As cyber threats continue to grow and online criminals attempt new tactics to trick employees into taking actions that can put sensitive data at risk, employee participation in security awareness training programs is more critical than ever. How can organizations effectively engage staff in security awareness training?
In this article we cover:
- Clear Communication for Employee Participation
- How to make Security Awareness Training Fun for Employees
- Common Mistakes in Security Awareness Training Programs
In 2019, we saw an explosion of ransomware attacks that impacted industry, government and hospitals, and the growth of attacks has continued and evolved in 2020 during the global Covid-19 pandemic. So, what best practices can create employee engagement, increasing participation and ensuring a constant awareness of threats?
Management’s goal should NOT be to use fear, uncertainty and doubt (FUD) as the primary mechanism to change employee behaviors, because scary headlines alone will not change end user actions. Rather, follow these three time-tested steps to improve your security awareness program and lower organizational risk.
Three Priorities for Employee Participation
1. Clear Communication
You’ve probably heard it a hundred times: Great communication is the key to success in any team project. But what does that look like? Here are some tips:
- First, communication must be clear and understandable. Make sure your messaging is targeted at addressing the needs in your organization, with the right voice and tone.
- Second, the messages should be coming from the appropriate executives, managers and supervisors who are recognizable by staff. Follow-up questions and interactions should be encouraged.
- Third, use a variety of material formats and vehicles (or channels) to get your key messages across. Examples include emails, posters, newsletters, team meeting announcements, online portals, group activities during awareness weeks or months, screen savers and other common methods that are familiar to staff. Try to use whatever channels are most effective in your specific situation, and whenever possible, reuse existing mechanisms. Nevertheless, remember that different people respond best to different channels.
2. Make Security Awareness Training Fun, Engaging & Helpful
Even if your messages are clear and delivered via a variety of channels in a consistent manner, attention won’t last nor behaviors change if the security awareness content is boring. Best practices to keep attention include using gamified content that is fun and “sticky” (memorable). Competitions can also motivate employees, since many staff want to “win” or do better than other company business areas or government rivals.
Staff also want you to teach them things they don’t already know regarding technology and security, rather than constantly repeating the same materials over and over, year after year. Some tips include making the material helpful for work at home with families in addition to professional activities. Recent work from home (WFH) office moves during the pandemic in 2020 make home network security and practices a business priority.
Finally, talk with staff about topics that they are interested in. Target training to meet organizational policies and processes, but also ensure that training is useful in people’s personal lives, and answers questions about new and emerging areas of technology, including the specific cyberthreats faced.
3. Brief, Frequent, Focused Training
Your training needs to be brief and consistently focused on a single topic, offered at regular intervals. Year-round training is important, so that staff don’t view security awareness as just a “check-the-box” or “one-and-done” yearly activity for compliance only.
A common mistake is to try to pack too much into each lesson. However, if too many topics are covered, trainees become overwhelmed and discouraged. This can lead to a desire to just get the training over with – generally without a full understanding of the material or behavior change. And even if they go through it all, they’ll likely forget much of it. Bottom line, train well with professional materials on a specific focus area in short bites.
One final thought – measure your results. Ask staff, “Are you learning anything new? Is the content compelling?” Over time, observe whether behaviors are changing.
As you put into practice the above recommendations, you’ll see the participation in your security awareness program increase. You know you are hitting the mark when staff consistently say “thank you” and provide positive (written and verbal) feedback on the security awareness training they are receiving. Use these metrics to report results to management and continuously improve.