How to Implement a Security Awareness Training Program
This is a comprehensive guide on how to build a successful Security Awareness Training Program for your company. If you are interested in learning how to get your employees engaged, what learning materials work best, and how to develop a positive security culture - then you're in the right place!
Let's get started!
It All Starts With Onboarding…
It’s crucial to instill the importance of security from the very beginning. New hires are often targeted by cyber criminals because they don’t know many co-workers and are more likely to follow direction from someone who pretends to be an executive.
What's in It for Me?
Cyber criminals are indiscriminate and often use the same methods to hack organizations and individuals. People are more accepting of learning when it’s personal. So make training personal and teach employees how to protect themselves at home. They will soon apply the same behavior at the workplace.
Stay Away From Just Ticking the Compliance Box
After all, we just want our employees to learn something and change their behavior, so take the time to explain why you are implementing the program. If they don't understand the importance of security, they won't take it seriously. And don’t make it a once-a-year thing; it should be a continuous effort all year long.
Get the Boss (Or Leadership) to Buy-In
Show how security training aligns with organizational goals and specific targets. Remind them that they have a huge target on their back because they have access to valuable and sensitive information. This is also where compliance can help.
Getting the Employee to Buy-In
Employees will probably complete training if they are forced to; however, it is much better to get their buy-in. Establish a supportive presence by creating a circle of influencers that will act as ambassadors of the training program.
Keep It Simple and Real
Don’t assume employees have a technical background. Use simple terms and real life examples they can relate to. And don’t make it childish; adults don’t appreciate content appearing like it was taken from a kids TV show like “Dora the Explorer”.
Make It Easy to Consume
Employees think like consumers. You don’t want them to disengage, so make training frictionless. For example, it should be accessible through their phones with a single click. Leverage existing channels such as Slack for notifications.
Start With Showing Them Personal Benefits
For example, teach them how to secure their social accounts, photos, bank, and how to ensure their kids stay safe online. Then show how the same principles are applied at work.
The key is to blend personal benefits with work related training. This can be done by splitting training into 3 categories:
- Protect Yourself
- Protect Your Devices
- Protect Your Data
When taking this approach, it will be easier to refresh content every year. Instead of replacing one phishing video with another, you can include new threats that involve phishing, such as COVID-19 related scams.
How to Protect Yourself?
- Social Media Safety
- Common Scams (Job Scam, Fake Check Scam, Shopping Scam, Covid-19...)
- Phishing, Smishing, Vishing
- Work Related Scams like HR Scam
- Work From Home
How to Protect Devices?
- Internet of Things Safety
How to Protect Your Data?
- Protecting Your Privacy
- Preventing Data Leaks
- Don't Forget About Your Dev Team
Now You Can Start Plugging in Training Videos Similar to This
Quit That Bullshit
Use conversational language to explain things and skip the technology jargon, instead use relatable terms. For example, most people have never experienced a "Data Breach" in their personal lives, but they probably know someone who was “scammed” or “hacked”. We created a quick dictionary to explain simple technology terms.
Do not baffle with bullshit or blind with science… This is NOT a slightly off-kilter tribute to W.C. Fields, but a reminder that, as an industry, we HAVE spent TOO many years trying to baffle people, outsmart them, or simply tell them they don’t understand.
Get to The Point Because Our Attention Span is Short!
Let’s face it, security awareness training isn’t everyone’s favorite video genre. Many feel they barely have time to do the work they’re paid for, let alone sit through the same 45-minute video from last year. So if you want people to remember anything, keep it short and to the point. Yeah, this can be done: all of Wizer’s videos are 1-minute long, and many are free.
Make It Relevant
Create Easy to Consume Content
Make It Personal
Help Make Money
Protect Brand Reputation
Speaking of Protection...
What is the Ambassador Program?
Employees will probably complete security awareness training if they are forced to; however, it is much better to get their buy-in by engaging them on an ongoing basis. A good way to do this is to establish a group of influencers that will act as ambassadors of the security team to help create a positive security culture.
What's Included in the Ambassador Program?
- How to Identify Your Brand & Choose Ambassadors
- Train, Set Expectations, & Create a Hub for Communication
- Give Them a Voice and Provide Feedback
- Make Everything Simple and Fun!
We should always be testing in order to validate that our initiatives are effective. Now let’s review some of the indicators that show us that the employees’ awareness is improving.