Security awareness training for employees has existed for about a decade now but has always had a weak spot. In this guide, we will explore how to do it the right way. We will cover what security awareness training for employees is and what it's not, how to ensure it's effective, how to measure it, and, most importantly, how to make it fun so employees won't fall asleep.
What is Security Awareness Training?
Cyber Security awareness is essentially a mindset. It's how you think and what you do. It's your attitude toward security, privacy, and threats at work and home. And it's a skill—something you can learn and improve on over time.
Cyber Security awareness is an ongoing process that starts with training employees about basic security principles and threats, then continues with practical security awareness education and exercises.
The goal of cyber security awareness for employees is to create an environment where people feel empowered to be active participants in their own security rather than helpless victims of cybercrime.
A well-planned security awareness program begins with a clear understanding of the threats, goals, objectives, audiences, and resources available. Organizational culture also plays a role in determining what is reasonable and realistic for your organization.
As the industry moves towards compliance, many organizations are looking to cyber security awareness training as a means to ensure their staff understand data protection well enough to comply with the relevant regulations.
How Effective is Security Awareness Training?
Cyber Security awareness training is incredibly effective! However, if you expect that no one will ever click on a phishing link as a result of training, it's sadly unrealistic. Cyber Security awareness training helps with resilience in responding to attacks.
There is a big difference between how you respond to an attack if only one person clicks on a phishing link versus 100 people. And it's not just about clicking - it's also about reporting. Your team can be your first line of defense, and a well-trained team will quickly report a potential threat. The sooner you detect a threat, the better you can handle it. After all, security is not just about technology - it's about people and processes.
Having said that, it is important to set clear-sighted expectations and goals, and continuously measure the program's effectiveness.
And last but not least, never forget that cyber security awareness is about people. It's essential to measure your team's engagement and overall satisfaction.
How Often Should You Do Security Awareness Training?
It honestly depends - there is no one-size-fits-all. The key is to do small training sessions with your team on a regular basis, such as quarterly or monthly. You want to conduct the training often, so it's fresh in employees' minds, but you don't want to overload them with too much information at once.
Annual: Cyber security awareness training should be done at least once per year, preferably within the first three months of the year. This is the best time for an organization-wide refresher and to master the basics.
Monthly: Once the basics are covered, share a monthly bite-size (1-minute) video of a “Hot Topic” that goes beyond the workplace - something that employees can take home and share with their families. It will keep them engaged throughout the year and help build a security culture.
Quarterly: Each quarter, put your team’s security awareness knowledge to the test through a game that lets your team work on their phish-spotting skills. Add in focused video training topics, such as smishing, working from home, or other specialized training. This is also a great time to run a phishing simulation to test how effective the training is.
How To Train Employees On Security Awareness & Not Have Them Fall Asleep
👉 You have between 5-10 seconds to grab their attention.
👉 They unlock their smartphones up to 10 times an hour.
👉 They get interrupted every 5 min.
That's us - the average person.
We need to take the above into consideration when we build our Cyber security awareness program or any learning program for that matter…
👉 Cut the BS and get to the point - Highly engaging, bite-size video content
👉 Tell stories - Storytelling is powerful! It captures our attention and makes us more open to learn
👉 Make it conversational - Don’t talk geek to them
👉 Make it personal - What’s in it for me? (personal development, secure my bank/Facebook account, keep my kids safe online, etc.)
👉 On-Demand - Let them control the pace
👉 Fits into their lifestyle - It’s time to let them use their smartphones
👉 Get them involved - Make it shareable so that they can help raise awareness among friends and family
Who Should Be Responsible For Security Awareness Training?
Traditionally, Cyber security awareness training for employees has been managed by the security team. However, it's best to also involve the HR and Marketing teams. After all, a big part of cyber security awareness training is about communication and engagement. These additional teams can help with events, internal newsletters, and much more.
Now, no one likes nudging others to complete training. And it shouldn’t be the responsibility of one person in the entire company to verify that everyone completed training. This is why it’s crucial to involve the department managers from the get-go. However, you need to give them the right tools to help you. With Wizer, you can automate weekly status reports on employees’ training progress that are sent to each department manager. These reports include who has and who hasn't completed training within their team. This reduces the load on the person running the cyber security awareness program and also gets the managers to take ownership of the program.
Lastly and most importantly, communicate that cyber security awareness is everyone's responsibility, not just the security team's.
In Wizer we implemented an automatic notification reminder. This is what it looks like. It automatically reminds those who haven't finished training to complete it.
What Are the Essential Cyber Security Awareness Training Topics?
Begin by covering all the basics:
1. Phishing, Spear Phishing and Social Engineering
Phishing isn't just email; it’s everywhere - text messages, ads, Google Maps, social media, gaming, the App Store, and even developer collaboration sites. Phishing is a core topic in any security awareness training. The best way to avoid phishing scams is to know what these frauds are, how they work, and how you can stop them. How sneaky are these phishing attacks? Check out this article that we recently posted about 5 phishing attacks that will freak you out.
2. Multi Factor Authentication
Everyone needs to know about multi-factor authentication (MFA) - MFA can literally save a company or an individual from bankruptcy. If you haven’t enabled MFA and your account gets hacked, then you can bet cybercriminals will enable it for you! This will prevent you from trying to reset your password to recover your account. And good luck trying to even find the support number for some of the major social media sites like Google and Facebook - just getting them to help you may take weeks.
3. Strong Passwords
Using strong passwords sounds like common sense; however, “ILOVEYOU” is still one of the most common passwords. One of the reasons is that many people prefer convenience over security. Showing people how to create strong passwords that are also easy to remember or manage is still a core security awareness topic in 2022.
4. Ransomware
Is there a solution for ransomware? Unfortunately, there is no silver bullet; however, you can significantly reduce the risk by teaching your team how to spot a potential ransomware attack. If you are hit by ransomware, it's equally important to be prepared and have a plan for what to do next.
5. Shadow IT
Shadow IT is a term that refers to the way employees use technology without approval from organizational management.
There are so many plug-ins, widgets, and other helper tools that “ethically” snoop on us. Take for example a grammar checker - in order to fix our grammar, it needs to know everything we type. Some of these tools behave like keyloggers that send everything we type to the cloud. Your team may be sending very sensitive data to a third party, which is not only a security risk but also a compliance risk.
6. Public Wifi
Public Wifi basically means sharing the same network with strangers, and it's easier for someone else to get hold of your personal information if they have access to the same network as you. This has been a popular topic for many years. These days, with so many people working from home, working at coffee shops, and traveling, it's even more relevant.
7. Wire Fraud
If you’re tricked into wiring money to a fraudulent bank account, the bank may not be there to help you. After all, it’s you who transferred the money, not the criminal. Wire Fraud is impacting everyone - not just big business. Each year, billions are lost to this type of fraud. Unfortunately, wire fraud comes in many different flavors so naturally it's a topic we cover extensively.
We just published a new post about what wire fraud is, including some real-life examples of wire fraud and how to avoid them. It's a great read!
8. Mobile Security
Do you trust the Apple App Store? Unfortunately, malicious apps are in the app store too. This Wizer story, based on a true story, shares how someone lost 5 bitcoins because of an app they downloaded to their phone.
We can't blindly trust the App Store. What you do before and after you download an app can be a life-saving habit.
Criminals are also sending scam text messages (aka smishing) because it's very effective. Here are five eye-opening spear phishing text scams that could fool anyone. These scams are sneaky - the criminals have clearly done their homework before spear phishing their victims.
9. Privacy and PII
This is such a HUGE and significant topic, especially as more and more of our lives are lived online. Many people say “I have nothing to hide.” If that was the complete truth, they wouldn't put on clothes! But they do because they have the right to privacy. And this right impacts both companies and employees. Here are examples of the topics we cover:
- How to protect your privacy online
- What is PII
- How to comply with the many privacy regulations such as HIPAA, GDPR, CCPA, POPIA, and many more.
Privacy is a topic that raises many questions. Here are several thought-provoking articles about privacy.
Can you get sued for using your own pictures?
Do you own your own body?
What are we agreeing to when we accept the terms and conditions?
What is China's "Youth Mode" version of TikTok?
Which social media apps share the most about us with others, and what can we do about it?
11. External Devices and Physical Security
What stops a criminal from working as a hotel housekeeper and using a USB device to install malware on your laptop? How many computers per day could they infect? Hacking isn’t just online, and it's not just about hotels. Cybercriminals can get into your business anytime - it’s as easy as following the cleaning crew in.
12. Role-Based Training for IT Administrators
Too often, people just accept the defaults and hit NEXT, NEXT, NEXT. Some of the worst hacks result from leaving default settings in place, such as a username and password of “Admin”. Why does this happen? Lack of awareness or miscommunication between the app owner, the IT admin, and the security team. Who is responsible for hardening the server or app? Cyber security should be everyone’s responsibility. That’s why we created the Security Cheatsheet for IT Admins When Installing New Software.
13. Social Media
Which Instagram account belongs to the real Vitalik (the inventor of Ethereum)? Probably none of them… yeah, they are all more than likely fakes. Some even have over half a million followers and are up to 3 years old! So why are criminals investing time in faking him? Simple - to scam people. Don’t let the number of followers and pictures fool you.
Top 6 Security Awareness Topics for 2022
1. Communication Security
Communication is a big part of our lives. Now that a huge chunk of the population works from home, common questions that arise are:
- How do we communicate safely?
- Which apps should we use?
- What's ok and not ok to share?
2. Deep Fake and AI
Phishing is moving to a whole new level. Criminals are now creating videos that look like you and phone calls that sound like you. So how do you know who you are talking to anymore? Watch how Deep Fake Kristi is randomly texting with the hope someone will respond.
AI is now remarkably good at writing from scratch. In fact, Bloomberg said 3 years ago that almost a third of their articles were written by artificial intelligence! I can’t imagine how many are written by AI today.
3. Securing Home Network
Our network has expanded beyond the office - and so have your employees. This is why it is critical for security culture to start at home. Our goal is to help your team understand the risks of working from home while also knowing how to secure their families.
4. Privacy
Over the years, privacy has been a hot topic. And in 2022, we’re only going to see it continue to grow. The amount of information that can be found on each and every one of us is staggering. Because of this, it is easier than ever for criminals to craft personalized phishing attacks.
5. Securing APIs
This one is for the developers. Their APIs are not secure…seriously. They can even get hacked by copy-pasting a command into a terminal. Ask any developer or admin if they have ever copied a command line or code snippet from the web. The answer would probably be YES. You would assume that what you copy is what you paste, right? Well, nope!
You think you are copying one thing, but it’s replaced with something else, like malicious code. All it takes is a single line of code injected into the code you copied to create a backdoor to your app.
We have a short demo that shows this hack live.
It's time to invest in additional education so that they know how to code securely from the get-go.
6. Supply Chain
If 2021 demonstrated anything, it’s that criminals attack our supply chain as a way to get to us. And it’s not just 3rd party contractors or vendors - they were also able to reach the developer teams.
How Can You Make Your Security Awareness More Interactive And Fun?
Employees will probably complete security awareness training if they are forced to; however, it is much better to get their buy-in by engaging them on an ongoing basis.
To do that, treat security as an essential life skill and make it personal. Include training videos and security awareness content that will teach them how to keep their kids and family safe online.
Also keep content fresh, relevant, short, and to the point - nobody wants to watch the same exact video over and over again.
Watch any of these videos for an example of how 1-minute security awareness videos should look.
1. Give Them a Voice
Engagement starts with giving people a voice. Set up a workspace where they can share their own views and converse. It can be over Slack, Teams, Sharepoint - whatever makes it easy for them. Encourage them to share security and privacy related news items they find online or experience. Once a month, create a company-wide newsletter with insights from the things they shared. Just don’t forget to give them credit! Also, allow them to rate the training in a survey.
Here is an example of how Wizer does this. This rating represents what EMPLOYEES think about the training. After they finish training, they are given the option to rate the training from 1 to 5. This gives the security manager insight into whether or not employees are happy with the training.
2. Use Gamification
Gamification isn't the same as playing games. Gamification is the use of game thinking and game mechanics in non-game contexts to create engagement, drive behavioral change, and encourage participation. Tasks that aren't inherently fun can be made more engaging and enjoyable by applying game thinking and mechanics, hence the term gamification.
You can give points, rewards, badges, or a certificate to employees who engage in positive behavior. For example, a "Phishing Spotter" badge for those who were the first to report a phishing email, or a Golden Certification for those who consumed optional content.
3. Make it Frictionless
Lastly, create content that is frictionless to consume! Follow patterns people use to consume content to increase engagement. Almost everyone today uses their mobile devices to watch videos, so go mobile. Make sure employees can do the same with your content.
How to Increase Security Awareness Engagement?
We often say “Think Before You Click” - great advice! However, people still click before they think. Why? It’s because it isn’t just about knowledge. We all learned about stop signs and when to hit the brakes, however there are still a ton of accidents out there.
We are emotional creatures - we feel before we think; we are curious, biased, and sometimes overly optimistic. That’s why routines and habits are so important. They act like guardrails.
An effective way to help your team develop these routines and habits is by establishing a group of influencers. They will act as ambassadors of the security team to help create a positive security culture. We have created a guide here.
Where Can I Get Free Security Awareness Training Content?
You can find a lot of free security awareness content on YouTube that you can embed in your security awareness training. Wizer went one step further to offer an amazing free security awareness community edition. This edition includes:
- Cyber Security awareness videos
- Learning management solution (LMS)
- User progress tracking
- Reminder notifications
- Certificates of completion
- And much more
How to Measure The Effectiveness of Your Cyber Security Awareness Program?
Your security awareness program should have a goal. If you don't know where it's going, how do you know when you've arrived?
A few things to consider:
1. How Many People Reported Phishing, Lost Devices, or Other Incidents?
When security awareness is going up, you'd expect to see an increase (at least initially) in the number of accurate reports coming into InfoSec.
2. Is There a Decrease in the Number of Clicks From Phishing Tests?
Phish testing puts the effectiveness of security awareness training to the test by reinforcing what has been presented. Results of the testing are evidence of effectiveness.
3. Is There a Decline in the Number of Confirmed Incidents?
When your cyber security awareness training is effective, you would expect to see an overall decline in the number of incidents year over year.
4. Is the Number of Policy Violations Going Down?
Adhering to security policies shows maturity in the security culture. It is usually the result of understanding why these controls are implemented and of having an open door to the security team. Instead of bypassing these controls, people feel comfortable reaching out to the security team.
5. Do Employees Ask Questions?
A great way to measure engagement is to track how often employees ask questions. This could be through a ticketing system, Google Forms, or in person.
6. Is the Security Team Involved in More Projects?
Measure how often people are asking the security team for help to ensure their projects are “secure by design.”
7. How Many Requests for New Technologies?
Prior to security awareness training, people may have used unauthorized apps to bypass security controls - commonly referred to as "Shadow IT." If people are now asking for permission to use new technologies, it is a sign they understand the risk and wish to mitigate it. This also shows healthy collaboration with the security team where people are not afraid to ask for assistance.
Are phishing simulations effective?
Phishing is still the number one way adversaries are getting into networks. Phishing simulations are part of a more extensive education effort. They are not 100% effective on their own. Tabletop discussions and exercises are a great way to create scenarios that involve everyone without shaming.
If you’re doing a phishing simulation campaign, make sure your employees have the tools and know what to do when they suspect a phishing email. Otherwise, you are setting them up for failure. Should they report it, and how? Should they call to verify requests that appear to come from their boss? Make sure they know what the process is.
Also, have clear goals. Phishing simulations help measure SOMETHING but maybe not the right thing. Some people are going to click no matter what. You cannot rule out car accidents totally even though everyone has been taught to drive. It is unrealistic to expect that 100% of your people will not click. Even if you get down to a 4% click rate, that may mean 40 people (out of 1000) clicking or 40 open doors for an attacker. That is a lot! The focus should be both click rate and resiliency.
Sometimes, numbers can be misleading. If the 4% that clicked include senior managers, people with access to sensitive information, or admin privileges, that may be worse than 10% who have limited access.
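The measurement section above lists click rate, report rate and incident counts, and the phishing-simulation passage warns that a 4% click rate made up of senior managers and admins can be worse than 10% from limited-access staff. The following is an added example, not code from the original post or from Wizer, showing how to score a simulation campaign so that both the raw click rate and a risk-weighted click rate, plus the report rate and time to first report (the resiliency side), are visible at once. The group names, group sizes, risk weights and campaign results are all constructed for illustration; a real program would take them from its simulation platform and identity directory.

```python
# Added example, not part of the original post: scoring a phishing simulation
# by click rate, report rate and a risk-weighted click rate, so that "4% of
# clicks are admins" is visibly worse than "10% of clicks are limited-access
# staff". Group sizes, risk weights and results below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SimResult:
    user: str
    group: str                      # "staff", "manager" or "admin" (constructed roles)
    clicked: bool                   # clicked the simulated lure
    reported: bool                  # reported it to the security team
    minutes_to_report: Optional[float] = None   # None when the user did not report


# Assumed risk weight per group: roughly what the account can reach if compromised.
RISK_WEIGHT: Dict[str, float] = {"staff": 1.0, "manager": 3.0, "admin": 10.0}


def click_rate(results: List[SimResult]) -> float:
    """Fraction of recipients who clicked (the usual headline number)."""
    return sum(r.clicked for r in results) / len(results) if results else 0.0


def report_rate(results: List[SimResult]) -> float:
    """Fraction of recipients who reported the lure, whether or not they clicked.
    This is the resiliency signal that should sit next to the click rate."""
    return sum(r.reported for r in results) / len(results) if results else 0.0


def risk_weighted_click_rate(results: List[SimResult], weights=RISK_WEIGHT) -> float:
    """Clicks weighted by group risk over the total possible weight, so a
    campaign where only admins click scores worse than its raw click rate."""
    total = sum(weights[r.group] for r in results)
    clicked = sum(weights[r.group] for r in results if r.clicked)
    return clicked / total if total else 0.0


def first_report_minutes(results: List[SimResult]) -> Optional[float]:
    """Minutes until the first report; the earlier it comes, the sooner a real
    campaign can be contained. None when nobody reported."""
    times = [r.minutes_to_report for r in results
             if r.reported and r.minutes_to_report is not None]
    return min(times) if times else None


def by_group(results: List[SimResult]) -> Dict[str, Dict[str, float]]:
    """Per-group click and report rates, so a risky group is not hidden by the average."""
    groups = defaultdict(list)
    for r in results:
        groups[r.group].append(r)
    return {g: {"n": len(rs), "click_rate": click_rate(rs), "report_rate": report_rate(rs)}
            for g, rs in sorted(groups.items())}


def make_campaign(size: Dict[str, int], clicks: Dict[str, int],
                  reports: Dict[str, int]) -> List[SimResult]:
    """Build constructed results: per group, the first `clicks` users clicked and
    the first `reports` users reported (at 5 minutes + index after delivery)."""
    out = []
    for group, n in size.items():
        for i in range(n):
            reported = i < reports.get(group, 0)
            out.append(SimResult(user=f"{group}-{i:03d}", group=group,
                                 clicked=i < clicks.get(group, 0),
                                 reported=reported,
                                 minutes_to_report=5.0 + i if reported else None))
    return out


SIZE = {"staff": 90, "manager": 6, "admin": 4}          # 100 recipients, constructed
# Campaign A: 4% click rate, but every click is an admin.
CAMPAIGN_A = make_campaign(SIZE, clicks={"admin": 4}, reports={"staff": 30})
# Campaign B: 10% click rate, all from limited-access staff, with more reporting.
CAMPAIGN_B = make_campaign(SIZE, clicks={"staff": 10}, reports={"staff": 50, "admin": 2})


if __name__ == "__main__":
    for name, c in (("A", CAMPAIGN_A), ("B", CAMPAIGN_B)):
        print(f"campaign {name}: click {click_rate(c):.0%}, report {report_rate(c):.0%}, "
              f"risk-weighted click {risk_weighted_click_rate(c):.1%}, "
              f"first report at {first_report_minutes(c)} min")
        for g, stats in by_group(c).items():
            print(f"  {g:8s} n={stats['n']:3d} click={stats['click_rate']:.0%} "
                  f"report={stats['report_rate']:.0%}")
```

Run as-is, campaign A reports a 4% click rate but a risk-weighted rate of about 27%, while campaign B reports 10% raw and under 7% risk-weighted, which is the inversion the passage describes. The weights are a policy decision for your organization; what matters is that the per-group table and the report rate are reviewed alongside the headline number.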
How Much Does a Cyber Security Awareness Training For Employees Cost?
The answer, of course, is that it depends. In most cases, the cost of a cyber security awareness training program is relatively small. For a security awareness solution, prices range from $20 per user per year down to several dollars, depending on the size of the company. You can find Wizer pricing here:
You will also need to take into account the security awareness program manager. Cyber security awareness training isn't a set-and-forget program - someone needs to engage with the team, follow up, monitor progress, and respond to feedback. That's a part-time job. However, it shouldn't take more than a few hours a month.
Lastly, you should calculate the time people take off from work to get trained. Using bite-size content is the most efficient method, because it requires less time for people to complete training and it can easily be spread throughout the year.