The Components of an Effective Security Program

Our last article reviewed what makes up good Cyber Hygiene. One of these factors is to have a good Security Awareness training program for employees and even the C-Suite/Board of Directors. In this article, we review some of the critical factors that go into making both training memorable and effective.

What Is Needed

• Keep the training department-specific
  There is often this view that security training is a one size fits all kind of thing. But in reality, it is quite different. If your company is large enough, each department will have its specific needs, and you will have to address them. For example, the finance team is going to be dealing with a lot of numbers, as well as accounting. They should have a firm understanding surrounding the compliance laws in this regard. But they also need to understand the importance of keeping the controls that safeguard the datasets updated and current with the latest patches and upgrades. The marketing department will need to understand the sheer importance of not revealing too many details on social media platforms, especially regarding customers and employees. The administrative staff will need to understand what Social Engineering is all about and how not to fall prey to a Business Email Compromise (BEC) attack. A BEC attack is when somebody gets tricked into wiring large sums of money to a phony bank account. Your IT Security staff will need to be trained in the latest variants and how they can mitigate them. So, as you can see, simply talking about phishing attacks is not just the only thing; the training has to be specific to what the employees do in their particular department.

• Keep it interesting and stimulating:
  Nothing is worse than making a Security Awareness training program into a college lecture. You need to get your employees involved, but to get the maximum results from it, you also need to keep them engaged so that they will retain what they have learned. In this regard, getting a person who has been an actual victim of a Cyberattack and its impact on their life could get some natural stimulation and discussion going (this is often referred to technically as a "Tabletop Exercise"). Get your employees into other discussions as well and steer the conversation as to what they can do if they have indeed been hit and what they would do to help mitigate it. Remember, while it is vital to have a PowerPoint presentation of bullet points you want to go over, having an open dialogue like this will drive home the importance of Cyber Hygiene even more.

• Keep it short
  You must keep your training programs short. A human's attention span is usually about 45 minutes, and you should plan accordingly. For example, you can have a high-level "lecture" for about 15-20 minutes but then spend the rest of the time keeping your employees engaged with activities, as described. It always does not have to be an open discussion format all of the time; instead, you can also use the concepts of Gamification. So after the brief "lecture", you could create some Cyber games and break the attendees into teams to develop a spirit of competition. You could also give the winners a prize, like a gift card, at the end of the training session.

• Always give your employees something
  You should always create a nice binder to go with the PowerPoint presentation with notes. Also, insert extra pieces of paper for your employees to take notes on, and always put in the relevant contact information of the Incident Response Team. This way, the employee will know who to reach out to in case they think that a security breach is happening. Whenever an employee is given something, they can take back with them, the chances are greater that they will review the stuff in it whenever they get some free time or even have a question. Plus, they will also feel valued that the upper management has given them something important.

• Test what has been learned
  A few days after the Security Awareness training, practicing what you have preached is always a clever idea. For example, if some of the training involved what a Phishing attack is all about, then launch a mock Phishing attack to see who has fallen prey to it. For those who did, have a private conversation with them, and offer other ways to avoid this from happening again. It is essential to take a friendly approach to this. Never punish an employee in front of others! That will only create more resentment and diminish your credibility in just a matter of a few seconds.

These are just a few pointers to keep in mind if you want your employees to learn and maintain an optimal level of Cyber Hygiene. Delivering these Security Awareness programs with complete buy-in, especially from the C-Suite and the Board of Directors, is essential. You should also make it a point for them to attend these training sessions, as Cybersecurity impacts everybody in a company, not just a select few.

Finally, Security Awareness training programs are not just a one-time deal. They need to be given regularly, preferably at least once a quarter. If you are less than 100% confident in your cybersecurity program, I would love to have a conversation with you. Please contact us at sales@sprucetech.com to learn more.