5 Tips To Create an Effective Security Awareness Training Program

essidsolutions

Security awareness training (SAT) significantly reduces cybersecurity risk. Yet, it’s difficult for many organizations to know where to begin when creating these programs. This guide by Roger A. Grimes, data-driven defense specialist, KnowBe4, covers the various components of an SAT policy.

Any organization, regardless of size, is a target for cybercriminals’ social engineering and phishing tactics. In fact, depending on which study is consulted, social engineering and phishing are cited as the root cause of at least 40% of all successful attacks – and that is a conservative figure. Despite over three decades of vendors producing some of the best, most sophisticated technical defenses, social engineering and phishing attacks persist for the simple reason that they are effective from the cyberattacker’s perspective.

As such, end-users must be taught not only how to recognize social engineering and phishing threats but also how to treat them, report them and ensure their colleagues aren’t falling foul to them. Accordingly, security awareness training (SAT) is among the most high-value mitigations any organization can perform to significantly reduce cybersecurity risk. Yet, it is difficult for many organizations to know where to begin when creating these programs. What follows is a handy guide that covers the various components that make up an SAT policy that will act as the basis for a comprehensive program.

Decisions, Decisions…

First, think about the goal that the organization is trying to meet with its SAT program. It could be something like: “To significantly reduce the organization’s cybersecurity risk due to participant actions and decisions when faced with social engineering threats, by using security awareness training and education. Participants should be able to better recognize cybersecurity risks, understand how to report risks and threats, and where to go for help.”

Next, think about compliance requirements and try to align SAT program elements to compliance documents. Many security controls originate from computer security laws, requirements, recommendations or best practice guides. Tying the SAT program back to one or more compliance documents will likely assist the organization in getting the necessary approvals and in justifying the ongoing expense of the program. If the organization falls under one or more regulations requiring security awareness training, it cannot hurt to “map” (i.e., link) the policy to the specific control in the document.

Once the goals and compliance requirements are mapped out, get senior management sponsorship and approvals. As with any security mitigation, senior management should be convinced of the need for the SAT program and be supportive of its implementation. This is vital as senior management must ultimately drive the organization’s security culture. A successful security awareness program will enable other parts of the overall business to prosper, and it should be communicated that way. Additionally, senior management’s ability to act as an evangelist and lead advocate for the program will yield lasting benefits in adoption and engagement across the business. 

There also needs to be thought given to where the program will originate within the business. While many SAT programs originate from within IT or IT Security departments, others may be assigned to a centralized training department or Human Resources. Think about the resources, budget, support and responsibilities required for a successful program and which business unit this will sit most comfortably with. 

Once these initial considerations have been made, here are some other factors to be aware of when creating the SAT program policy:

1. Consider the Scope 

Along with the goal of the program, all policies should indicate the scope of what the policy applies to. This includes the types of participants and roles, locations, business units and even what languages the SAT program should/must cover. Will the SAT program extend to contractors, partners and other types of third parties? The most common scope is described as “All Participants,” but it is essential to consider requiring its use by any entity that has access to your network or data. Hackers often target trusted third parties and vendors, leveraging a compromise in them to access other targets. Accordingly, an SAT policy scope may include something like, “All participants, vendors, contractors and third parties with access to our confidential data.” 

2. Define All Technical Terms

These could include words such as phishing, spear phishing, smishing, vishing, URL, etc. They should be formally described in the policy document to ensure all readers have a common understanding of them. Never assume that anyone or everyone understands all terms. 


3. Decide on Internal vs. External Stakeholders

A good SAT program is difficult for any organization to develop and service using only internal resources. But even if an external vendor is used, one or more internal participants will be responsible for the SAT program. Therefore, it will need to be decided whether the SAT program is the responsibility of one or more completely dedicated participants, the part-time responsibility of one or more participants, or outsourced to a vendor who administers the SAT program on the organization’s behalf. Certainly, dedicated participants or an outsourced vendor able to concentrate on the SAT program are better than a part-time resource, although the size and resources of the organization can be a constraint on having dedicated staff. Many smaller companies outsource their SAT programs to vendors, and many SAT companies offer to manage the program as one option.

Whether the organization chooses internal or external resources, dedicated or shared part-time resources, the resources administrating your SAT program should understand the organization’s particular culture, needs and goals. 

4. Cover the Training Specifics 

The SAT program policy should cover the types of training, types of training content, when training exercises are performed, the frequency and how it is performed. For example, an SAT policy should state if training is conducted in-person, remotely, using in-person instruction, using pre-recorded videos, printed and/or electronic posters and newsletters, formal presentations, informal “lunch-n-learns,” games, quizzes, etc. It should also document if simulated phishing is used as part of training or if that is out-of-scope. The frequency and timing of standard SAT training should also be documented. 


5. Set Expectations, Consequences, and Rewards

Finally, the policy should set out what is expected of employees and what they can expect having completed the training. For example, it should say that participants are expected to complete all required training in a timely manner and should set the expectation of both training and responsiveness to simulated phishing tests. Employees may be told that they should actively report their interaction with any simulated or real phishing campaign to the Help Desk or IT Security and that late reporting (before discovery by others) will not result in penalties. Organizations want to create a culture where reporting suspected phishing events is always encouraged, even if it is late. 

Consider communicating that if any employee types in their login credentials (even in response to a simulated phishing test), they will be asked to change their passwords immediately. This is based on the conservative conclusion that if the employee typed their credentials into a simulated phishing campaign, they might have done the same in a real one.

Positive reinforcement is preferred to using only negative consequences whenever possible. For example, state that every successful report of a real or simulated phishing event will result in a positive notification to the participant – or if the entire department completes satisfactory training, for example, they could earn a lunch on the company.

Starting with a clear picture of what a security awareness training program policy should look like will put organizations in the best position to create an effective program that is plainly understood by employees. Defining goals and the scope of the policy, along with setting expectations and getting buy-in from senior management, puts organizations on the front foot on their way to reducing social engineering and phishing threats to their businesses.
