Has your company decided to take the plunge, and start a regular schedule of monthly online security awareness trainings for your employees? Great! You’ve just taken a big step toward hardening your cybersecurity defenses. Now what?
Chances are, you’ve purchased a cloud-based subscription service that automatically updates its course library to match the latest cybersecurity threats. It may look like a program that runs itself, but it doesn’t. It’s time to set up some governance around your training program to make sure it runs smoothly.
You’ll need to prepare your systems not just for the new program, but for the monitoring and reporting the courses will generate. You’ll need to confirm the platform works with the systems you already have (for example, your identity provider, email and reporting tools), and make changes to your cybersecurity policies, too.
Fortunately, onboarding and managing security awareness training is simple if you get your governance right from the start. An MSP with governance expertise can be a huge help. At Integris, helping clients with Security Awareness Training is a big part of our business. Here are the steps we walk our clients through as we add Security Awareness Training to their systems.
What to Consider as You Set Up Your Security Awareness Training
#1—Evaluate the Threat Landscape
Before you begin with a security awareness training program, it’s important to understand the threats your company is facing. For instance, are you handling large amounts of customer financial data or health care data? Are there specific types of phishing attacks your employees might be susceptible to? Take all of that into consideration when you’re shopping for your security awareness training program. If a vendor’s base program doesn’t cover your specific threats, ask whether they offer extra modules or customized options.
#2—Get C-Suite Buy-In
This goes for pretty much any IT investment you make. Your executives should understand the importance of your security training investment so they can become cheerleaders for it within the organization. Involve them whenever possible in the shopping and vetting process so they feel their areas of concern are covered. When it’s time to enroll employees in the training, you’ll have a ready set of evangelists who can talk up the program and make sure their direct reports participate.
#3—Look for Continuous Training with Creative and Engaging Content
Not all security awareness training programs are created equal. This is why we recommend that you test drive the modules as much as you can before you buy. Your organization’s success with the training will largely hinge on the quality of the programming.
Specifically, you’ll want to look for a SAT program that has:
- Continuously updating material—so that new training tracks closely with some of the big hacks and cybersecurity news stories they may be seeing in the media. This will help you stay ahead of emerging threats before they hit employee inboxes.
- Interactive Modules—so employees are engaged with the material. Look for security awareness training programs that have good production quality, with realistic, real-world examples, and test-as-you-go functionality.
- Varied formats—including videos, quizzes, skits and more, so employees don’t feel like they’re being preached to, or they’re having to participate in a dry lecture.
#4—Establish Metrics and Key Performance Indicators for the Program
The adage “you can’t manage what you can’t measure” truly applies here. Before you start, create a picture for what success will look like for your training.
The KPIs you choose will be different for every organization. However, most organizations we work with track these metrics:
- Participation rates
- Completion rates
- Grades on comprehension tests inside the modules
- Staff results on phishing simulations conducted after the training begins (these test people, not systems, and are distinct from a penetration test of your infrastructure)
#5—Compliance with Regulations
Most compliance frameworks require some level of security awareness training for your employees. Regulators for banking, health care, and government contracting are especially rigorous. Before you purchase a program, check what the frameworks and regulators that apply to you expect. Most will recommend best practices, even if they don’t get directly prescriptive about the content of your training program. In most cases, they will simply ask for proof that the training happened. To avoid compliance-related gaps, it pays to have an awareness program that is customized to your regulatory load and documentation needs.
#6—Role-Based Training
Are there areas of your company where employees have higher-risk roles, such as finance staff who approve payments or administrators with privileged access? If so, consider security awareness training that has custom modules for these groups. This lets you tier your training appropriately.
What to Do After Your Security Awareness Training Program Starts
If you’ve laid your groundwork properly, you’ll already have executive champions who can help you with your rollout effort. You’ll need to provide strong written guidance to your corporate communications and human resources departments, so they can accurately communicate expectations to all employees and new hires. Include information about what the platform does, how often employees will be required to take courses, and how to step through the onboarding process.
The next step is drafting registration and onboarding emails for your staff. Coordinate with your training vendor to determine who will handle the influx of calls from employees who have questions about their platform sign-on during the onboarding process.
Once your program is in place and running, it’s time to start delivering on the metrics you have set. We highly recommend investing in phishing simulations, ideally conducted every few months. These can be built in-house or purchased through your MSP or training platform provider. They test employees directly by mimicking the lures covered in recent modules. If employees fail the phishing test, you know it’s time to invest in more training reviews, starting with the people who fail repeatedly.
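Turning simulation results into the KPIs listed above is mostly bookkeeping, but it is worth doing consistently so the numbers are comparable from campaign to campaign. The script below is an added example, not code from the article or from any training platform; the campaign data, employee names and departments are constructed, and the "report rate" metric (how many people used a report-phish button) is an addition beyond the article's own list. It computes per-campaign click and report rates, per-department click rates, the trend between the first and latest campaign, and the repeat clickers who should get remedial training first.

```python
"""Roll up phishing-simulation results into training KPIs.

Added example (not from the original article). All data below is
constructed; in practice you would load the CSV export from your
training platform instead of using SAMPLE.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str     # campaign identifier, sortable (e.g. "2024-Q1")
    employee: str     # fictitious user id
    department: str
    clicked: bool     # followed the lure link or submitted credentials
    reported: bool    # used the report-phish button


# Constructed sample data: two quarterly campaigns, four employees.
SAMPLE = [
    Result("2024-Q1", "alice", "finance", clicked=True,  reported=False),
    Result("2024-Q1", "bob",   "finance", clicked=False, reported=True),
    Result("2024-Q1", "carol", "hr",      clicked=True,  reported=False),
    Result("2024-Q1", "dave",  "hr",      clicked=False, reported=False),
    Result("2024-Q2", "alice", "finance", clicked=True,  reported=False),
    Result("2024-Q2", "bob",   "finance", clicked=False, reported=True),
    Result("2024-Q2", "carol", "hr",      clicked=False, reported=True),
    Result("2024-Q2", "dave",  "hr",      clicked=False, reported=False),
]


def _rate(results, field):
    """Fraction of results where the given boolean field is True."""
    if not results:
        return 0.0
    return sum(getattr(r, field) for r in results) / len(results)


def campaign_rates(results):
    """{campaign: {"click_rate": x, "report_rate": y}}, campaigns sorted."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    return {
        name: {"click_rate": _rate(rs, "clicked"),
               "report_rate": _rate(rs, "reported")}
        for name, rs in sorted(by_campaign.items())
    }


def department_click_rates(results, campaign):
    """{department: click_rate} for one campaign."""
    by_dept = defaultdict(list)
    for r in results:
        if r.campaign == campaign:
            by_dept[r.department].append(r)
    return {d: _rate(rs, "clicked") for d, rs in sorted(by_dept.items())}


def click_rate_trend(results):
    """Latest click rate minus earliest; negative means improvement."""
    rates = campaign_rates(results)
    if len(rates) < 2:
        return 0.0
    ordered = list(rates.values())
    return ordered[-1]["click_rate"] - ordered[0]["click_rate"]


def repeat_clickers(results, threshold=2):
    """Employees who clicked in at least `threshold` distinct campaigns."""
    seen = defaultdict(set)
    for r in results:
        if r.clicked:
            seen[r.employee].add(r.campaign)
    return sorted(e for e, camps in seen.items() if len(camps) >= threshold)


if __name__ == "__main__":
    for name, rates in campaign_rates(SAMPLE).items():
        print(f"{name}: click {rates['click_rate']:.0%}, "
              f"report {rates['report_rate']:.0%}")
    print("trend:", f"{click_rate_trend(SAMPLE):+.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE))
```

Track click rate and report rate together: a falling click rate with a rising report rate is the pattern you want to see, while a falling click rate alone may just mean the lure was easier to spot. The repeat-clicker list is the input to the targeted training reviews described above.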
Fostering a Cybersecurity Culture at Your Company
Your security awareness training program will only be as good as your commitment to it. Your company’s cybersecurity culture is crucial. There is, however, a right and wrong way to achieve good corporate cybersecurity hygiene. Too many companies resort to micromanagement and fear to get results.
Here’s why I think that’s counterproductive. Your employees will buy into your cybersecurity program when they feel like they are partners in your cybersecurity success. Your phishing simulation program is a great opportunity to build that partnership. Instead of running every simulation in secret, let employees know that simulations are planned, and challenge them to spot and report the lures you seed into their inboxes. Celebrate the employees with the best scores and debrief on what the test included. You may be surprised how invested your employees get in the outcome.
Monitoring and Tracking for Your Security Awareness Program
As part of your pre-purchase due diligence, your IT leadership should have reviewed the reports and monitoring features of your SAT platform and ensured they integrate with your existing reporting structures. But did you know SAT reports can also serve as evidence of your security practices for outside parties?
The reports and grades you generate with SAT can have many uses, including:
- Creating trackable key performance indicators that show continued security improvement to your C-Suite
- Offering proof of training to regulatory groups who are conducting cybersecurity assessments of your company
- Proving your good cybersecurity practices to potential clients and vendors
- Showing ongoing security skills development that can be part of your employees’ human resources files
The benefits of security awareness training are far ranging. Make sure you’ve captured that in your tracking and reporting.
Interested in a Security Awareness Training Program at Your Company? Integris Can Help.
As a national managed IT service provider, Integris has helped hundreds of companies across the country create meaningful security awareness training programs. We’d love to help you too. Contact us now for a free consultation.