To enable your organization to develop, maintain, and continuously improve an effective cybersecurity training program, you’ll need to secure strong support from management. You’ll also need to motivate the user community to participate, and to track progress by periodically evaluating the program’s success. Some training methods are far more effective than others, so you’ll need to identify what works best. Consistency is critical, as is interdepartmental support. All of these elements are needed to create and maintain a culture of security awareness throughout the organization and to better protect valuable resources.
Depending on the nature of your business, management may not have enough information to fully comprehend the importance of cybersecurity training or where the organization’s vulnerabilities lie. One way to emphasize the need for an effective training program is to gather recent articles and statistics from tech news sites and agencies like the FBI and the Federal Trade Commission and present the data to those managers. Emphasize the fact that no technical control is 100% effective and that the user community is the last line of defense.
Make your case to managers by demonstrating how security training relates to risk management and how failing to provide that training effectively can result in significant negative impacts to the bottom line. Speak in terms they relate to and avoid overly technical jargon. Find examples of how businesses like yours benefit from a well-trained workforce.
Stress the need for managers to be vocal in their support of cybersecurity training to help create a company-wide culture of security awareness and to promote cooperation between departments to ensure that everyone is on the same page.
Critical training elements
Your training program should be inclusive and should require employee participation. Simply sending out a monthly newsletter in the hope that staffers will read and retain the material is not sufficient. Tabletop exercises, classroom training, and online courses with quizzes work well, as do simulated attacks. Since the primary social engineering attack vector is phishing, simulated phishing attacks can be very effective at educating the workforce, and these simulations can be conducted even when employees are working from home.
Make sure your training material is current. It should also be relevant. If, for example, your organization is a health care provider, the training material should include HIPAA data security requirements. If yours is a local government agency with access to criminal history data, CJIS requirements should be included.
Incorporating material that is useful to employees both at work and at home also results in better retention. If the information helps them protect their home networks and those who use them, they are more likely to remember it and that benefits their employers as well. Phishing and other social engineering training along with some basic cybersecurity principles are good examples of training material that applies both at home and in the office.
Consider offering some rewards for employees who complete their training in a timely manner. Incentives could include some time off or being entered into a drawing for a gift card. Consider making training completion a competition. Departments could compete to determine which would achieve 100% completion first, second, and third. Perhaps some reward could be provided to those groups that finished highest.
Continuous evaluation and improvement
Once you’ve created your training program, you’ll want to measure its success over time. You’ll also want to determine what is effective and what isn’t and make changes to ensure continuous improvement. Keeping the material current and including training about emerging threats is also important.
If you are using a tool or a training provider to run simulated phishing campaigns, the tool may automatically generate metrics that establish an initial vulnerability baseline and then measure progress over time. You may also wish to use surveys to evaluate your program. These surveys could be sent to all employees or to specific stakeholders who can provide the feedback you need to continuously improve the training program.
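As an added example (not code from the article or from any simulation vendor), here is how the baseline-and-progress measurement described above, and the departmental completion competition suggested earlier, can be computed from a simulation tool’s per-user export; the rows, column layout, and department names are constructed assumptions.

```python
"""Phishing-simulation metrics: baseline, trend, and department leaderboard.

Added example. Assumes the simulation tool exports one row per user per
campaign with these columns (constructed layout, not any vendor's format):
(campaign, department, user, clicked_link, reported_email, training_done)
"""
from collections import defaultdict

# Constructed sample export: two quarterly campaigns, four users, two departments.
SAMPLE_ROWS = [
    ("2024-Q1", "Finance", "u1", True,  False, True),
    ("2024-Q1", "Finance", "u2", False, True,  True),
    ("2024-Q1", "Sales",   "u3", True,  False, False),
    ("2024-Q1", "Sales",   "u4", True,  False, True),
    ("2024-Q2", "Finance", "u1", False, True,  True),
    ("2024-Q2", "Finance", "u2", False, True,  True),
    ("2024-Q2", "Sales",   "u3", True,  False, True),
    ("2024-Q2", "Sales",   "u4", False, False, True),
]

def campaign_rates(rows):
    """Return {campaign: (click_rate, report_rate)} as percentages, one decimal."""
    counts = defaultdict(lambda: [0, 0, 0])  # per campaign: [sent, clicked, reported]
    for campaign, _dept, _user, clicked, reported, _done in rows:
        c = counts[campaign]
        c[0] += 1
        c[1] += clicked      # bool counts as 1/0
        c[2] += reported
    return {k: (round(100 * v[1] / v[0], 1), round(100 * v[2] / v[0], 1))
            for k, v in sorted(counts.items())}

def progress(rows):
    """Treat the earliest campaign as the vulnerability baseline and compare it
    with the latest one. Returns (baseline_click, latest_click, improvement_points)."""
    rates = campaign_rates(rows)
    campaigns = list(rates)                      # sorted chronologically by name
    base, latest = rates[campaigns[0]][0], rates[campaigns[-1]][0]
    return base, latest, round(base - latest, 1)

def completion_leaderboard(rows, campaign):
    """Rank departments by the share of users who finished training for a campaign
    (highest first; ties broken alphabetically), for the competition idea above."""
    done = defaultdict(lambda: [0, 0])           # per department: [users, finished]
    for camp, dept, _user, _clicked, _reported, finished in rows:
        if camp == campaign:
            done[dept][0] += 1
            done[dept][1] += finished
    ranked = sorted(done.items(), key=lambda kv: (-kv[1][1] / kv[1][0], kv[0]))
    return [(dept, round(100 * fin / n, 1)) for dept, (n, fin) in ranked]
```

A falling click rate alone can hide progress; the report rate is the companion metric that shows users are actively flagging suspicious mail rather than simply ignoring it.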
Some training delivery solutions…
If your organization utilizes “Microsoft Defender for Office 365 plan 2,” you already have a built-in tool for running simulated phishing attacks and collecting metrics to gauge their effectiveness. There are also third-party providers of training as a service, including some that offer simulations as part of their programs. These providers typically furnish metrics for ongoing evaluation.
If you prefer to develop your own in-house program, organizations like the SANS Institute offer free cybersecurity training resources (see sans.org/security-resources/) that may satisfy many of your needs.
Per a July 2021 article posted to Heimdal Security’s blog (heimdalsecurity.com/blog), the average cost paid by individual organizations that suffered ransomware attacks during the first half of 2021 was $1.85 million. Organizations that pay these massive ransoms are often targeted again because they have been identified as willing to pay. According to Digital Defense (digitaldefense.com/blog), phishing was number two among the top three ransomware attack vectors. If your company doesn’t maintain an effective cybersecurity training program that teaches employees how to recognize attack vectors such as ransomware phishing emails, give serious consideration to developing and deploying a program as soon as possible.