October 13, 2021
Best Practices for Security Awareness Training Success

As cyberattacks surge, security-savvy employees are your organization’s first line of defense.

Verizon’s 2021 Data Breach Investigations Report, which analyzes 29,207 “quality” security incidents across 88 countries, found 85% of confirmed data breaches in 2020 involved human interaction.

Cybercriminals and state-sponsored hackers are aggressively targeting people, and no one is immune to security slip-ups. High-profile incidents involving Google, Facebook and Twitter all resulted from social engineering strategies that successfully deceived employees.

From password best practices to spotting phishing, business email compromise (BEC) and deepfake attacks, ensuring employees at all levels of the business are up to speed and taking their security responsibilities seriously has never been more important.

“I think it’s very easy in security to forget that what we’re securing is not the computer. What we’re securing is the organization. The organization is the people as well.”

— Gabe Bassett, Senior Information Security Data Scientist, Verizon

Comprehensive security awareness training is one of the most cost-effective ways to minimize risk, but many organizations don’t recognize the need to implement continuous training initiatives. According to a recent report, only 35% of security leaders classify security awareness training as a “top priority.”

Traditional Approaches Are Doomed to Fail

Traditional security awareness efforts often focus on compliance with regulations such as PCI-DSS, SOX, HIPAA, GLBA, FISMA and—more recently—GDPR and multiple state-based data privacy laws. But implementing a security awareness program is more than just a check-the-box compliance exercise: it’s a business imperative.

A 2020 survey of 1,200 employees on their cybersecurity habits, knowledge of best practices, and ability to recognize security threats found that 60% of respondents who failed a basic security quiz reported feeling safe from threats. And sadly, 80% of employees who answered all seven quiz questions wrong reported having received cybersecurity training from their employers.

The bottom line is that awareness gaps put your organization at risk. If you don’t provide users with specific information about what they should and shouldn’t do under certain circumstances and motivate them to promote your security goals, the responsibility for any damage they cause lies with you.

Here are nine best practices for making your security awareness training program a success.

  1. Evaluate Your Current State

Before you can advance your efforts, you’ll need to consider the strength of your existing security awareness program or security culture. Professional assessments, as well as free resources such as the 2021 SANS Security Awareness Planning Kit can help you ascertain how mature (or immature) your program is, identify short and long-term goals, and communicate your efforts to leadership.

[Figure: SANS security awareness program maturity chart. Source: SANS Institute]

Taking baseline measurements related to current phishing susceptibility and cybersecurity knowledge levels will enable you to track your program’s progress. Record the number of employees falling prey to simulated phishing attacks, how many are reporting suspicious emails, the overall volume of security-related calls received by IT analysts, and the rate of malware infections.

  2. Go All-In

Make it a company-wide program that includes buy-in from security leaders and other C-level executives all the way down to individual managers. Update your organization’s overall vision or mission statement to clearly communicate that security is non-negotiable. Let employees know what’s in it for them; they’ll be more invested if they understand security awareness extends beyond corporate concerns to protect against threats to their identity and financial security.

  3. Mind the Culture

Focus on building a strategy that blends your security awareness program with your existing corporate culture. Initiatives that are carefully tailored to your industry as well as workforce demographics, regions, departments, and roles will help your employees see security as part of their story.

  4. Set Flexible Goals

Work with stakeholders to identify the top concerns and risk factors in specific areas of the organization and develop a calendar of activities to address them over time. Set reasonable, incremental goals and be prepared to make changes if initial approaches fail to produce positive results.

  5. Keep Messaging Clear and Current

Communicate the value and purpose of your awareness program early and often. Users should understand exactly what’s happening, why it’s happening, and their role.

Focus on attention-grabbing content that’s relatable and can make an impact on their personal lives. Repeat the key messages, but vary how they are delivered. Diversify media and determine what drives the most change.

Annual efforts are not enough. Threats are constantly evolving, and employees need to be informed of the most recent events and attacker tactics, techniques, and procedures (TTPs). Maintain ongoing, up-to-date awareness activities aimed at integrating training into daily workflows. This will keep the latest cybersecurity best practices top of mind, and better equip employees to defend your business.

