How to build a successful cyber security awareness programme for your organisation

By Dan Thornton, director and founder, GoldPhish.

Cyber security training.

Cyber criminals are increasingly preferring to target employees as a way to gain access into company networks and systems, instead of struggling to overcome expensive complex technical security controls put in place to stop them in their tracks.

For this reason, every currently recognised industry or government cyber security standard or guideline recommends training end-users through some form of cyber security awareness programme.

Training your employees on how to follow basic security policy, identify suspicious e-mails and behaviour, and report any problems they encounter or suspect will significantly reduce an organisation's cyber risk, says Dan Thornton, director and founder, GoldPhish.

Dan Thornton, director and founder of GoldPhish.

Developing a strong cyber security culture in the workforce should be the end result for any successful awareness programme. This is much easier said than done for those given the unenviable task of trying to accomplish this result, so here we provide tips on how to build a successful cyber security awareness programme...

1. Use a mixed bag of training tools and content

Design a training programme that uses a combination of training techniques to keep employees engaged. Interactive e-learning modules, simulated phishing campaigns, awareness messaging campaigns, micro-modules and culture assessments are all ways to establish foundational security knowledge, but also reinforce that knowledge and keep your staff engaged. Avoid only focusing on a single form of training.

2. Continuous training works

To change mindsets and reduce the mistakes associated with end-user behaviours, security must become a regular pursuit. Once-a-year compliance training simply will not be enough to raise awareness and help your employees learn how to apply best practices. Use bite-size training to give your end-users the benefit of regularly revisiting key cyber security topics to encourage knowledge retention. Without reinforcement, learners are put in the position to regularly rebuild, rather than build on, a cyber security foundation.

3. Culture development through marketing

Work with your company's marketing or communication team here. Design security awareness messaging campaigns to keep the subject front-of-mind throughout the year... this is security marketing. Take exactly the same approach as the top consumer brands: just as their campaigns are designed to influence the consumer's decision-making process in the advertiser's favour, your awareness programme should be designed to get your users to make better security decisions.

4. Early communication and support

For any workplace culture to be successfully developed and maintained, it requires support and buy-in from the leadership team and key stakeholders. Communicate your programme plans, timelines and objectives early on with your executive team and those stakeholders who will be integral to its success, such as department managers and tech support. Don't neglect to keep your employees in the loop; they are ultimately one of the most important stakeholders in any awareness programme, and the better they understand the reasons for and benefits of the programme, the better they will support it.

5. Keep it personal

Cyber security awareness may not be the sexiest or most exciting of subjects, so the more your employees can relate to the training, the more engaged and responsive they will be. Emphasise that good security practices should also be shared at home to help keep their families and personal lives safe online. Good cyber hygiene at home will translate to good cyber hygiene in the workplace.

6. Use the carrot, not the stick

Gamifying your security awareness programmes is a great way to get all employees involved and engaged. Departments and individuals can be rewarded on scoring systems built into the training modules and assessments; incentivise behaviour such as high scoring on knowledge assessments, training completion times and rates, and phishing e-mail reporting. Make cyber security training fun and competitive and behaviours will change in the process. Avoid singling out and punishing employees who are regularly failing knowledge assessments or phishing tests; never assume that because you find the subject easy to understand and implement that all employees also will. If employees are consistently failing, then take the time to close the knowledge gaps.

7. Have a robust reporting process

Be prepared for success. As your employees become more educated, aware and confident in identifying potential cyber security threats, you will see a significant increase in the volume of reporting to the security team or IT department. This will be one of the strongest indicators that your awareness programme is succeeding in truly changing behaviour. However, nothing will stall this growth in security culture more than a reporting process that is poorly managed, or non-existent. Employees should be encouraged and thanked every time they report, and be made to feel they are truly contributing to the organisation's security. Be sure to include your incident reporting stats in your Awareness Programme Reports to show progress and return on investment, and be sure to share these reports with the employees themselves as well as the leadership team.

Take the time to adequately plan your security awareness programme before launching it. While finding the right vendors, training platforms, training content and awareness material is very important, unless the programme is well executed and supported, it will fail to change behaviour or reduce your risk.

CybACADEMY courses powered by GoldPhish educate employees on cyber risk and help build a more secure organisation through awareness training.

Its current FREE100 Campaign is aimed at helping smaller businesses get one step ahead of the cyber criminals with free awareness training.

If you require more information on products and services provided by GoldPhish, e-mail info@goldphish.com. #cybermonth2018
