With human error now being a top concern amongst businesses, security awareness training is starting to evolve. But what key steps can you take when getting your program off the ground?
So you might be looking to implement an effective cyber security awareness program for your users, or maybe you're just looking to improve your efforts to date. Either way, there are some vital steps that you need to take in order to make sure your hard work doesn't fail at the first hurdle.
These seven steps will give you some of the fundamentals of creating and executing a successful security awareness program.
Gain support from the C-suite
We know… we’re not exactly starting you off with an easy one here. But gaining support from the senior team early will pay off throughout the life of your program: it buys you freedom to set policy, company-wide backing when you need other departments to act, and a budget that survives the next round of cuts.
It may sound like a difficult task, but there are certainly ways around these obstacles. For instance, clearly highlight the repercussions of not supporting a security awareness training program, and there are plenty of those to choose from. Most compliance frameworks your business is likely to be audited against require you to show evidence that staff have received security awareness training, and the program is a vital step towards avoiding the financial and reputational damage that follows a breach.
Long story short - make life easier for yourself by educating your board before you educate your users.
Cover relevant topics
Cyber security breaches are making headlines now more than ever. After huge-scale attacks like WannaCry, which disrupted large parts of the NHS, and Petya, people who had never previously batted an eyelid are now taking notice. The attacks themselves are bad news, but their profile is something you can use to your advantage.
Making regular use of these attacks to demonstrate the relevance of your efforts can help motivate users to follow the advice of the program. As smaller breaches rarely make the news, you’ll probably have to lean on the big fish for headlines. There are, however, plenty of reports and figures on cyber attacks against SMEs to draw on, which are often more relatable for your users (if you haven't already, sign up to our free weekly roundup of cybersecurity news, breaches and latest industry reports to keep yourself and your users up-to-date).
Get involved with other departments
“Cyber security? That’s a problem for the IT department”... For IT security professionals, this statement is enough to make your stomach turn. Cyber security is not just a problem for the IT department; it is the responsibility of every department in your organisation.
From finance and accounting, to HR and marketing, gaining the support of each department is another key step to ensuring your awareness program doesn't fall flat on its face. As covered in step one, already having the support of the C-suite makes this a much easier conversation.
Some departments can even make security awareness efforts mandatory. For example, the legal and compliance departments carry a great deal of influence throughout the organisation and can make security awareness a required component of other processes, such as new hire onboarding, so that nobody gets access to systems without having completed it.
Avoid being the department of “no”
There are always going to be certain things that employees simply aren’t allowed to do. But too often, security departments focus on telling people what they shouldn’t do, rather than showing them how they can do what they need to do safely.
A good example is employees using social media in the workplace. Trying to stop people accessing social media throughout their day is near impossible, especially amongst the millennial workforce, and a blanket ban just pushes the activity onto personal devices where you have no visibility at all. Instead, teaching them to use social media safely is far more effective.