Every organization needs cyber security awareness training. The focus and depth of training may be different, but everyone needs it.
Here are some insights from the Verizon 2021 Data Breach Investigations Report to drive this point home.
- 85% of breaches involved a human element.
- The top pattern observed in breaches was social engineering.
- The top variety of social engineering was phishing.
Now, don’t take this information and assume you only need to train employees to spot a phishing email.
The report also shows that incidents and data breaches are caused by privilege abuse, data mishandling, unapproved workarounds, and more.
This simply shows that the human element of security is a commonly exploited vulnerability and should be taken seriously by all organizations that hire humans. One way to help mitigate this is with some cyber security awareness training.
Now that you are super motivated to go create a training program for your organization, here are five tips as you get started.
1. Identify your objectives
One possible objective could be to familiarize or educate employees on threats, security measures, and organization security policy.
Another could be changing your security culture by changing bad habits, creating buy-in, and fighting complacency.
If you get even more specific, you could say your objective is to decrease the annual number of security incidents by 50%.
2. Include role-specific training
There are a lot of topics you will want everyone in your organization to learn but you should also include training that is specific to different roles within your organization.
For example, managers, supervisors, and other organization leadership might need more exposure to your organization’s security policy so they can provide feedback to improve it, enforce it, and (most importantly!) create buy-in among employees.
Likewise, system administrators and other IT personnel may require additional training. There may be more specific security policies that affect your IT personnel but that the rest of the organization doesn’t need to know about. These individuals also need to be the most aware of threats and how to respond to them.
There may be more roles that require a tailored training regimen. This doesn’t mean you need to create something for every specific person or every work center at your organization, but you need to make sure the training is applicable to everyone and identify those who need more specific or more in-depth training.
3. Experiment with different delivery methods
Training isn’t one size fits all. Try different methods and see what is best received in your organization.
Options:
- In-person training, presentation, or discussion
- Online training
- Emailing training material to employees
- Security posters around the workplace
Each of these options has pros and cons in terms of the level of information retention it will provide, workplace disruption, and cost.
4. Depth of training
It is called AWARENESS training for a reason. Keep it simple and focus on your main objectives.
If the training is going to take quite a bit of time, try to spread it out over time so employees can absorb a little bit at a time. I’m guessing an annual 8-hour slideshow presentation isn’t going to help anyone.
5. Topic Ideas
There is an endless number of topics you can consider for your training. Use this list to help you get started, and pick the topics most relevant to your organization.
- Organization Security Policy
- Social Engineering
- Removable Media
- Internet Browsing
- Physical Security
- Incident Response
- Personal Device Use
- Wi-Fi Access
- Social Media Use
- Sensitive Information Handling
Creating a cyber security awareness training program is important for organizations of all sizes and it doesn’t have to be complicated or difficult. If you need help with cyber security awareness in your organization, schedule a free consultation with Agler Security Consulting to learn how we can help!