Film and television perpetuate the idea of one high-profile hacker getting through a company’s cybersecurity and stealing confidential data, but most data breaches aren’t that exciting: more often than not, the culprit is closer to home.
In the 2018 study by the Ponemon Institute, 61% of the respondents attributed the cause of a data breach to a negligent employee (an alarming 112.9% increase from 2017). A properly researched and well-executed security awareness training program can help lower the risk of data breaches caused by internal factors. Here are the best practices for implementing one.
Participation at every level
Security awareness should be incorporated into the culture of an organization and practiced by everyone from the top to the bottom of the hierarchy. Exempting no one, regardless of position or seniority, not only lends the weight of authority to the training but also boosts employee morale. It gives a clear message that cybersecurity is everyone’s responsibility. Moreover, with C-level executives on board with the goals and execution of the training, there should be few or no hindrances along the way.
A cybersecurity awareness training program should have clear bases, goals, and methods of execution — all of which must be communicated to the would-be participants. Before implementing the program, send an email or conduct a short meeting that explains why the training is necessary. During the training, continuously loop in participants on what’s happening by reviewing the goals of the training, updating them on their goal progress, and keeping them informed about what’s still to come.
It’s important to talk about the training, but it’s equally important to listen to the end users.
Drawing a baseline
To gauge how well you’re achieving your goals, you must have a clear idea of where you started. Baseline assessment scores are starting points that allow you to measure your progress as you roll out the training. What are your current metrics regarding phishing attacks? How often do you get malware infections? If your baseline is three compromised email clicks in a month, then having the statistics drop to 1-2 per month is a good indication that your training is working.
Having drawn a baseline, you can measure your progress in quantifiable ways. Analyze your cybersecurity data precisely and gain deeper insights into it by using intelligent tools that can, among other things, track the people or groups with the highest risk or greatest vulnerability and generate report cards of live trainings. With such tools, monitoring the success rate and modifying the training to address specific concerns should be more efficient and effective.
Regular reminders and assessments
The training shouldn’t be a once-a-year event, but an ongoing effort to prevent internal data breaches. It’s neither an easy nor a short-term project, but one that requires constant participant involvement. Try the following and see what works for your company:
- Emailing a weekly cybersecurity digest to end-users, complete with to-do lists, tips, and a relevant article
- Conducting live tests monthly (simulated phishing emails can be a very effective training tactic)
- Encouraging users to reflect on their actions for the month (especially after a live test) – what they’ve done correctly and what they’ve failed to do, and what they believe they should improve on
These regular nudges and tests remind employees to keep a vigilant eye since one slip on their part can expose the company to a data breach.
Keeping participants engaged
Weeks after the launch of your cybersecurity awareness campaign, the initial enthusiasm may eventually die down. Keep the participants engaged and always on their toes by gamifying your training: incentivize and reward people who display good cybersecurity behavior, send a company-wide email acknowledging them, or invite them to talk in your next meeting about cybersecurity risks.
If you need a hand in conducting your cybersecurity training, MXOtech is here to help. We are your reliable IT support and managed services provider in the Chicagoland area, offering complete and efficient cybersecurity solutions. We’ve partnered with some of the industry leaders in cybersecurity awareness training to ensure that your employees will not suffer data breaches due to human error. Contact us today to find out more.