Whether you are a leading global company or a small start-up, the data you hold and process is valuable to cyber criminals. This should be reason enough to invest in Information Security (InfoSec), but many wait until it’s too late, only addressing the issue after there has been a data breach. If you would rather ‘shut the stable door before the horse has bolted’, read on for our tips on how to implement an InfoSec training and awareness programme to improve your employees’ security behaviour and reduce risk.
1. Assess & plan
Before diving headlong into a training programme, conduct an assessment to determine your company’s current position. Not only does this provide a comprehensive picture of your vulnerable areas, but it also provides a benchmark to measure against later.
Once your current position is known, it’s time to determine where you should be, and plan how to get there.
2. Educate
The current complex cyber security threat landscape renders traditional one-off ‘coffee and doughnut’ style training methods ineffective, which is why creating a culture of consistent awareness is so important. You need an InfoSec training and awareness programme which delivers ongoing and dynamic reminders, ensuring you keep pace with the evolving environment. Introduce the following and you can achieve this:
Online Security Awareness Training is a great way to deliver engaging InfoSec content straight to your employees’ inboxes. It’s dynamic, allowing you to introduce new concepts and respond to current threats with speed. You should choose computer-based training (CBT) modules best suited to your level of InfoSec maturity and that fit the tone and culture of your company (selecting the level of interactivity and gamification). CBT also means your employees have the convenience of completing the training ‘on-demand’, at a time which suits them.
Simulated Phishing is an effective technique which provides your employees with safe ‘hands-on’ experience of real-life threats and teaches them how to deal with them. What’s more, those employees who fall for a simulated phish receive timely and relevant training to understand what they ‘slipped up’ on, and what they should do in the future to avoid these traps. It also acts as a great aide-mémoire, keeping your employees alert to genuine phish!
Finally, don’t forget that differing job roles mean that employees have varying requirements. Seek to provide Specialist Training, such as PCI-DSS and GDPR compliance training, for high-risk data handlers.
3. Reinforce
Positive employee behaviour change is more likely to be achieved when training and awareness go hand-in-hand. The following tips will ensure your InfoSec awareness campaign hits the mark:
Effective measurement will provide you with an understanding of the training success rate and show any gaps or weaknesses in employee knowledge. Taking a holistic view of how the InfoSec training and awareness programme is progressing will enable you to evolve the plan, focus efforts in the high-risk areas and deliver continuous improvement.
By providing your stakeholders with regular updates, you will ensure that company leaders and decision-makers can see risk areas and developments, keeping InfoSec training and awareness firmly on the agenda.
Empower your greatest assets with Savanti
In this blog, part 2, we provide tips on how to create a positive security culture within your business via training and awareness. Read our previous blog, part 1, ‘Training your staff in Cyber Security is crucial – Here’s why…’, for an overview of the importance of training your employees.
Savanti can help change your employees’ security behaviour and reduce your risk now. We would be very happy to support you on this journey, so please get in touch at info@savanti.co.uk or use the chat function on our website: www.savanti.co.uk