Your comments were a treasure trove!!! I summarized them and created this crowdsourced quick guide on “How to Successfully Implement a Security Awareness Program”.
I really liked how this turned out and I am planning to share it with all get-wizer.com customers. I believe that a true solution cannot be based only on technology...
Here’s the link to the original post
So, let's get started...
It All Starts With Onboarding…
It’s crucial to instill the importance of security from the very beginning. New hires are a favorite target for cyber criminals because they don’t yet know many co-workers and are more likely to follow instructions from someone impersonating an executive. Onboarding is the right time to teach the basic check: an unusual request that arrives by email or chat gets verified through a known channel, such as calling the person back on a number from the directory, before anyone acts on it.
What's in It for Me
Cyber criminals do not discriminate and often use the same methods to attack organizations and individuals. People are more receptive to learning when it’s personal. So, make training personal and teach employees how to protect themselves at home; the same habits carry over to the workplace.
Stay Away From Just Ticking the Compliance Box
After all, we just want employees to learn something and change their behavior, so take the time to explain why you are implementing the program. If they don't understand the importance of security, they won't take it seriously. And don’t make it a once-a-year event; it should be a continuous effort all year long.
Get the Boss to Buy-in
Show executives how security training aligns with organizational goals and specific business objectives. Remind them that they have a huge target on their backs because they have access to valuable and sensitive information. Compliance requirements can also help make the case for the program and its budget.
Getting the Employee to Buy-in
Employees will probably complete training if they are forced to, but it is much better to get their buy-in. Establish a supportive presence by creating a circle of influencers who will act as ambassadors for the training program.
Don’t Judge People When They Make Mistakes
Create an open culture where everyone can ask questions without fear. Whenever mistakes happen, use them as teachable moments and not to cast judgement.
Engage and Follow Up
Training is not “set and forget”. Ask employees for feedback and be open to constructive criticism. Look for solutions and always follow up. For example, training may need to be tailored per department, adjusted to the current knowledge level, or made shorter and more to the point.
Keep It Simple and Real
Don’t assume employees have a technical background: use simple terms and real-life examples they can relate to. And don’t make it childish; adults don’t appreciate content that looks like it was taken from a kids’ TV show like “Dora the Explorer”.
Face-To-Face Is Still a Thing…
Yes, training people in a classroom is still a thing, and it is very effective. It is usually more expensive, but if you have the budget, don’t rely only on automation: run in-person training at least once a year in addition to your online training.
Make It Easy to Consume
Employees think like consumers, and you don’t want them to disengage, so make training frictionless. For example, it should be accessible from their phones with a single click, ideally behind your normal single sign-on, so that the training link itself doesn’t teach people to click unexpected links. Leverage existing channels such as Slack for notifications.
Tap Into Existing Resources
Collaborate with the communications or marketing team to create unique content and embed it into existing communication channels. For example, create posters and hang them in the coffee area, write a blog post, or publish a newsletter. If possible, record an intro video featuring people from within the organization.
Don’t Surprise People
Many people don’t like being surprised at work. So, if you are planning to run a phishing simulation, for example, let them know in advance and explain the goal.
Get Your Message Across Fast
People are busy, so be short and to the point. Find a balance: keep awareness training continuous without overwhelming or boring your team.