How to Buy a Security Awareness Training Program
- January 11, 2019
Are you in search of a security awareness training program to help educate your employees on cyber security best practices? There are lots of options, and you may even be deciding between developing one yourself and choosing a vendor. Most organizations eventually face the tough realization that they need to move beyond trying to develop an entire security awareness program by themselves. This is because most organizations don’t have the expertise, design resources, educational knowledge, software, and/or infrastructure to develop an effective security awareness program on their own. Reaching out for advice from experts in the security awareness industry is a trend moving in the right direction.
"Running a security awareness program is very similar to running a marketing campaign. But instead of selling a product or service, you are promoting the brand of security."
There is a reason your accounting department uses accounting software, your sales team uses a CRM, and your marketing team uses marketing automation tools. All of these tools help make those teams more efficient and focus on a specific task to help them successfully manage their work. Security awareness training is no different, so you should look for a partner to help you be successful in this area.
What you have to realize is that you are buying a security awareness training program for your employees, so don’t buy it just for yourself. I will repeat that. You are buying a security awareness program for your employees, because if they don’t like it, what’s the point? After you have reached the moment that you want to make a difference in your security culture by partnering with a security awareness vendor, how do you decide which vendor to choose? This is your complete guide on how to buy a security awareness training program for your employees. Enjoy!
The first step in buying a security awareness training program is getting your management’s approval. Essentially, you need management to believe and understand that a strong security awareness program is a necessity in today’s modern and evolving business. No matter how big or small your organization is, if you don’t have a way to communicate cyber security best practices to your employees on an ongoing basis, you are at high risk of falling victim to an attack. How high? Over 90% of security breaches are caused by human error from your own employees. Let that sink in. Your goal is to convince your management that the investment in a security awareness training program will protect your business from cyber threats and allow employees to use critical thinking in their daily job roles when it comes to security decisions.
If your first criterion is to get the lowest price possible for security awareness training, you will end up with a program that your employees hate. Imagine buying a house with the sole agenda of finding the cheapest one possible, with no regard for the quality of the house itself. You’ll end up with buyer’s remorse, stuck in a house you have paid for and are forced to live in while it falls apart. You will have a tremendous amount of work ahead of you to maintain, manage, and invest in that house. Security awareness training programs are an investment for your company and for your employees, so don’t treat the buying process as a commodity purchase.
Most security awareness programs are priced per employee in plans covering the entire year. So, when budgeting, you should expect to be somewhere in the ballpark starting at $20 per employee for access to the program all year long. Depending on all the bells and whistles, you will see this number fluctuate, and you will most likely get a volume discount the more employees you have in your organization. The budget might come from your IT department, HR department, training budget, etc. You may even share budget dollars across departments, since this program touches on protecting the entire organization.
Content and Delivery
Once you have a budget and management approval, your search will lead you to content. Content quality is the most important factor when choosing a security awareness training program. Content will determine the success or failure of developing a security culture. There are many different styles of content, but you will want to focus on production value first and foremost. What that means is: does the content you are planning to deliver look professionally developed, catch and keep your attention, and convey the right message to your employees? Are you planning on giving employees content made with minimal thought, quickly thrown together in PowerPoint, or are you giving them a learning experience they won’t forget? How do you think your employees will feel about the content?
Your content should cover a variety of security awareness training topics that every employee needs to understand. Your focus shouldn’t be on dictating highly specific technical information to employees, but instead giving them the insight to become more secure at work and at home.
Simplicity is the key. Employees are not security experts. Most of them aren’t lawyers or very technical. They will not sit and watch a 40-minute video of someone blabbing about technical security topics. They will not pay attention to an hour-long Death by PowerPoint presentation written by the legal team. You will need to choose a partner that can articulate difficult and technical concepts into a message that is simple, relatable, and easy to understand.
Message consistency is key to success, ensuring that employees receive similar messaging about what they should be doing when it comes to security. Inconsistent messaging is like a Ferrari salesman selling Skechers shoes: it just doesn’t make sense, so why put your employees through a random, confusing, and inconsistent content experience?
Delivering content is key once you have the right material. What good does a great security awareness campaign do if you can’t deliver it to all of your employees? You will want to choose a security awareness partner that focuses on delivering content throughout the year instead of only providing once-a-year training for employees. This is important to keep employees constantly engaged with short, relatable messaging that keeps security top of mind. If you try to force-feed a tremendous amount of content, the messaging will quickly be forgotten by the employees. Bite-size content dripped throughout the year has proven to be the most effective delivery method inside organizations with powerful security awareness programs.
