As cyber-attacks are on the rise, companies are becoming ever more aware of the need to implement security awareness programs to train their employees against these attacks. Routine training is essential, but is the security training employees receive as effective as it could be? Most of us have gone through training programs (the dreaded PowerPoint presentation) at work that we had to complete for compliance purposes. However, a couple of weeks later we had forgotten all about it because it had no impact on us personally. It was just another procedure we completed before moving on with life. What if the training appealed to us personally? Standard training may require implementing new tools or procedures, but effective training goes beyond that. There are four keys to successful training that will make all the difference for employees as well as corporations.
Have Metrics and Measure Training Effectiveness
How can metrics improve training? Metrics enable you to objectively assess the effectiveness of your training. Realistic testing (for example, simulated phishing or vishing) gives you accurate data points with which to quantify and validate a training program. This lets you identify not only the number of employees who complete the training, but also the rate at which behavior actually changes as a result of it. Analyzing the test results in relation to the training can help determine whether your program is having the desired effect. It can also reveal deficiencies and the areas where employees struggle the most. Executing a training program without measuring its effectiveness would be like playing darts blindfolded. The clearer your focus on the target or goal, the better your chance of success.
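As an added illustration, not part of the original post, the script below separates the two numbers the paragraph distinguishes: the completion rate of the training itself versus the change in behavior (click rate and report rate) between a pre-training and a post-training simulated phishing round, broken down by department so that struggling groups stand out. The record layout and the department names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: one record per employee per simulation round.
# Fields: employee id, department, round ("pre" or "post" training),
# completed training?, clicked the simulated lure?, reported the email?
SAMPLE = [
    ("e1", "accounting", "pre",  True,  True,  False),
    ("e1", "accounting", "post", True,  False, True),
    ("e2", "accounting", "pre",  True,  True,  False),
    ("e2", "accounting", "post", True,  False, True),
    ("e3", "executive",  "pre",  True,  True,  False),
    ("e3", "executive",  "post", True,  True,  False),
    ("e4", "executive",  "pre",  False, False, False),
    ("e4", "executive",  "post", False, True,  False),
]


def completion_rate(records):
    """Share of distinct employees who completed the training (the compliance number)."""
    completed = {emp: done for emp, _, _, done, _, _ in records}
    return sum(completed.values()) / len(completed)


def behavior_rates(records):
    """(department, round) -> (click rate, report rate) for that simulation round."""
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for _, dept, rnd, _, clicked, reported in records:
        c = counts[(dept, rnd)]
        c["n"] += 1
        c["clicked"] += int(clicked)
        c["reported"] += int(reported)
    return {k: (v["clicked"] / v["n"], v["reported"] / v["n"]) for k, v in counts.items()}


def behavior_change(records):
    """Per department: pre-to-post change in click and report rates.
    A negative click_delta and a positive report_delta mean the training changed behavior."""
    rates = behavior_rates(records)
    result = {}
    for dept in sorted({d for d, _ in rates}):
        pre_click, pre_rep = rates.get((dept, "pre"), (0.0, 0.0))
        post_click, post_rep = rates.get((dept, "post"), (0.0, 0.0))
        result[dept] = {"click_delta": post_click - pre_click,
                        "report_delta": post_rep - pre_rep}
    return result


def struggling_departments(records):
    """Departments whose click rate did not fall after training: the gaps to investigate."""
    return [d for d, delta in behavior_change(records).items() if delta["click_delta"] >= 0]
```

Run against the sample, three of four employees completed the training, yet the executive department's click rate rose, which is exactly the gap a completion count alone would hide.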
Offering just one form of training, repeated over and over again, may not be effective for all users. In addition to training via the company's intranet, newsletters and splash pages featuring current topics could increase employees' interest. Others may enjoy learning at in-person events such as lunch and learns; in this relaxed group setting, employees can feel more connected to the information presented. Many corporations also find it beneficial to send some of their employees to conferences that offer training on the different aspects of security awareness. Adding layers to the training will ensure that the information reaches more people.
Humanize Your Training
It is common to blame the recipient when training doesn't yield the desired results. But could there be a deficiency in the training method? Focusing on the human aspect of security training will help identify any gaps in it. Many companies give the same training to all employees, regardless of their job duties. However, "one size fits all" training is not effective. Security awareness needs vary from one department to the next: the risks faced by someone who works in accounting differ from those faced by an executive, so generic training may have nothing to do with a given employee's job. If the training seems irrelevant to the employee, it will not teach effectively.
For security awareness training to be effective, it needs to be interactive and multifaceted. The different facets of the training should include sections that speak to the different styles of learning, whether audio, visual or hands-on. This will keep employees engaged in the training and thus make it more effective.
Care About Your Users
Communication is vital for information security training. To develop good communication with employees, a corporation needs to show that it cares not just about what happens at work, but also about how the training it provides benefits the employee as a person. If an employee's personal computer is compromised and they're worried about losing pictures of their loved ones, can they really be productive at work? To keep employees interested in the training, it's important to pick topics that are relevant. If we're to invest our time and attention, we need to know: what's in it for me? The focus should be not only on how to protect the company, but also on how the information given will help employees protect their personal information, as well as their family and friends.
In the business world, great importance is given to building relationships with clients by establishing trust. It is just as important to build a relationship of trust with our employees. Therefore, we need to consider employees' feelings when launching security awareness training. Sadly, there have been instances where corporations tested their employees by sending phishing emails that promised them an end-of-year bonus, only for the employees to find out it was not real. What lessons do employees learn when they are left feeling demoralized? Tests that elicit a visceral fear response are not effective. Instead, we need to humanize our fellow employees so they can view the training and testing as a tool for them, not as an adversarial attack.
It's not just about giving training, but about measuring how effective the training is. Assessing our training can help identify any gaps. Then we can re-evaluate the delivery and make it relevant by including topics that people care about. Security awareness training should focus not just on the end goal, but also on how it will affect the people who serve that business. A point to remember is that we're not only training our employees, we're also building trust. We do this by bringing empathy to our testing. No type of training, whether phishing, vishing or anything else, should be fear-based. Employees need to see their IT departments as advocates, not adversaries.
When influential information security practitioner Kate Mullin was a guest on the Social-Engineer podcast, she said, “Part of employee engagement is, you need to care about them, and it can’t be fake. It has to be real.” Implementing a security awareness program that takes into account not just the business’ needs but that of the employees, can create a partnership that results in everyone being more secure.
Want to Humanize Your Training?
Social-Engineer provides custom managed services to assist organizations in the assessment and education of their human network. We take a personalized approach to training and testing. Our team of expert social engineers focuses on the tactics hostile attackers use to influence and manipulate people via phishing, vishing, and impersonation. We will assess your organization's vulnerability to a social engineering attack, then provide customized training and guidance to make your company more secure. For detailed information about the services we offer, please visit Social-Engineer.com/Services.