Tips on running a successful security awareness program

Even the best laid plans for security awareness training can fall short when it comes to putting your program into action. User apathy, lack of partnership with department and line managers, completion tracking issues, poor training material quality and employees forgetting what they learned are all very real problems for administrators. Given the $9M average cost for breaches in the US, the stakes are too high not to succeed in your training approach, so here are some industry proven techniques to help you reach your goals.

Delivering security awareness (or any training) at scale in an organization is a near impossible task to take on, on a solo basis for a mid to large size business. Local liasons at the department and location level need to be there to move things along and report back on issues. These liasons can apply pressure when needed on training scofflaws up to the point of suspension of login privileges until compliance is attained.
They can also be useful as facilitators of in-person training when it’s economically not viable to travel to locations.  HR liasons can help identify people who might be on leave, soon to leave or working on a temporary basis and help you run report extracts of who the line managers are for each employee. HR can also help deal with an approach to senior management training who may fall out of the normal categories.

Much like a product focus group or software user acceptance testing, it’s a good idea to test out how a group of users respond to proposed training packages. This should be a cross section of employees from different areas of the company who agree to try out at least 3 training packages and provide feedback. Draw up a completion survey with question on usability, features, problems encountered etc and use this to drive your decision making process. User acceptance is probably the number one challenge for security program administrators, so getting it right will be a decisive factor.

An old maths teacher once imparted wisdom on our class many years ago when he said that the best way to remember stuff is to review what you’ve learned in the 1st day, then again a week later and once more a month after that and then you’ll know it. 
While that might not be in the realm of possibilitity for your organization, I would make a reasonable effort to remind trainees of the key points of the training via email and visible workplace posters within a month of taking the training, see example poster below. Many organizations forget that the real risk of not doing training is not regulatory sanction or failure to tick a box, it’s actually to prevent breaches and all the ramifications caused by human error.

Whether you agree with it or not, prizes do work for incentivizing employees to complete training, and in the scheme of things the price of a new phone of example is a lot cheaper than a breach. For cybersecurity awareness training days / sessions where employees actually attend, consider security giveaways for all attendees (not thumbdrives as I’ve seen before).  

Training can become quickly outdated as risks change and trainees can quickly get disaffected by stale, ‘same ole same’ content. Active research is required by training administrators on matching training content with current risks. Interactive and simulation training rate higher for engagement and retention metrics. For example, training that simulates a phishing email and directs users on how to respond.
Diversification in training is also extremely important, as I mentioned before, posters, email reminders, security awareness days, competitions, slide decks could and should be part of your toolkit as you seek to develop a robust training program.
Why not visit our Shop to find out more about our cybersecurity training products or reach out to us on our Contact page if you have questions.