The Security Innovation Europe Blog

What Makes a Great Security Awareness Training Program?

Posted by Alan Pearson on Jul 9, 2014


So you’re interested in implementing a security awareness training program for your employees.

That begs a few questions:

  • What should be included?
  • What shouldn’t be included?
  • Should it be customised for different employees? 
  • What’s the best way to implement security awareness training? 
  • How do I ensure the program is successful?

In today’s post I run through the key elements of a successful security awareness training program.

Company Wide

First things first, it’s important that your security awareness training program is rolled out company wide. It’s not enough just to train individual departments, or people in specific areas of the company.

Security needs to be taken seriously within your organisation, and unless all staff are trained on best practices, it will never be treated as a priority. 

Senior Commitment

Your senior executives need to be 100% committed to implementing your program. That means they need to be aware of best practices themselves, and ensure that security awareness is treated with importance. If senior employees don’t treat security seriously themselves, employees in the rest of the organisation won’t either.

It’s also important that security awareness training isn’t just delegated down to one department without real senior buy-in. Other projects will take priority over the roll-out of training, and that will result in a program which is ineffective or left unfinished.

Tailored Training

Different members of your organisation need to be supplied with different levels of security awareness training. It doesn’t make sense for your software developers to receive the same training as your receptionists. Likewise, it doesn’t make sense for your chief executive to receive the same training as a middle manager, either. 

Employees involved in building the applications you use every day should in particular receive additional security training. We previously discussed that in How to Start Securing Your Organisation’s Applications.

Information Security Focus

The core focus of an effective security awareness training program should be information security. It’s a lack of information security awareness that causes the biggest threat in organisations, as we explained in our previous post: How to Reduce The Biggest Risk to Information Security.

This means training all staff on how to keep data secure wherever they’re taking it or accessing it, be that from home, a coffee shop, on their mobile or connected to an airport’s wifi. It also means ensuring that employees are only given access to the systems and information they need, and that they are well trained in password best practices. Weak passwords are one of the biggest threats to information security.

Roll-out of Basics

An effective security awareness training program should have a basic element which everyone is trained in. This basic program needs to cover the absolute minimum that everyone in the organisation needs to know. More advanced tailored training can then be issued in addition to this. 

It takes time to develop a comprehensive training program, and by rapidly rolling out a basic program, you can start tackling the biggest risks as soon as possible. There are lots of cost-effective computer-based training programs available to help you roll out a basic awareness program like this.

Measurement

Last, but not least — you need to think about measurement. That means testing your staff on security awareness both before and after courses. It’s not enough just to assume that because you’ve put employees on a training course, they’ll now implement the practices. 

Regular testing is important to ensure that security awareness remains a priority, and that employees across the organisation are continuing to use the best practices they’ve learned.

Other metrics can be analysed to measure the effectiveness of security awareness training programs, too. For example, you could monitor the number of security breaches reported and information leaks. For a real test, it’s worth regularly hiring penetration testers in order to find weak links in employee training.

Have any suggestions for other things that need to be considered when developing a security awareness training program? Share them in the comments below!
