Whether you're a leading global company or a small start-up, the data you hold and process is valuable to cyber criminals. This should be reason enough to invest in Information Security (InfoSec), but many wait until it’s too late, only addressing the issue after there's been a data breach. If you'd rather ‘shut the stable door before the horse has bolted’, read on for our tips on how to implement an InfoSec education and awareness programme to improve your employees’ security behaviour and reduce risk.
1. Assess & plan
Before diving headlong into an education programme, conduct an assessment to determine your company’s current position. Not only does this provide a comprehensive picture of your vulnerable areas, but it also provides a benchmark to later measure against.
Once your current position is known, it’s time to determine where you should be, and plan how to get there.
The current complex cyber security threat landscape renders traditional one-off ‘coffee and doughnut’ style training methods ineffective, which is why creating a culture of consistent awareness is so important. You need an InfoSec education and awareness programme which delivers ongoing and dynamic reminders, ensuring you keep pace with the evolving environment. Introduce the following and you can achieve this:
Online Security Awareness Training is a great way to deliver engaging InfoSec content straight to your employee's inbox. It’s dynamic, allowing you to introduce new concepts and respond to current threats with speed. You should choose computer-based training (CBT) modules best suited to your level of InfoSec maturity, that fit with the tone and culture of your company (selecting the level of interactivity and gamification). CBT also means your employees have the convenience of completing the training ‘on-demand', at a time which suits them.
Simulated Phishing is an effective technique which provides your employees with safe ‘hands-on’ experience of real-life threats and teaches them how to deal with them. What’s more, those employees who fall for a simulated phish receive timely and relevant training to understand what they ‘slipped up’ on, and what they should do in the future to avoid these traps. It also acts as a great aide-mémoire, keeping your employees alert to genuine phish!
Finally, don’t forget that differing job roles mean that employees have varying requirements. Seek to provide Specialist Training for high-risk data handlers, such as PCI DSS and GDPR compliance training.
Positive employee behaviour change is more likely to be achieved when education and awareness go hand-in-hand. The following tips will ensure your InfoSec awareness campaign hits the mark:
- Keep it relevant. From the outset, use clear communications to ensure your employees know what's happening, why it's happening, and more importantly how they play a vital part.
- Mix it up! Whilst the ‘cyber best practice’ messages remain the same, be creative with how you communicate to your employees. Use all available channels: intranet, e-newsletters, posters, desk drops, etc.
- Take a ‘little & often’ approach to reduce the strain on your employees’ time. It means you can dodge those ‘I’m too busy for training’ ruses too!
- Provide regular reminders of security hints and tips to embed key messages. Keeping InfoSec at the forefront will ensure the newly acquired knowledge and skills are not forgotten.
Effective measurement will provide you with an understanding of the training success rate and show any gaps or weaknesses in employee knowledge. Taking a holistic view of how the InfoSec education and awareness programme is progressing will enable you to evolve the plan, focus efforts in the high-risk areas and deliver continuous improvement.
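The measurement step above is easiest to act on when simulated-phishing results are turned into a small set of numbers: click rate and report rate per department, the departments above an agreed risk threshold, and the change against the benchmark campaign from the initial assessment. The following script is an added example written for this post, not Savanti's tooling, and it does not read from any real phishing platform. The departments, campaign names, result records and the 25% risk threshold are all constructed assumptions for illustration.

```python
"""Turn simulated-phishing results into programme metrics.

Added example, not Savanti's code. Every record below is constructed sample
data (assumed: one record per recipient per campaign); swap in an export from
your own phishing platform to use it for real.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishResult:
    campaign: str      # campaign identifier, e.g. a quarter ("Q1")
    department: str    # reporting group used for the stakeholder update
    clicked: bool      # recipient followed the simulated link
    reported: bool     # recipient reported the email to the security team


# Constructed sample results: two departments across two campaigns.
SAMPLE_RESULTS = [
    PhishResult("Q1", "Finance", True, False),
    PhishResult("Q1", "Finance", True, False),
    PhishResult("Q1", "Finance", False, True),
    PhishResult("Q1", "Finance", False, False),
    PhishResult("Q1", "Engineering", False, True),
    PhishResult("Q1", "Engineering", True, False),
    PhishResult("Q1", "Engineering", False, True),
    PhishResult("Q1", "Engineering", False, False),
    PhishResult("Q2", "Finance", True, False),
    PhishResult("Q2", "Finance", False, True),
    PhishResult("Q2", "Finance", False, True),
    PhishResult("Q2", "Finance", False, False),
    PhishResult("Q2", "Engineering", False, True),
    PhishResult("Q2", "Engineering", False, True),
    PhishResult("Q2", "Engineering", False, True),
    PhishResult("Q2", "Engineering", False, False),
]


def campaign_metrics(results):
    """Return {campaign: {department: (click_rate, report_rate, recipients)}}."""
    # counts[campaign][department] = [clicks, reports, recipients]
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    for r in results:
        c = counts[r.campaign][r.department]
        c[0] += int(r.clicked)
        c[1] += int(r.reported)
        c[2] += 1
    return {
        camp: {
            dept: (clicks / total, reports / total, total)
            for dept, (clicks, reports, total) in depts.items()
        }
        for camp, depts in counts.items()
    }


def high_risk_departments(metrics, campaign, click_threshold=0.25):
    """Departments whose click rate in `campaign` is at or above the threshold.

    The 25% default is an assumed policy value, not a figure from the post.
    """
    return sorted(
        dept for dept, (click, _, _) in metrics[campaign].items()
        if click >= click_threshold
    )


def trend(metrics, department, baseline, latest):
    """(click-rate change, report-rate change) from the benchmark campaign to
    the latest one. A negative click change and a positive report change both
    mean behaviour has improved."""
    b_click, b_report, _ = metrics[baseline][department]
    l_click, l_report, _ = metrics[latest][department]
    return (l_click - b_click, l_report - b_report)


def stakeholder_summary(results, baseline, latest):
    """Plain-text lines suitable for a regular update to decision-makers."""
    metrics = campaign_metrics(results)
    lines = [f"Simulated phishing: {baseline} (benchmark) vs {latest}"]
    for dept in sorted(metrics[latest]):
        click, report, total = metrics[latest][dept]
        d_click, d_report = trend(metrics, dept, baseline, latest)
        lines.append(
            f"  {dept}: clicked {click:.0%} ({d_click:+.0%}), "
            f"reported {report:.0%} ({d_report:+.0%}), n={total}"
        )
    risky = high_risk_departments(metrics, latest)
    lines.append("  Focus areas: " + (", ".join(risky) if risky else "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(stakeholder_summary(SAMPLE_RESULTS, "Q1", "Q2")))
```

Tracking the report rate alongside the click rate matters: a department whose click rate is unchanged but whose report rate has risen is still improving, because reported emails are what give the security team early warning of a genuine phish. Keeping the first campaign as the fixed benchmark is what lets the later updates show progress rather than a snapshot.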
By providing your stakeholders with regular updates, you will ensure that company leaders and decision-makers can see risk areas and developments, in order to keep InfoSec education and awareness firmly on the agenda.
Empower your greatest assets with Savanti
In this blog, we provide tips on how to create a positive security culture within your business via education and awareness. Read our previous blog, ‘Cyber Training & Awareness - What's your weakest link?' for an overview of the importance of educating your employees.
Savanti can help change your employees’ security behaviour and reduce your risk now. We would be very happy to support you on this journey, so please get in touch – email@example.com or visit the chat function on our website: www.savanti.co.uk