right classification in our brains whether we are at home, at work, on the move, or distracted, and even when the email has a surprising or random context.
At CybeReady, we’re experts in creating these training patterns. We follow our own three best practices and make sure that the training we build is focused on the most essential need, targeted to your own employee base, and more than a one-off or annual event.
1. We help each employee to create a classification process in their own minds for recognizing patterns in phishing scams, the largest threat to today’s organizational security landscape.
2. While traditional security awareness training is ‘one size fits all’, CybeReady offers targeted phishing simulations for specific employee groups, aligning training with employee needs.
3. 100% of employees get continuous training, 10-12 times per year, adapted to their location, role, risk group, and more.
Added bonus? When these employees get together to discuss security awareness, the organization as a whole may have seen 50 or more different simulations, triggering broad learning and a more positive security awareness culture overall.
Still struggling to effectively train your employees? Read the full video transcript here:
Fewer practices, more behavior change
Most of our customers approach us after they tried the wide-net approach, where they train employees twice, maybe three times a year, in a lot of subjects, but yield no results. What we do is focused on them. Fewer practices, more behavior change. Here are my three tips on how to kick off your security awareness program in a way that would definitely yield results. The first thing would be to focus only on one behavior, the one that is most critical for your security mitigation plan. Let’s say phishing.
Focus on your employees
Second, focus your training on your employees. That is, factor your employees in. Create content that is short, so you can consume it in less than 60 seconds. Also, make it actionable and relevant to your employees so they would want to engage with it.
It’s not a one-time effort
The third is to run this continuously. It’s not a one-time effort. You have to train your employees month after month, relentlessly. If you do this continuously, by the end of the year you’ll show results in your organization, and then it would be a good time to expand this approach to two or three more behaviors. By doing this, you’re able to reduce the risk, minimize your costs, and create engaging programs.
Want to talk more about making security awareness an organizational priority? Schedule a call with one of our expert security team members.