3 Core Elements of a Security Awareness Training Program

So, you’ve accepted the fact that your employees (including you – and me for that matter!) are far and away your weakest link when it comes to the security of your data.

You know that even if you perform periodic risk assessments, and even if you create and document the most airtight IT policies, all it takes is one person clicking one rogue attachment and boom – your entire network is infected with ransomware.


Now you want to do something about it.

If you’re looking to educate your team on the types of security threats out there, what they look like, and how to avoid them, the best way to do so is to implement and maintain a Security Awareness Training program.

There are three core elements to a successful program:

  1. The Annual Training

Hold an hour-long all-hands meeting. If you can’t get everyone in the room at once, start with a virtual all-hands meeting (and record it for those who come aboard later).

Teach your staff about current security trends, and offer recommendations for day-to-day use of technology. You might, for example, spend time talking about spear phishing and how scammers will often pose as CEOs demanding time-sensitive wire transfers. You’ll want to emphasize that your team needs to anticipate these scams, and to always confirm that these emails are legitimate (i.e. pick up the phone and ask) before responding.

Some other key areas of focus are creating strong passwords, how to identify a sketchy website, what to do if you suspect your machine has been infected, and so forth.

Your IT team should be able to help you put together the content for these sessions. If you don’t already have policy documents to codify what you’re teaching, seize the opportunity.

  2. The Monthly Refreshers

Threats evolve and people forget, so your annual meeting alone will not be sufficient.

Each month have your IT team send out 1-2 helpful tips to your staff to reinforce and expand upon what you covered during training. The purpose is twofold: (1) to offer helpful, educational information, and (2) to keep security top-of-mind.

These don’t, of course, have to be monthly; find the cadence that works best for your company and keep it consistent. Just be careful not to pelt your people with tips too frequently or they’ll end up tuning them out as white noise.

  3. The Random Tests

On top of these recurring events, throw some surprises into the mix to keep your team on their toes.

We’ve seen companies have great success with phishing simulators like KnowBe4 that will send out fake scams and see whether or not your team falls for them. If they do, they’ll be required to complete a related training activity.

These “tests” provide interactive reinforcement to drive the information home. The results will also help inform your training sessions, as you’ll see plainly how savvy your staff is and where they could use some extra education.

As with any program, it is absolutely critical that you remain consistent; the minute you drop the initiative, you are communicating to your staff that this isn’t actually a priority, and that they need not take it all that seriously.


So work with your IT team to get the outline in place, and work with your leadership team to keep the rollout moving forward systematically.

The safety of your data depends on it.


As originally published in the American City Business Journals