7 Tips for Launching a Security Awareness Training Program

Security awareness and protecting company systems and data from threat actors are top-of-mind considerations for C-suite executives and their IT advisors. These issues may not be as top-of-mind, though, for other employees—even for some managers and supervisors.

That’s why security awareness training is so important. But not all security awareness training programs achieve desired results. Here are items to consider when setting up your security awareness training program.

1) Security awareness training is an ongoing effort

Many companies provide security awareness training during employee onboarding and, perhaps, once a year after that. That’s not enough. It takes an ongoing series of events, activities, and communication outreach to instill a sense of accountability among employees to the organization’s security culture. That outreach should not be one-way communication either; it should create opportunities for conversations that can help make a positive difference in employee behaviors.

2) Positively impacting behaviors

It’s not enough for employees to simply be aware of the safety and security risks they may encounter. Their behaviors also need to change to help protect systems and data. Information will be a part of any security awareness training initiative, but information alone is not enough. The most effective security awareness training programs will focus on changing employee behaviors.

This can be done by placing employees in situations where they will actually be exposed to some kind of security breach where they must make a decision, or take an action, to minimize or eliminate the risk.

Phishing simulations are a good example of how companies can randomly present employees with challenges that expose them to potential risk and test their responses. Over time, these tests will help keep security top of mind while improving employees’ abilities to detect sophisticated phishing attempts.

3) Make communications engaging

We’re all familiar with the typical bland and boring IT policies and guidelines presented in dense paragraphs with small fonts and no attention paid to visually interesting graphics.

Here’s where a coordinated collaboration with marketing and communications can pay big dividends. Your security awareness communication materials, after all, are marketing materials—materials designed to change employees’ thoughts, awareness, and actions related to cybersecurity.

Taking the time and effort to produce quality communication materials can improve engagement and retention.

4) Avoid a one-size-fits-all approach

Your IT staff members don’t need the same kind of information and communication materials as front-line retail staffers. New employees have different communication needs around security than those who have been with the organization for years. Disengaged employees will require a different approach than engaged employees for communications to resonate fully.

In short, to be effective, your security awareness communication efforts will need to be varied to meet the varied needs of different employee segments.

In addition to any traditional communication materials you may create (e.g., policy documents, posters, etc.), one way to help achieve a more varied approach to address individual employee needs is through on-demand information and training that employees can access when, where, and how they prefer. This could include anything from infographics, to FAQs, to podcasts, webinars—even TikTok-style videos.

The tone of these materials may vary as well. For instance, programmers or coders may prefer a more technical and straightforward approach, while customer service or sales reps might appreciate something lighter and more entertaining.

5) Catch them in the moment

The best place and time for learning to occur is at the moment employees need the information. When information is delivered as close as possible to the time of need, it will have more impact. These moments of need will vary based on employee role and function, but might include things like setting up new passwords, learning new system requirements, compliance mandates, etc.

6) Leverage multi-channel marketing techniques

Just as your marketing colleagues will use multi-channel marketing campaigns (that communicate via text, email, web, mobile, social media, print, etc.), so should you plan to deliver your security awareness communications through a wide range of channels.

Changing attitudes and behaviors takes time and repetition. Marketers have long achieved this same goal by repeating their messaging again and again using different channels, both traditional and digital.

7) Measure to make it matter

“What gets measured gets managed” is an axiom attributed to management guru Peter Drucker. It’s an important point. If you’re not measuring the effectiveness of your security awareness communication activities, you’ll never know if you’re making a difference or wasting effort by pursuing ineffective tactics.

Establish a baseline, identify ways to monitor progress, check performance regularly, and work diligently to close any identified gaps.

Not all security awareness training programs are created equal. Make sure yours gets the results you’re looking for by incorporating these seven proven best practices.