  6. Leverage Gamification

Traditional training methods can be boring and—according to the Ebbinghaus forgetting curve—people forget about 50% of all new information within an hour of learning it. Incorporating gamification into your awareness program can make security training more memorable and encourage active engagement. However, it’s important to note that gamification is more than just putting information in the form of a game in the hopes of changing behavior. True gamification is a reward system that positively reinforces learning.

“The simplest form of gamification is immediate feedback when you answer some prompt: Get it right, and you get a star or a point or a badge. Akin to getting likes on social media, this kind of immediate feedback answers the very simple but powerful human need for validation.”

— Michael Osterman, President, Osterman Research

Implementing effective gamification can motivate your employees not just to participate in training but to take it seriously, so they have a chance of winning. What you reward them with depends on your corporate culture: it could be individual or team recognition, points, prizes, or even money.

  7. Incorporate Technology

Humans and technology work together to detect and respond to threats. Tools such as data classification, email security, endpoint detection and response (EDR), data loss prevention (DLP), identity and access management controls, and behavior analytics help mitigate attacks and human error. Alongside them, security awareness training platforms can boost your educational efforts and assess knowledge levels with both ready-to-use and customized interactive software modules.

They provide a variety of content delivery methods (one- to two-minute microlearning lessons, interactive lessons, and episode-based, Netflix-like shows) in styles that can be tailored to the needs of specific roles or audiences. Presenting the same information in multiple forms increases retention rates.

  8. Avoid Punishment

Mistakes are inevitable, regardless of how strong your program is. Security incidents should be treated as learning opportunities rather than cause for punishment. If users fear they’ll be singled out and blamed, reprimanded, or even fired for security-related blunders, they’ll be far less likely to report them.

Taking a “more carrot, less stick” approach will encourage employees to share their experiences and make them feel like collaborators.

  9. Measure, Measure, Measure

Develop metrics to assess the impact of your program and demonstrate return on investment (ROI). Compliance metrics that focus on training completion and other requirements should be accompanied by behavior-related metrics: test results, phishing campaign clicks, and the performance of high-risk individuals. Together these help determine whether you’re preventing more attacks, detecting more incidents, and ultimately reducing more risk.

Properly configured technical controls support tracking and reporting, and security awareness training tools can segment user data to collect program metrics. They offer analytics to help identify areas that need improvement and employees who may need supplemental training.

Never Forget the Human Factor

The majority of today’s threats require humans to activate them, and you can’t automate intuition. By moving beyond traditional security awareness training towards an engaging approach that bakes security into everything your employees do, you can promote positive behavioral change, reduce the impact of incidents, and start building a culture of cybersecurity in your business.

Contact us for more information about developing or maturing your organization’s security awareness training program.


References

  1. Verizon, 2021 Data Breach Investigations Report
  2. nVisium, 2020 Current State of Cybersecurity Awareness
  3. TalentLMS, The State of Cybersecurity Training
  4. SANS Institute, 2021 Security Awareness Planning Kit
  5. More Scoring, Less Boring: How Companies Can Gamify Security Training
  6. 5 Ways to Challenge the Forgetting Curve

About the Authors

Anne Grahn, Director | Corporate Communications & Content

As Director of Communications & Content, Anne Grahn works with CBI's executive leadership to develop and execute cohesive cybersecurity messaging and thought leadership initiatives. She has more than a decade of experience in information security, and extensive writing and editing expertise. She previously held cybersecurity communications positions at Sirius Computer Solutions and SHI International, and maintains a CISSP certification.

Leon Malkowych, Director

Leon Malkowych brings more than 15 years of network and security expertise to his role as Director of Architecture, Implementation and Management Services with CBI. He oversees the strategy, development, and delivery of services designed to help organizations align cybersecurity capabilities with desired business outcomes and strengthen defenses across people, process, and technology. He has extensive experience leading teams of highly experienced engineers, and helping clients build and mature their cybersecurity posture.