Lastly, when dealing with content, you will want access to other tools that help promote your brand of security. You should have access to a range of digital and physical materials that can be produced to help promote security awareness amongst your employees. All of this content should follow a consistent themed message for your employees. Security awareness posters, digital signage, downloads, reminders, stickers, webinars, and any other activities should all be part of your plan for a successful content delivery strategy.
Employee Pilot Program
After you have selected some content, run a pilot program with your employees. Remember what I said before: you’re buying a security awareness program for your employees, so you will be doing yourself a disservice by not including them in the buying process. Simply get a group of around 5-10 employees from different departments and have them sample the new security awareness training content. Ask them what they liked, what they didn’t like, and how it compares to their current employee cyber education program. Continue to focus on the fact that you are buying this security awareness program for your employees, not yourself. If they don’t love the program, you will not see an effective shift in your security culture. You will continue to see your employees viewing security as a roadblock and end up with a toxic security culture.
Based on the results of your pilot program, take the feedback seriously. Listen to what grabbed your employees’ attention, what didn’t, and what they would like more help learning about. All of this feedback is great to establish upfront, so you know where to start focusing your attention.
Phishing Simulation Tests
Your security awareness training program should include access to an integrated phishing simulator that allows you to send phishing tests to your employees throughout the year. Phishing and social engineering continue to be among the biggest risks targeting organizations of all sizes. Running simulated real-world phishing attacks is a great way to understand where your employees are at risk of falling for these types of attacks.
You will want partner software that is simple to manage and gives you clear visibility into the data behind your simulated phishing tests. These results should be exportable to a report that you can use to discuss progress internally with your team. This will allow you to gain actionable insights into how your phishing training program is progressing.
One aspect of phishing simulations you will encounter is employee emotional intelligence. This concerns how you make your employees feel after they fall for a phishing simulation test. Most vendors will ignore this step, and your employees will feel distrust, anger, and confusion about why this is happening to them. So, you will want to ensure you choose a security awareness partner that focuses on the employee experience before and after your phishing tests. This will allow you to focus on training employees who are weaker in their phishing defense skills and on implementing positive messaging across your educational campaigns. You want all of your employees to be on the same team when defending against phishing. Don’t overthink the technical aspects of phishing tests. Focus on getting everyone in your organization to learn what to look for, how to look for it, and where to report attacks. You should be able to ask your vendor for clear guidance on how to launch and maintain a successful phishing training program.
What do you do with all the data you are collecting? Your training program will collect a lot of data about your employees: scores, training completion records, durations, downloads, attendance, and other interactions throughout the year. You will need a simple dashboard to visualize how your program is doing at a glance, along with insights into where your company needs work. You will also need to provide auditors and other compliance stakeholders with data right out of the platform to showcase the results of your program. You will want to simply view and download a report that showcases your security awareness program at a glance.
Strategy and Plan
Ask about the onboarding plan and how long it will take to get your security awareness program up and running. Typically, you would want to choose a partner that makes your life simple and the lives of your employees simple. Quick and easy access to content should be your goal for the employee experience. Creating a launch strategy and plan is the key to a successful implementation of a security awareness training program. Ensure that all of your employees are fully aware of why security is a priority for your organization. This is the point where you would announce that your organization has invested in a program to help employees learn how to protect themselves from cyber threats. Again, messaging is very important: focus on why you are here to help your employees learn more about cyber security threats and how to defend against them. If you announce that you are enforcing mandatory training and treat it as a compliance-focused activity, you will not get the response and participation from your employees that you are expecting.
Every vendor should provide support to make sure your security awareness program is a success. What we mean here is not just support for features or trouble tickets, but guidance and advice as you progress in your program. You have selected a security awareness partner for a reason. Your team requires guidance on how to deliver and manage a powerful security awareness program based on best practices. Your vendor has the experience and insight that comes from overseeing many different programs across a variety of industries. Lean on them to help you in any way possible to make sure your employees are getting the most out of your security awareness training investment.
We hope our guide helps you in your buying journey for the perfect security awareness training program. Your fellow employees and your organization will thank you for all of the effort you have put into researching and implementing a successful program for them.
This post originally appeared on the Curricula security awareness blog.