
Considerations for effective employee security awareness training

Written by Jo Goodenough | Feb 21, 2021 4:00:02 PM

With an abundance of cyber security advice readily available, many organisations find it hard to know where to begin. Additionally, explaining to employees why cyber security is something they should care about can be hard.

Smaller businesses and charities may not have the time or budget to implement specific cyber security learning and development plans. Without some basic training in place, employees can be left completely exposed to cyber attacks.

Larger organisations, even those lucky enough to have dedicated training resources, may still find it difficult to explain the technical aspects of cyber security to their staff in ways that are relevant and easy to understand.

The three main cyber security awareness functions that should be considered are:

1. Cyber security training

Tailored security awareness training is fundamentally important when on-boarding new employees. Additionally, it is essential to run regular refresher training for existing employees at least once a year.

With new starters, it is probably safe to assume there is very little, if any, cyber security knowledge. The best approach would be to start at the beginning and introduce the importance of cyber security, how attacks happen and the role that they play in protecting the company, its people and customers. Four key areas to cover include:

  • Securing devices;
  • Using strong passwords;
  • Defending against phishing; and
  • Reporting incidents.

Face-to-face training time, particularly during the current pandemic, is difficult to achieve. Organisations should ensure employees can access training materials remotely. There are a variety of online computer-based training (CBT) platforms that can deliver relevant, up-to-date and engaging content. Savanti partners with a range of market-leading companies such as Hoxhunt, BoxPhish, Cofense, KnowBe4 and Proofpoint.

Work out how best to run employee security awareness training by studying specific teams within the organisation and learning more about the level of security risk associated with the overall business and with specific job roles and tasks. This will provide a better understanding of what training is required and the approach to be taken. Annual training might be best, or delivering more regular, smaller bite-sized training modules throughout the year might be more effective. Additional targeted training may be required for specific high-risk roles, individuals and teams.

Savanti can provide this specialist training for areas such as finance, c-suite, and high-risk data handlers.  

Specific sessions with the leadership team can help drive the right behaviours and security culture and enable them to disseminate security messaging to the rest of the employees.

2. Communications and awareness

A comprehensive cyber security awareness programme should provide a holistic approach and focus on employee awareness through continuous and layered communication of security information which supports and reinforces any formal training.  

Effective security communications underpin the overall development of a security culture. A holistic security communications plan should be tailored to the organisation and be appropriate to its size and number of employees, risk profile, culture and the budget available.

3. Simulated phishing

Simulated phishing is an essential component of an overall cyber awareness training programme.

Simulated phishing provides employees with a safe 'hands-on' experience of real-life security threats and the knowledge of how to deal with them. It rapidly improves their ability to understand, recognise and report security threats. Additionally, it enables the organisation to monitor and measure the ongoing improvement and effectiveness of security training. For example, if high numbers of staff are falling for simulated phishing, the training plan and approach need adjusting. Track the reporting rate as well as the click rate: a simulated email that nobody reports shows the organisation would get no early warning of a real one, even if few people clicked. Simulated phishing can also help identify where additional targeted support is needed within the organisation.
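To make "monitor and measure" concrete, the following added example (not code from the original post or from any of the platforms named above) turns per-recipient campaign results into the numbers a security team would actually act on: click, credential-submission and report rates per department, per campaign so one round can be compared with the next, the departments that need targeted support, and the users who clicked in more than one campaign. The campaign data, department names and the two thresholds are constructed for illustration; a real programme would export results from its phishing platform and set thresholds from its own baseline.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional


class Result(NamedTuple):
    """Outcome for one recipient in one simulated phishing campaign."""
    campaign: str
    user: str
    department: str
    clicked: bool     # followed the link in the simulated email
    submitted: bool   # entered credentials on the landing page
    reported: bool    # used the report-phishing button or mailbox


# Constructed sample results for two campaigns (illustrative data, not a real export).
SAMPLE_RESULTS: List[Result] = [
    Result("2021-Q1", "alice", "finance", True, True, False),
    Result("2021-Q1", "bob", "finance", True, False, False),
    Result("2021-Q1", "carol", "finance", False, False, True),
    Result("2021-Q1", "dave", "finance", False, False, False),
    Result("2021-Q1", "erin", "engineering", False, False, True),
    Result("2021-Q1", "frank", "engineering", False, False, True),
    Result("2021-Q1", "grace", "engineering", True, False, True),  # clicked, then reported
    Result("2021-Q1", "heidi", "engineering", False, False, False),
    Result("2021-Q1", "ivan", "sales", True, True, False),
    Result("2021-Q1", "judy", "sales", False, False, False),
    Result("2021-Q2", "alice", "finance", True, False, False),
    Result("2021-Q2", "bob", "finance", False, False, True),
    Result("2021-Q2", "carol", "finance", False, False, True),
    Result("2021-Q2", "dave", "finance", False, False, False),
    Result("2021-Q2", "erin", "engineering", False, False, True),
    Result("2021-Q2", "frank", "engineering", False, False, True),
    Result("2021-Q2", "grace", "engineering", False, False, True),
    Result("2021-Q2", "heidi", "engineering", False, False, True),
    Result("2021-Q2", "ivan", "sales", True, True, False),
    Result("2021-Q2", "judy", "sales", True, False, False),
]


def department_metrics(results: Iterable[Result],
                       campaign: Optional[str] = None) -> Dict[str, Dict[str, float]]:
    """Click, credential-submission and report rates per department.

    With `campaign` set, only that campaign is counted; comparing one round
    with the next is how you see whether the training is actually working.
    """
    counts = defaultdict(lambda: {"delivered": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for r in results:
        if campaign is not None and r.campaign != campaign:
            continue
        c = counts[r.department]
        c["delivered"] += 1
        c["clicked"] += int(r.clicked)
        c["submitted"] += int(r.submitted)
        c["reported"] += int(r.reported)
    metrics: Dict[str, Dict[str, float]] = {}
    for dept, c in counts.items():
        n = c["delivered"]
        metrics[dept] = {
            "delivered": n,
            "click_rate": c["clicked"] / n,
            "submit_rate": c["submitted"] / n,
            "report_rate": c["reported"] / n,
        }
    return metrics


def needs_targeted_support(metrics: Dict[str, Dict[str, float]],
                           max_click_rate: float = 0.15,
                           min_report_rate: float = 0.25) -> List[str]:
    """Departments whose numbers call for extra, targeted training.

    The two thresholds are assumptions for this example. A low report rate is
    flagged alongside a high click rate: a campaign nobody reports means the
    security team would get no early warning of a real phish.
    """
    flagged = [d for d, m in metrics.items()
               if m["click_rate"] > max_click_rate or m["report_rate"] < min_report_rate]
    return sorted(flagged, key=lambda d: metrics[d]["click_rate"], reverse=True)


def repeat_clickers(results: Iterable[Result], min_campaigns: int = 2) -> List[str]:
    """Users who clicked in at least `min_campaigns` distinct campaigns (candidates for 1:1 support)."""
    clicked_in = defaultdict(set)
    for r in results:
        if r.clicked:
            clicked_in[r.user].add(r.campaign)
    return sorted(u for u, camps in clicked_in.items() if len(camps) >= min_campaigns)


if __name__ == "__main__":
    for camp in ("2021-Q1", "2021-Q2"):
        print(camp)
        for dept, m in sorted(department_metrics(SAMPLE_RESULTS, camp).items()):
            print(f"  {dept:12} click {m['click_rate']:.0%}  "
                  f"submit {m['submit_rate']:.0%}  report {m['report_rate']:.0%}")
    print("needs targeted support:", needs_targeted_support(department_metrics(SAMPLE_RESULTS)))
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

In the sample data the engineering department's click rate falls from 25% to 0% and its report rate rises from 75% to 100% between the two rounds, which is the trend a working programme should show; sales, by contrast, clicks often and never reports, so it is the first place to put targeted training regardless of how the organisation-wide average looks.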

A comprehensive online security awareness training programme should draw all of the above elements together to give employees a heightened understanding of cyber security threats and the knowledge of how to avoid them, reducing the organisation's exposure to cyber security risk.

Look out for Savanti's next blog which covers: 'Your cyber security awareness training problems solved!'
