Today, many organizations have a security awareness program of some kind. Whether it’s annual compliance training or the orientation video warning new employees about phishing, it’s almost a standard now among industries.
However, security awareness programs vary in frequency, details, and execution. And it’s that variability which, unfortunately, can become a vulnerability.
Employees and users are the first line of defense against a cyberattack. Their training should be as robust as your organization’s other security measures. If it’s not, it may be time to reevaluate your security awareness program and how it’s reaching your employees.
What Is A Security Awareness Program?
A security awareness program is the compilation of compliance training, phishing lessons, and any other efforts (videos, quizzes, events, content) to train employees to meet compliance requirements and to grow in their knowledge and application of security best practices.
Examples include annual HIPAA compliance training for an organization in the healthcare industry, a video on phishing, or even a mandatory reading on common security issues in the workplace. Security awareness programs take many forms and are commonplace in organizations that have a digital presence.
Not All Security Awareness Programs Are Effective
Just because many organizations have some form of security awareness program doesn’t mean the program is going to be effective at building a culture of security.
There is more to building a culture of security than just saying “something is better than nothing.”
Security Awareness Programs: Five Questions to Ask to Determine Their Effectiveness
1. How Often Is Your Program Conducted?
Here’s a startling fact: Very few organizations train their employees monthly. Monthly may seem frequent, but considering that people forget more than 80 percent of what they’ve learned in less than a month, frequent engagement on the topic of security is a necessity for building a culture of security.
If your organization is only offering quarterly or yearly training, you are pretty much ensuring that nearly all of the information you cover will be lost to time.
Frequency is key in helping employees take in — and remember — what was learned in training, as well as making sure it’s actively applied, not just scanned and forgotten. If you engage with employees more than once a month, they will retain more and for longer!
2. How Much Work Is Involved in Setting Up and Executing Your Program?
Do you have to select content yourself? Do you have to schedule it? Do you have to create it?
If you or your IT team must set up and deploy every aspect of the program yourselves, what happens when you must put out a fire? Do your efforts to provide your employees with their training content fall to the back burner?
Or, if you are trying to handle all the selecting and scheduling of content yourself, when do you have time to lead employees? When do you have time to have a conversation with them and deepen their understanding and implementation of secure practices?
Getting the admin work of an ongoing awareness program off your plate not only guarantees consistency, it also puts you in the driver’s seat to weave your program into a culture movement.
Consistency is key in establishing the importance of security principles. Don’t leave it to chance. Ensure you have an ongoing and consistent program.
3. Is Your Training Taking a Passive or Proactive Approach?
If you have your employees read a document on HIPAA once a year and then store it in their desk somewhere, those employees probably aren’t confident about compliance and are likely to make mistakes if a compliance issue arises.
Rather than just asking yourself how you can check the compliance box, it is important to make sure you are asking yourself how you can continuously keep security top of mind for your employees.
Proactive is always better than passive, and engaging your employees with current and relevant content that equips them to bring security principles to life is a great way to make sure the information sticks and the risk is reduced.
4. How Much Information Are You Giving Your Employees in Training?
Having an employee memorize every aspect of industry-specific compliance requirements during a single training is a great way to ensure they’ll forget most of it. The human brain is best at absorbing four to seven pieces of information at a time, and if your training is just once or twice a year, the amount of information you’re dumping on employees likely far exceeds that limit – leading to forgetfulness, learning loss, and a lack of engagement.
As soon as we hit information overload, our brain rapidly starts to sort through the content we just heard and actively begins to dump any information it deems irrelevant. If we don’t re-engage on the topic, our brain lets it go!
Instead of overwhelming employees, the goal should be to share smaller and more direct bite-sized pieces of information on a continuous basis.
5. Does Your Program Build Distrust?
The worst outcome of your security awareness program would be to hinder security awareness. No one would knowingly set out to build a security awareness program that puts employees off completely and makes them avoid it like the plague.
But, unfortunately, there’s a negative backsliding that often occurs without anyone realizing it.
Take, for instance, the goal in an awareness program of helping employees recognize phishing emails by practicing with phishing simulations.
The intention begins as “teaching employees to recognize phishing emails.” So, you start sending phishing simulations. If employees perform well at recognizing and avoiding the threats, there’s sometimes the temptation to make them harder, then even harder, then even harder. If you are continuously out to trick employees and attach consequences to failure, such as a longer training that has nothing to do with the phishing email they just clicked on, pretty soon you’re going to have a group of employees who want to avoid anything to do with the awareness program because they feel that all you’re trying to do is trick them and punish them.
When you shame employees, focus on failures, or even cross the line into tasteless temptations, as GoDaddy did in 2020 when it promised employees a bonus only to reveal it was a phishing test, you are building distrust. This distrust will completely undermine any efforts you make to instill security into your organization.
Instead, seek out a program that focuses on positive reinforcement and, with the heart of a teacher, always has time to patiently and kindly show people how to improve.
To better understand Security Awareness Programs and what your organization should be looking for when selecting one, check out our webinar: So, You Want To … Level Up Your Security Awareness Program.