We all make mistakes, but when it comes to your security awareness training program, even small mistakes can have huge (and costly) consequences for your organization.
Discover the top three (3) common mistakes that your organization might be making in its security awareness program. Don’t worry, you’re not alone. Most organizations make at least one of these common mistakes, and we wanted to provide some advice on how to improve.
1. Too boring
Everyone knows the phrase: if it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck. Well, if your security awareness training looks like a chore and feels like a chore, then it probably is a chore.
Providing chore-like training will do more harm than good for your employees’ ability to learn and retain best cyber practices. Using overly technical terms and boring employees to death are two issues we see far too frequently in security awareness training, and both far too often lead to inevitable mistakes and even breaches.
Just like any type of training, you must know your audience. You don’t teach a Day One med student how to perform open-heart surgery, so why would you teach your employees about cyber security with complex technical procedures?
The solution? Have fun! Making it relatable, enjoyable, and comprehensible for every member of your organization is the key to a well-rounded security awareness training program.
There’s an argument, “you can’t have fun and be serious at the same time.” My rebuttal is, who decided that? The point of making something as important as cyber security training fun is that it engages people to care and no longer view cyber threats as something that can’t be stopped.
2. No goals
You can’t win in security awareness training. There’s no end, so you can’t treat your goal as a finish line. The primary goal of security awareness is to create momentum towards building a security culture.
The reason is that cyber security is not controlled by one individual in your organization; every person plays a part. As we know, mistakes are a part of life, and so are ever-advancing and never-ending cyber threats. Sorry to be the bearer of bad news, but it’s about learning from these mistakes so your employees will actually learn what they’re supposed to do to help prevent cyber attacks.
Don’t worry, now onto the good news. There are a number of things you can do to defend against these threats, and they’re attainable goals:
- Celebrate the little wins. When employees score high on an episode quiz or catch all of DeeDee’s phishing simulations, let everyone know. It helps build camaraderie amongst your employees and even some healthy competition.
- Listen to the feedback loop. Regularly check in with your employees on how things are going. Questions like: What is working (or what isn’t working)? How can we improve our current process? It will help to tweak your security awareness training program. Every organization has different needs and you’ll only find out by asking.
- Create an open line of communication between management and employees. Management should be communicative and candid about phishing results and any cyber threats they face. And on the other side, employees should feel comfortable enough to tell management if they’ve clicked something odd without fear of punishment.
- Lessons should be learned. In the event that a cyber problem does come your way, how will you react? The ability to learn from it and make adjustments is key. When a pro athlete doesn’t make the game-winning goal or touchdown, they don’t quit. They learn, adjust and practice until they achieve their goal.
It’s important to point out that most of the goals above aren’t based on numbers. Having your employees not fall for DeeDee’s phishing tests is awesome, but it’s not the only way to deem success. The main goal of your security awareness training program should be to build a security culture and make your employees more cyber-aware.
3. Too inconsistent
Consistency is critical to any learning process. There’s a reason kids have the same routine for 18 years in school. Security awareness training is no different. Opting exclusively for annual training or being strictly compliance-focused is not the same as having a comprehensive security awareness program that’s consistently delivered throughout the year.
Think about it: hackers aren’t waiting every 365 days to attack, so why should you? There’s no such thing as ‘one and done’ when it comes to cyber security training. It’s time to put an end to the myth that annual training works, because it’s the equivalent of a straw fort as your main line of defense.
With compliance frameworks such as SOC 2, it can be tempting to make compliance the sole focus of your security awareness program. However, it’s important to remember the big picture, which is effectively training your organization’s employees on cyber security.
So how can you avoid this? Simple: by building a culture of ongoing training. Think of your security awareness training as changing your sheets. It should be done frequently or else you’ll face the smelly repercussions. Don’t be the person who metaphorically only changes their sheets once a year or the organization that only hosts annual cyber security training.
The biggest mistake in security awareness is simply not caring! If management doesn’t care then your employees won’t care either. If your employees don’t care, then hackers will definitely take advantage of their complacency.
Going back to our pro athlete analogy, you don’t become a sensation overnight; it takes years of commitment, care, and practice to make it in the big leagues. The results you want should match the effort that gets put in.
Here are a few things you can do to show you care:
- Provide fun and enjoyable training
- Reward employees who catch DeeDee’s phishing simulations (rather than punish the ones who don’t)
- Keep open lines of communication between you and your employees
- Listen to feedback and make improvements
A common theme we see is organizations only caring about training once they’ve experienced a cyber attack themselves. The most frustrating part is to see how easily it could have been prevented with a simple security awareness training program. Sometimes people need that bucket of cold water splashed in their face in order to make a change. It’s well-known that preventing a breach is much less costly than recovering from one.
As you can see, there’s no silver bullet in security awareness or big secret to fixing any of these mistakes. All it takes is a fun, goal-oriented, and consistent security awareness training program to get your organization’s security culture in shape.