Is your Security Awareness Program falling flat? Here are three tips to help you perk it up.
Every organization’s security awareness training program should be at least somewhat unique in order to account for specific policies and elements of corporate culture—but flair doesn’t always lead to success. In fact, the most effective programs are those that get the basics right.
Regardless of the industry or market your organization serves, there are fundamental best practices you should consider when implementing cybersecurity education for employees. Following are three relatively simple concepts that are often overlooked by program administrators (to their detriment):
Tip #1: Communicate early and often
When it comes to security awareness and training programs, communications are not just for the C-Suite, board members, and managers. Naturally, these executive-level stakeholders should have a clear understanding of your program vision, how your program will help drive the success of the business, and the progress you’re making as time goes on. But end users also deserve to be counted among your program’s stakeholders.
Make sure that employees understand the value and purpose of cybersecurity education from the beginning, and that the message remains as positive as possible. (It’s a great idea to emphasize that these are portable skills that employees can also use at home—and share with friends and family.) Keep users in the loop as much as possible as the program continues, helping them to understand what is happening, why it’s happening, and how they will benefit.
Tip #2: Think beyond the phish (in more ways than one)
Phishing tests—often referred to as simulated phishing attacks—are an excellent way to gauge how susceptible employees are to a lure. But email-based social engineering is just one way for cybercriminals to enter your organization, and simulated attacks will only get you so far when it comes to changing end users’ behaviors.
Here’s a simple reality: Phishing tests tell you something about clickers. But they can’t tell you anything definitive about non-clickers, because there is no guarantee with these assessments that non-clickers actively made the right choice because they recognized the threat. Some did, certainly; but others could have been too busy to bother with the email, might have missed the message entirely, or could have ignored it simply because the content didn’t apply to them. If you are relying strictly on simulated attacks within your program, a word of warning: Today’s non-clicker could easily become tomorrow’s patient zero if the attacker makes even a small change to the lure, the pretext, or the delivery channel.
To get a better picture of end-user knowledge levels, consider adding question- and scenario-based assessments to your vulnerability evaluations. And to truly change hearts and minds, education—not just awareness activities—must be a part of your program. After all, knowing that a threat exists is not the same as knowing how to recognize and counter that threat when it presents itself.
In addition, as you measure the progress of your program, it’s important to recognize that click rates tell only part of the tale. Other metrics—such as malware infection rates, the quantity and quality of help desk calls, and end-user reporting of suspicious emails—also provide good insight into how cyber savvy your users are in day-to-day situations. Whenever possible, identify your baselines on these metrics before beginning a security awareness training program in earnest. After all, how can you know how far you’ve come if you don’t know where you started?
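A concrete way to put the two previous points into practice is to score a simulation by what each recipient actually did, rather than by click rate alone. The example below is an added illustration, not code from the original post or from Wombat; the campaign events, the roster, and the `(user, action)` record format are all constructed here as assumptions (real simulators export their own formats). It splits non-clickers into those who gave a positive signal (reported), those who opened the lure and walked away, and those who generated no event at all and about whom the test says nothing, and it compares a campaign against a baseline on both click rate and report rate:

```python
"""Score a simulated-phishing campaign from per-recipient events.

Added example, not part of the original post. Event records, the roster
and the baseline campaign are constructed for illustration; the field
names and action vocabulary are assumptions, not a vendor's export format.
"""
from dataclasses import dataclass

# Constructed events for one campaign: (user, action).
# "opened" assumes the simulator records a tracking-pixel load;
# "reported" assumes a report-phish button or a forward to the SOC mailbox.
EVENTS = [
    ("alice", "opened"), ("alice", "clicked"),
    ("bob", "opened"), ("bob", "reported"),
    ("carol", "opened"),
    ("dave", "reported"),                       # reported from preview, never "opened"
    ("erin", "opened"), ("erin", "clicked"), ("erin", "reported"),
    # frank and grace generated no events at all
]
ROSTER = ["alice", "bob", "carol", "dave", "erin", "frank", "grace"]

# Constructed earlier campaign used as the baseline Tip #2 asks you to record.
BASELINE_EVENTS = [
    ("alice", "opened"), ("alice", "clicked"),
    ("bob", "opened"), ("bob", "clicked"),
    ("carol", "opened"), ("carol", "clicked"),
    ("dave", "opened"),
    ("erin", "reported"),
]


@dataclass(frozen=True)
class CampaignMetrics:
    total: int
    clicked: int
    reported: int
    clicked_then_reported: int   # clicked, then reported anyway: a teachable moment
    opened_resisted: int         # opened the lure, neither clicked nor reported
    no_signal: int               # no event at all: the test tells you nothing

    @property
    def click_rate(self) -> float:
        return self.clicked / self.total

    @property
    def report_rate(self) -> float:
        return self.reported / self.total


def actions_by_user(events, roster):
    """Group actions per recipient, keeping silent recipients with an empty set."""
    per_user = {user: set() for user in roster}
    for user, action in events:
        if user not in per_user:
            raise ValueError(f"event for recipient not in campaign roster: {user!r}")
        per_user[user].add(action)
    return per_user


def score_campaign(events, roster) -> CampaignMetrics:
    per_user = actions_by_user(events, roster)
    clicked = {u for u, acts in per_user.items() if "clicked" in acts}
    reported = {u for u, acts in per_user.items() if "reported" in acts}
    opened = {u for u, acts in per_user.items() if "opened" in acts}
    # Non-clickers are not one group: split them by the signal they gave.
    opened_resisted = opened - clicked - reported
    no_signal = {u for u, acts in per_user.items() if not acts}
    return CampaignMetrics(
        total=len(roster),
        clicked=len(clicked),
        reported=len(reported),
        clicked_then_reported=len(clicked & reported),
        opened_resisted=len(opened_resisted),
        no_signal=len(no_signal),
    )


def compare_to_baseline(baseline: CampaignMetrics, current: CampaignMetrics) -> dict:
    """Rate deltas vs. the baseline: a falling click rate and a rising
    report rate are the improvements a program is after."""
    return {
        "click_rate_delta": current.click_rate - baseline.click_rate,
        "report_rate_delta": current.report_rate - baseline.report_rate,
        "no_signal_delta": current.no_signal - baseline.no_signal,
    }


if __name__ == "__main__":
    now = score_campaign(EVENTS, ROSTER)
    then = score_campaign(BASELINE_EVENTS, ROSTER)
    print(now)
    print(compare_to_baseline(then, now))
```

With the constructed data the current campaign has a click rate of 2/7 and a report rate of 3/7, but two of the five non-clickers fall into the no-signal bucket; tracking that bucket separately keeps a quiet campaign from being mistaken for a savvy workforce.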
Tip #3: Keep it going
If you want users to behave differently than they do today, chances are that your organization will need to behave differently than it does today in order to make that happen. For measurable, ongoing end-user risk reduction, cybersecurity education must become a regular pursuit rather than an annual event.
Occasional phishing tests, once- or twice-a-year training, and company newsletters with cybersecurity tidbits aren’t going to be enough to teach your users new skills. And if you are honest with yourself, you will recognize that this is what you’re after: you want your employees to learn to do things differently. For that to happen, they must be given regular cybersecurity education and the opportunity to practice and improve over time.
For access to additional security awareness best practices and advice, visit the Wombat Security blog.