Security awareness training has always been a challenge, and this was exacerbated by the COVID-19 pandemic. Give that we now realized that the remote workforce is undoubtedly a permanent fixture in corporate America, it is time to rethink how you train your employees to ensure they maintain a strong level of cyber hygiene.
Here are some of the top things to consider:
Keep the training relevant
Security awareness training is not a one-size-fits-all proposition. Every company has unique requirements, as does every department. Therefore, keep the training relevant to the job titles of the employees. For example, your IT Security team will need to be trained in the most technical ways possible. However, your Accounting and Finance departments should learn more about Phishing emails, especially when it comes to Business Email Compromise (BEC), and other relevant forms of Social Engineering. Plus, they will need to get more training in data privacy laws, especially when it comes to controls. Whereas your HR department will need more specific training in how to properly vet your third-party suppliers, contractors, etc.
Keep the training concise
The average attention span for a human when they are learning or being taught something new is about 45 minutes at maximum. Therefore, you should not make it any longer than that. A good rule of thumb here is to keep the actual learning component to about 30 minutes and leave the last 15 minutes for any questions, or a short practice session that is fun in some way.
Inject humor or playfulness
The last thing your employees will want to attend is yet another boring lecture. After all, since most of them are probably remote, they will have been in meetings all day long. Even though cybersecurity is a serious issue, surprising employees with a laugh is a great way to maintain attention. For example, you can try to come up with funny punch lines that relate to phishing, or the hundreds of other technojargons that exist. You could also do some role-playing exercises with the attendees of the training in order to lighten the gravity of the topic.
Keep changing styles
To make the training effective, you need to keep changing how you deliver your message. Again, no employee wants to sit through a boring lecture. Plus, not everyone learns effectively through the lecture format. For instance, you could start with a video introduction of what you are going to discuss, followed by the actual lecture component. From there, you could break the class into groups and have the employees discuss different risk scenarios and possible solutions. This is known as a "Tabletop” exercise and has proven to be useful in training your employees.
Introduce competition
Most employees like a spirit of adventure and competitiveness, so why not include that as well? This is where the use of gamification comes into play. You could create a contest and award the winning group with some sort of prize to keep everyone engaged.
Introduce the real world
In this kind of training, you need to bring in somebody who has been impacted by a real-world cyberattack. Although this will bring a more serious note to the training, your employees also need to understand the real-world implications if they were to become a victim. For example, you can have an individual who was a victim of an identity theft attack and have them discuss the amount of work and time it took to resolve. When possible, let employees ask their own questions so they see the ramifications first-hand. By instilling this kind of fear in the training, there is a higher probability that your employees will strive to maintain a higher level of cyber hygiene.
In order to keep your security awareness training up to par, there are a few other things to consider as well:
Security training is not a one-time deal. It's something that must be delivered on a continuous cycle, at least once a quarter, if not more.
Always measure the effectiveness of your training programs. For example, if you give a session on how to avoid phishing attacks, then you (or somebody from the IT Security team) should conduct a phishing attack simulation to see how many employees still fall prey. But when you speak with the employees, don’t put them down or call them out in front of the group. Instead, work with them further to help them improve their cyber hygiene.
Keep incentivizing your employees. For example, create goals and metrics, and for those individuals that surpass them, offer a gift card or some other type of award.
