Security awareness training is one of the most straightforward ways to improve a business’ overall resilience against cyberattacks. That is, when you get it just right.
Thanks to the disruptions to “normal” work routines that COVID-19 has brought, launching a company-wide training program to teach end users how to avoid phishing scams and online risks is a big challenge. Unfortunately, COVID-19 has also brought a major acceleration in phishing activity. With so many office employees working outside the safety of corporate network protections, you can see why the need for training has never been more critical.
But there’s another issue: training is outside the skillset for most IT admins, and the level of effort to set up and run a program of training courses, compliance accreditations and phishing simulations can be daunting.
To help you get started, here are our top 5 recommendations for starting your security awareness program so you can maximize the impact of your efforts.
- Get buy-in from stakeholders.
While you probably already have some combination of security tools in place, such as endpoint protection, DNS or web filtering, etc., the 2020 Verizon Data Breach Investigations Report states that phishing and social engineering are still the primary tactics used in successful cybersecurity breaches.
Make sure your stakeholders understand these threats. Send an email introducing the program to management and clearly explain the importance of educating users and measuring and mitigating your risk of exposure to phishing and other social engineering attacks.
- Start with a baseline phishing campaign.
When you run your first phishing campaign, you establish your starting point for measuring and demonstrating improvement over time. (You can also use this real-world data to accurately show the need for improvement to any still-skeptical stakeholders.) Ideally this initial campaign should be sent to all users without any type of forewarning or formal announcement, including members of leadership teams. Make sure to use an option that simply shows a broken link to users who click through, instead of alerting them to the campaign, so you can prevent word-of-mouth between employees from skewing the results.
- Set up essential security and compliance training.
Create training campaigns to cover essential cybersecurity topics including phishing, social engineering, passwords and more. Establish which compliance courses are appropriate (or required) for your organization and which employees need to complete them.
- Establish a monthly phishing simulation and training cadence.
Repetition and relevance are key for a successful security awareness training program. By setting up a regular simulation and training schedule, you can more easily measure progress and keep an eye on any high-risk users who might need extra attention. Using our shorter 4-5-minute modules in between more substantial training is an effective tactic to keep security top of mind while avoiding user fatigue. And if you can’t run phishing simulations monthly, strive for a quarterly cadence. If you get pushback on sending emails to everyone, then we recommend you prioritize testing users who failed the previous round.
- Communicate results
A great way to raise awareness and increase the impact of your phishing campaigns is to share the results across the organization. Keep in mind, the goal is to capitalize on collective engagement and share aggregate results, not to call out individuals. (Your “offenders” will recognize themselves anyway.)
The critical piece is seeing the statistics on where the organization stands as a whole. After the baseline phishing simulation, send out an email to all employees with the results and the reasoning for the campaign. Communicating these numbers will not only help show improvement over time, it’ll also demonstrate the value of the program overall and reinforce to employees that cyber resilience isn’t just IT’s job – it’s a responsibility we all share.
Although there are numerous other tips and tricks that can help ensure the success of your security awareness training program, these are our top five basic pieces of advice to get you on your way. When you follow these steps, it won’t take long to see the very real returns on your training investment.
For more detailed tips on how you can put Webroot® Security Awareness Training to work to improve your business’ cyber resilience posture, view our white paper.