Phishing was responsible for the highest number of cyber compromises in 2021. As a result, more and more businesses are investing in security training and awareness initiatives.
New evidence proves that regular training exercises can positively influence security culture and enable employees to defend against ransomware-laced phishing attempts and related social engineering attacks.
Having said that, most (85%) employees are disengaged at work. That’s why it is imperative for organizations to design programs that encourage training participation. Below are nine recommendations that can help:
1) Turn Leaders into Advocates
Everyone expects to see leadership ‘walk the talk’ and care equally about keeping their organization secure. That’s why senior management should actively participate in security training to showcase their support for cybersecurity resilience. Nothing sells a security program better than seeing leadership teams actively invest in security awareness and live out security values.
2) Share Real-World Examples
Textbook training can be boring, but security doesn’t have to be. Humans, as a species, easily learn and apply values that are expressed in stories. That’s why it’s important that team members share their stories of successes and failures. Cite examples of past incidents: how early warning signs were missed, how the incidents were eventually identified and, in hindsight, what could’ve been done differently to prevent them. It’s always a good idea to show that as humans we are prone to biases and mistakes, and that even the best of us can be fooled by social engineering. Remind employees not to be embarrassed if they miss something and to always report anything suspicious.
3) Involve a Diverse Set of Team Members
Security is everyone’s business. Having a diverse set of trainers from different departments such as R&D, marketing, HR and sales has many benefits. It makes training more representative, since a trainer from another department can describe a relatable use case or provide context that a traditional security trainer may have overlooked. It’s also likely that members of your security team are not the most effective communicators. Involve speakers who can communicate with a diverse set of workers in a manner they understand.
4) Include a Variety of Content
Security programs should consist of a variety of content, including tabletop exercises, videos, quizzes, simulations, Q&As and short presentations. The idea is to break the monotony and encourage interaction and collaboration. For example, every training session should use quizzes. Online quiz platforms (such as Kahoot!) help trainers gamify quizzes.
5) Make Training Fun and Rewarding
Training doesn’t have to be dull and uninteresting. Emotion is key to engagement. In fact, humor is known to have a positive effect on training. Reward people for their participation and interaction. Offer prizes and freebies. Give out prizes for answering questions correctly, announce a raffle or a giveaway at the end so that people stick around for the full session.
6) Design for Both Remote and Local Teams
Most organizations today have a sizable remote workforce. Ensure remote workers have an opportunity to attend; in fact, remote workers may need more focused training. If feasible, have a dedicated team hosting the remote community, handling any audio-visual (AV) emergency and organizing quizzes, prizes and rewards.
7) Invite Key Vendors To Participate
Vendors will often agree to speak at or sponsor (door prizes, food, beverages, etc.) a training event. Vendor speakers usually have credible experience spanning a number of industries and often bring good content with them. The idea is not to make a sales pitch but to keep the content security-focused and vendor-agnostic.
8) Manage It Professionally
It’s always a good idea to plan for success. This means creating project timelines, designing communication plans and making sure everyone involved knows what their role is. If possible, get help from marketing or business teams that are experienced in running events. Record the event for those who are unable to attend. Ensure your event is right-sized — not too long, not too short; about sixty to ninety minutes is standard. Educate your audience beforehand on how phishing simulation exercises work, how they help the organization, and how often they can expect them.
9) Take Risks
The goal is to educate, entertain, and (most importantly) engage. You are investing in a long-term relationship with everyone in your organization. No training will run perfectly, and nobody will get it right the first time. That’s why trainers must experiment with different approaches, tools, exercises and content types to understand what works and what doesn’t.
Finally, never lose sight of key metrics. Metrics will help determine the success of a training program and justify its investment. Ensure you track behavioral changes over time (number of phishing incidents, activities being reported, ratings and surveys) and fine-tune your program where necessary. The end goal of security awareness training is not to check another compliance box off the list, but to strengthen the security culture and build a more cyber-resilient organization over time.
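The metrics paragraph above lists what to track but not how to turn simulation results into a trend. The script below is an added example, not code from the article or from any phishing-simulation vendor: it computes, per campaign, the click rate, the report rate and the median time-to-report, and then reports how each rate moved from the first campaign to the most recent. The campaign records are constructed sample data; the field names are assumptions, since real platforms export their own schemas.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SimResult:
    """One recipient's outcome in one phishing-simulation campaign (assumed schema)."""
    campaign: str                       # sortable label, e.g. "2021-Q3"
    user: str
    clicked: bool                       # followed the simulated phishing link
    reported: bool                      # reported the message to security
    minutes_to_report: Optional[float]  # None when the user did not report


# Constructed sample data: three campaigns, five recipients each.
# A user can both click and report; reporting after a click still counts.
SAMPLE: List[SimResult] = [
    SimResult("2021-Q3", "u1", True, False, None),
    SimResult("2021-Q3", "u2", True, False, None),
    SimResult("2021-Q3", "u3", True, False, None),
    SimResult("2021-Q3", "u4", False, True, 240.0),
    SimResult("2021-Q3", "u5", False, False, None),
    SimResult("2021-Q4", "u1", True, False, None),
    SimResult("2021-Q4", "u2", True, True, 90.0),
    SimResult("2021-Q4", "u3", False, False, None),
    SimResult("2021-Q4", "u4", False, False, None),
    SimResult("2021-Q4", "u5", False, True, 30.0),
    SimResult("2022-Q1", "u1", False, True, 15.0),
    SimResult("2022-Q1", "u2", True, False, None),
    SimResult("2022-Q1", "u3", False, True, 45.0),
    SimResult("2022-Q1", "u4", False, False, None),
    SimResult("2022-Q1", "u5", False, True, 20.0),
]


def campaign_metrics(results: List[SimResult]) -> Dict[str, Dict[str, Optional[float]]]:
    """Aggregate per-campaign behavioral metrics from individual recipient outcomes."""
    by_campaign: Dict[str, List[SimResult]] = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)

    metrics: Dict[str, Dict[str, Optional[float]]] = {}
    for name, rows in sorted(by_campaign.items()):
        recipients = len(rows)
        clicks = sum(1 for r in rows if r.clicked)
        reports = sum(1 for r in rows if r.reported)
        delays = [r.minutes_to_report for r in rows
                  if r.reported and r.minutes_to_report is not None]
        metrics[name] = {
            "recipients": recipients,
            "click_rate": round(clicks / recipients, 3),
            "report_rate": round(reports / recipients, 3),
            # Median rather than mean so one very late report does not hide improvement.
            "median_minutes_to_report": median(delays) if delays else None,
        }
    return metrics


def trend(metrics: Dict[str, Dict[str, Optional[float]]], key: str) -> float:
    """Change in a rate from the earliest to the latest campaign (labels sort chronologically)."""
    names = sorted(metrics)
    first, last = metrics[names[0]][key], metrics[names[-1]][key]
    return round(last - first, 3)


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE)
    for name, row in m.items():
        print(name, row)
    # A falling click rate and a rising report rate together indicate the behavioral
    # change the program is meant to produce; either one alone is not enough.
    print("click_rate trend:", trend(m, "click_rate"))
    print("report_rate trend:", trend(m, "report_rate"))
```

Tracking report rate alongside click rate matters: a campaign where nobody clicks but nobody reports either has taught recipients to ignore mail, not to escalate it, and the median time-to-report is what tells the SOC how long a real phish would sit unnoticed.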