With phishing and ransomware attacks as prevalent as ever, one of the biggest concerns of many CISOs is that their organizations’ employees haven’t received enough training in regard to preventing social engineering.
A lack of security education can result in an organization not only being open to phishing attacks and other cyber security risks, but also can result in the organization having slower reporting and resolution times for incidents, or even a complete failure to resolve incidents. While most CISOs understand that security awareness training can be a powerful tool against cyber security risks, the challenge is how to build a program that will be effective.
This article covers a few essential steps to creating a cyber security awareness program that focuses on risk mitigation.
Step 1: Understand the Baseline
To build an effective cyber security awareness program, the first step is to understand how effective any current awareness initiatives are that inform employees of cyber security risks and strategies for mitigating those risks. The metrics used to measure effectiveness should focus primarily on evaluating the analysis performed to build the program, the planning of the program, how well the program trains employees, and how well the program reinforces employee training.
When developing the metrics to evaluate the effectiveness of each area, the organization may also factor in compliance of the training program with the requirements outlined in NIST, GDPR, and other relevant industry standards and regulations.
When the numbers have been run and a score is developed based on these tailored metrics, it is important to look not only at the raw numbers when determining areas of improvement but also at the organization's score compared to other similar companies, whether they are similar in size or industry, or are subject to different compliance and privacy requirements.
Step 2: Determine the Appropriate Audience
Organization-wide participation is the cornerstone of an effective cyber security program. Well-developed security awareness training materials can be rendered useless without awareness by the full organization. Put another way, an organization’s awareness program is only as strong as its least-aware employee.
While all those with access should be trained on the basics of protecting the organization against cyber security risks, it may be that different cyber security awareness training materials or reinforcement training materials are more targeted toward a particular group (e.g., training on hardening standards for firewalls might be more relevant and appropriate for the network security team than for human resources personnel). When determining group participants, the roles and job functions present within the organization and the content of the training should be considered.
Step 3: Select High-Impact Content
With a broad spectrum of possible cyber security awareness topics covering areas such as identity theft, password security, data retention and destruction, PII best practices, mobile application security, and many more, it's easy to understand why selecting content for a cyber security awareness training program can become an overwhelming task.
To help streamline the content types, it's helpful to remember that content should be selected with the goal of mitigating risk. It follows that when creating the content for a cyber security awareness program, topics should factor in the following:
- The type of incidents that pose the highest risk to the organization based on the organization’s assessment of cyber security risks.
- The risks identified by monitoring tools and security ratings tools.
- The areas of weakness determined by any prior awareness assessments, such as the results of quizzes or phishing simulations.
- Topics covered in the organization’s cyber security policies and procedures.
- Topics required by relevant regulations and industry standards or as mandated by clients of the organization.
There are also a multitude of content types to choose from when developing a cyber security awareness program, including phishing simulations, games and contests, round table discussions, quizzes, best practice checklists, infographics, videos, newsletters, e-learning modules, and so on.
Here again, the focus should be on selecting the content type that will resonate the most with the organization’s employees. While every organization will have different content types that work best for them, all content used should clearly delineate why training is important to employees, be simple and clear, and be relevant and up-to-date.
Step 4: Set a Plan and Deploy
Setting the timeline for awareness training (especially the initial roll-out of training for organizations that are just beginning their awareness efforts) should take into account the availability of the key stakeholders and contributors to the program.
Other considerations when laying out the timeline may include audit or compliance deadlines, or time-sensitive opportunities for increased awareness, such as cyber security awareness month or a recent breach.
Step 5: Ongoing Updates
Lastly, and perhaps most importantly, the cyber security awareness training program should be updated on an ongoing basis.
Understanding the results of training efforts allows organizations to determine their progress against the baseline and update training materials to produce increased awareness. These measurements might include not only the metrics used when establishing the baseline, but also qualitative results such as user feedback, level of engagement at any training sessions, and so on.
Based on the progress in employee awareness, the training program should be updated to address any areas of weakness, as well as user feedback and suggestions. Furthermore, training should be updated to reflect changes in the organization's cyber security risk landscape.
Armed with a cyber security awareness program that is customized to facilitate risk mitigation, employees can contribute to an additional layer of defense against cyber security attacks.