Under Attack? Contact Us

October 7, 2022

How To Implement a Successful Cybersecurity Awareness Program

Cybersecurity Awareness Is Not Just for October

October is Cybersecurity Awareness Month, but your company should be thinking about security awareness year-round.

According to a study at Stanford University, human error accounts for 88% of data breaches.

Having well-informed and well-trained employees is the most important thing you can do to secure your organization. 

Creating an engaging and viable security awareness program that sticks with your employees can be difficult, so here are the main things to consider.

Types of Training

General Security Training:

This should be done by all companies at least once a year and for all new hires within a month of their start date. 

I recommend shorter, more frequent training so that employees can retain the information and are less likely to get distracted. The different formats of these types of training (videos, tutorials, infographics) all have their own merits and should be decided through employee feedback and your own knowledge of your business.

Phishing Campaigns:

These are ideally done at least quarterly. 

The goal is to send out a fake phishing email to employees. If someone clicks on the “malicious” link, it takes them to a page explaining how to spot suspicious emails. If the employee reports the phish, they are told it was a phishing simulation and get a thank you for being alert. It is very important to track the results of these campaigns to see progress over time for individuals and the company as a whole. 

Regulations/Role-Specific Training:

These will be specific to each individual company but the following are examples: 

    • Employees who deal with regulated data should be trained specifically on those regulations.
    • High-risk employees should receive extra training on phishing and social engineering. Example of high-risk employees include those who speak to a lot of people outside the organization, such as human resources (HR) and sales, and those who may be well-known “large targets” (C-suite)
    • Developers should be trained in secure coding.

How To Create an Engaging and Motivating Cybersecurity Culture

  • Get People Involved ― Make Cybersecurity Fun and Interactive

    • Ask for input from your employees on how they learn best, the security issues they are most confused about, or their favorite type of lesson.
    • Include InfoSec on town halls so that people can put faces to names. Host an InfoSec lunch-and-learn or happy hour.
    • Make a competition based on something relevant in the news or a recent training session. For example, ask people to submit a sample phishing email and the best ones will be used in the next phishing campaign.
    • Use games and giveaways. Research has shown that giving away merch and creating fun, interactive games cements cybersecurity into the everyday methods of employees.
  • Positive Reinforcement, Not Negative

    • Too many employees think the security team is working against them, not with them. “Walls of shame” or public discussion of employees who fall victim to phishing will only result in employees being more afraid to come to you with questions or concerns. If your team decides that there will be any negative repercussions for failing training, it should be a private discussion with HR.
    • Try to offer incentives for repeated security wins, such as entering everyone who correctly identifies and reports the phishing simulation into a raffle.
  • Keep Things Relatable and Topical

    • One way to make training lessons stick is to show a real-world example. These examples hit home even more when they are within your specific industry.
    • Talk to employees about what they can do to keep their personal data secure. If they get into good cybersecurity habits at home, it will be easier to keep up those habits in the office.

The Key To Security Awareness Is Consistency

Discussing best practices once a year just doesn’t cut it. The most secure organizations that I’ve seen are the ones whose security is discussed as an integral part of the business, not as a roadblock. 

Your employees ― and your organization as a whole ― will be more secure if they:

  • Are reminded of cybersecurity best practices
  • Learn about topical applications of those best practices
  • Feel comfortable reaching out to InfoSec

With practice and consistency, cybersecurity can become a year-round, daily habit.

 

Stay updated on the latest cybersecurity content and relevant news.

Copyright © 2022 Cyber Defense Group. All Rights Reserved