How to Implement an Effective and Engaging Cybersecurity Training Program
By George Finney, Instructor of the ProThink Learning Course Cybersecurity Habits Every Employee Should Master
More likely than not, you’ve done time sitting through once-a-year mandatory training sessions designed to check a box in a compliance report. Unsurprisingly, this approach to promoting strong cybersecurity practices and learning does not effectively improve a company’s cybersecurity record. The training is boring. Employees tune out because the information isn’t personal to them. Employees don’t engage because it’s only once per year instead of ongoing.
Cybersecurity Wellness not Awareness
Don’t fall into the trap of forcing your employees to sit through dry, uninteresting cybersecurity training programs. Instead, implement a cybersecurity wellness program — a routine and personalized evaluation of employees’ cybersecurity knowledge and health. It’s a multiyear plan incorporating incremental steps toward better security.
Cybersecurity isn’t something you will improve by offering the same thirty-minute course year after year. Proficiency requires continual learning and development, not memorization of the same, impersonal information. So your cybersecurity program should progress every year to help build a community of employees who practice good security both at home and at work.
The Seven Steps to Wellness
While implementing a cybersecurity wellness program is more involved than distributing a standardized training program, it is far more effective at establishing strong cybersecurity practices in your company, which is increasingly important now that cybercrime is estimated to drain $1 trillion from the global economy. The seven steps below will help you adopt your own cybersecurity wellness program as simply and effectively as possible:
1. Develop Goals and Outcomes
It’s difficult to achieve results if you don’t even know what you’re working toward. Establish well-defined goals and outcomes for what you want your program and employees to achieve in the short-term, about a year, and the long-term. Make sure your objectives are reasonable, achievable, and reflect the needs of your company.
2. Perform Cybersecurity Wellness Assessments
To tailor a cybersecurity program for each employee, it’s important to gain a baseline understanding of each employee’s cybersecurity literacy. Most cybersecurity training programs fall short of achieving real change because they don’t start with an assessment to understand the unique conditions and needs of each person.
Assessments should include questions asking how people use specific technologies, how developed their technical abilities are, and whether they have access to sensitive company information. Since you can’t ask an unlimited number of questions, be careful to choose questions that are good indicators of potential problems. Select relevant questions that will have value year over year in demonstrating how your security has improved or declined.
Also, be aware that there is some danger that the person answering the questions may simply say what they think you want to hear, so how you present your questions is very important. Be objective and non-judgmental, and stay away from leading questions.
3. Provide Feedback
Give employees individual feedback based on the results of their assessment. Most wellness programs offer a customized score that helps users understand what they, individually, may need to work on. This feedback is critical in engaging your employees with the program as it makes the training personal to them, and they can identify areas in which to improve. Furthermore, department heads should receive aggregate scores for their areas so they can understand their employee risk profile and recognize patterns on a wider scale.
4. Begin the Training
Using the results and feedback from the assessment, education programs can be custom-tailored to meet each employee’s needs and prioritized according to each employee’s current level of training. Moreover, using company-wide trends, leaders can identify security areas where their employees are largely faltering and focus on developing those abilities in their trainings. For example, if only one-third of your company’s respondents said they backed up their personal computers, training sessions should focus on the importance of backing up data.
Based on what works best for your company culture, conduct your training sessions through the following mediums:
· Challenges: introduce hypothetical situations that employees must address by developing an action plan, either individually or in teams
· Webinars and brown bag sessions: short meetings for cybersecurity leaders to inform and coach your employees in cybersecurity best practices
· Simulated phishing exercises: create your own phishing messages and randomly send them out to employees, keeping track of who takes the bait and who reports it as an incident
· Social-engineering tests: utilize common social engineering tactics to call employees pretending to be a vendor, salesperson, or a member of the IT staff and attempt to gain from the employee as much information about the company or individual as you can
Your training programs should occur and progress throughout the year. Basic routines only become habits when the activities are performed regularly. You will quickly find that your employees won’t pick up the cybersecurity habits they learn unless they are asked to perform them more than a few times a year, so make your training sessions regular functions of company operations.
5. Evaluate Your Program
At the end of the year, examine how your wellness program has contributed to the goals you established in step one. Consider the following questions:
· Did the company experience any incidents?
· How did the program affect the handling or outcome of those incidents?
· Can you tie the program back to a reduction of insurance premiums or other savings to show a return on your investment?
Use the information you gained to revise your program for the next year. Knowing what elements worked and which didn’t, what areas your employees are still struggling with, and what new challenges your company faces will allow you to adapt your plan for optimal impact in the following year.
6. Recognize Employees
Employees who participate in the program should be recognized for their learning efforts. When people start to participate and engage in security, keep that participation going by showing appreciation for their efforts. Possible ways to give this recognition include:
· Thank-you notes or emails
· Shout-outs during meetings
· Including their names and stories in a newsletter
· Passing along praise to supervisors
· Annual award ceremonies
7. Repeat
The cybersecurity wellness program is an iterative process, so once you’ve reached the year’s end, start over again with step one. Establish new goals, reassess employees, provide them with new feedback and new trainings, reevaluate your program, and reward participants. Much like physical wellness, your cybersecurity status requires regular check-ups and continual work.
Cybersecurity Starts and Ends with Your Employees
If you asked a coach to name the strongest part of their team, what would they say? The ball? The field? The new cleats or sports drink? No, they would, hopefully, point to their players. Healthy cybersecurity works the same; managers need to realize that the security of their organization only goes as far as the employees can uphold it. So developing a truly effective training program for employees is of the utmost importance to maintain the security of your organization.