By Theo Zafirakos, CISO, Terranova Security
The universal participation of an organization’s employees in security awareness training programs is fundamental to improving its long-term security. Building a security-aware culture is the first step to cultivating the participation for security awareness training programs. The challenge for many companies is that if the training materials are not easily digestible, engaging, and entertaining, then participation tends to be low.
In security awareness training, anything below 90% participation is considered to increase risk for the organization. This means that knowing how to target employees, including senior leadership and executives, is crucial to teaching them the skills and information they need to protect the organization.
Identifying Your Target Audience
Relevancy is key to having engaging security awareness content. There’s no shortcut to producing relevant training materials; the only way is to take time to identify your target audience and the cyber threats they’re exposed to daily. Most organizations’ target audiences can be broken down into several key groups:
- Executives – Executives and Leadership team need to be aware of security risks to understand the importance of supporting and funding security awareness initiatives.
- Managers – Managers’ security awareness is critical to ensure they take responsibility for acting as ambassadors and security role models.
- Individual Contributors – Contributors are your first line of defense against cyber-attacks, so it’s paramount that they adopt the best practices and behaviors needed to stay safe online.
- IT Security Team – Your ITS team will help guide your information security best practices and manage the network, systems, and application vulnerabilities in your environment.
Recommended Topics Per Audience
Training topics depend on the security risks specific to an organization’s environment. There are, however, a few go-to topics that apply to all organizations:
- Executives
Consider covering topics like priority risks facing your organization, secure use of mobile technology, safe handling of sensitive information, common attacks and scams targeting executives, and security and awareness compliance obligations.
- Managers
All executive topics plus an overview of information security and governance, your IT security environment, the proposed security awareness program, and IT security controls.
- Individual Contributors
Aim to increase knowledge of security threats with topics such as information security and privacy, security essentials (like password creation, email use, malware), internet usage essentials (social media, safe browsing, cloud computing), typical phishing and social engineering techniques, cyber-attacks, and data handling.
- IT Staff
To raise awareness of security best practices related to the networks, systems, and application vulnerabilities in your environment, consider a network security overview, an application security overview, common network and application attacks, the system development life cycle, secure coding, cryptography, and key management.
Building Effective Awareness Training Materials for Your Audience
Once the target audiences have been identified, you need a strategy for building and delivering engaging training materials. The first step in the process is to create educational topics relevant to each individual and audience, tied to their day-to-day activities.
For example, if your end-users are sales or account representatives who send lots of emails, incorporating training materials on phishing threats and phishing simulations will provide them with helpful guidance to detect phishing scams.
The most important thing is to focus on building engaging and interactive materials. In practice, that means:
- Create bite-sized microlearning modules that employees can easily digest
- Use plain language the audience can understand
- Communicate with your audience in their native language
- Incorporate gamification and interactive exercises like phishing simulations
The Importance of Executive Participation
A significant mistake an organization can make when building its security awareness training programs is not to prioritize executive participation. This oversight can have a real negative impact, as not only are executives valuable champions of cyber security investment and cultural change, but they are also end-users who are the target of cyber threats themselves.
C-suite executives are often the target of cyber criminals through credential harvesting campaigns as they hold valuable data nefarious actors are looking for. If they fall victim to these attacks, the damage to an organization can be immense; therefore, it’s essential to ensure that everyone in the organization is involved in the training program.
To See Success, Know Your Audience
There are no shortcuts to creating engaging security awareness training programs and increasing participation. The best way to build the proper program is to tailor the learning content to your audience. Knowing who your audiences are and the threats they face on a day-to-day basis will allow you to provide them with relevant learning opportunities. With this knowledge you can cultivate a security-aware culture within your organization and build cyber heroes who will know how to protect themselves from cyber threats.
About the Author
Theo Zafirakos is CISO of Terranova Security. He is responsible for all areas of information security at Terranova Security, including the creation and management of strategy, programs, governance, information risk assessments, and compliance. Terranova Security is the global leader in Cybersecurity Awareness, with 10M+ Trained Cyber Heroes in 200+ Countries and 40+ Languages. He leads Terranova’s Professional Services team, which helps clients implement and execute information security awareness programs with measurable results: programs that help users recognize the events that require a specific action, know what the appropriate action is, and be motivated to take that action. Theo can be reached online at LinkedIn and at the company website http://www.terranovasecurity.com