6 Best Practices for Effective Security Awareness Training

The human element is a big one when it comes to cybersecurity. You can have the best firewall, threat detection system, and mobile management software, but an employee sharing their password through an unsecured email can lead to a major breach.

This is why employee security awareness training is a vital piece of your organization’s network security, along with hardware and software protections. 

Training employees well on cybersecurity can result in a reduction of cyberattack risk by as much as 70%. But doing it poorly can mean that you have big holes in your IT security, no matter what else you do.

As many as 95% of IT security breaches have a human error element involved.

Following are some best practices for IT security awareness training to ensure your team is well trained and can build the skills needed for a culture of cybersecurity. 

Don’t Approach It From a Negative or Blaming View

While human error is responsible for a lot of cyberattacks, you don’t want to lead with that when training your team. If you approach cybersecurity awareness training from a “blame game” perspective, then people will have a negative experience with it.

People who are afraid of getting fired may not report that they accidentally clicked on a phishing link, and a click that goes unreported for days gives an attacker far more time to act than one reported within minutes. They might also not want to report that a colleague shared their password, because they don’t want to get them in trouble.

Take the fear out of the equation, and approach cybersecurity as a team effort to keep everyone safer.

Provide Training Every 4-5 Months

Often, companies aren’t training their employees enough. Once-a-year training won’t provide the foundation of knowledge that organizations are hoping for to reduce cyberattack risk.

A study published by USENIX (the Advanced Computing Systems Association) found that training every four to five months was best for retention of the information.

During the study, employees were trained on phishing identification tactics. They were tested at increments of 4, 6, 8, 10, and 12 months. At four months, they tested well and had remembered much of what they learned. 

But at the 6-month test, they began forgetting and performed worse on phishing tests. The downward trend continued, with scores getting worse the longer it had been since they were first trained. 
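The same measurement can be applied to your own phishing-simulation data to find the refresher interval that fits your organization rather than relying on a single published number. The Python script below is an added example, not code from the original article or from the study it cites: it buckets simulation results by months since the employee was last trained, computes the click and report rate per bucket, skips buckets with too few results to be trusted, and returns the longest interval at which the click rate is still acceptable. The sample data, the 15% click-rate threshold, the minimum bucket size and the field names are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """One employee's outcome in one phishing simulation (assumed record layout)."""
    user: str
    months_since_training: int
    clicked: bool   # clicked the simulated phishing link
    reported: bool  # reported the email through the report button


def rates_by_interval(results, min_samples=3):
    """Return {months_since_training: (click_rate, report_rate)}.

    Buckets with fewer than min_samples results are dropped so that one or two
    outliers cannot decide the training cadence.
    """
    buckets = defaultdict(list)
    for r in results:
        buckets[r.months_since_training].append(r)
    rates = {}
    for months, rs in sorted(buckets.items()):
        if len(rs) < min_samples:
            continue
        n = len(rs)
        rates[months] = (sum(r.clicked for r in rs) / n,
                         sum(r.reported for r in rs) / n)
    return rates


def recommended_cadence(rates, max_click_rate=0.15):
    """Longest interval (months) at which the click rate is still acceptable.

    Scans from the shortest interval upward and stops at the first bucket that
    exceeds the threshold; returns None if even the shortest interval fails.
    """
    best = None
    for months in sorted(rates):
        click_rate, _ = rates[months]
        if click_rate > max_click_rate:
            break
        best = months
    return best


def sample_results():
    """Constructed sample data, not real campaign results: eight users tested at
    4, 6, 8 and 12 months after training, with more clicks as time passes, plus a
    sparse 10-month bucket that is too small to trust."""
    users = [f"user{i}" for i in range(8)]
    clicked_per_interval = {4: 1, 6: 2, 8: 4, 12: 5}
    data = []
    for months, n_clicked in clicked_per_interval.items():
        for i, user in enumerate(users):
            clicked = i < n_clicked
            # Most people who do not click report the email; a few just delete it.
            reported = (not clicked) and (i % 3 != 0)
            data.append(SimResult(user, months, clicked, reported))
    data.append(SimResult("user0", 10, False, True))
    data.append(SimResult("user1", 10, False, True))
    return data


if __name__ == "__main__":
    rates = rates_by_interval(sample_results())
    for months, (click, report) in rates.items():
        print(f"{months:2d} months: click rate {click:.0%}, report rate {report:.0%}")
    print("recommended refresher interval:", recommended_cadence(rates), "months")
```

Run against real results, the report rate is the more useful trend to watch: a team whose click rate is flat but whose report rate is falling is forgetting the reporting habit even if it still spots the lure.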

Use Different Cybersecurity Message Delivery Channels

Not everyone learns in the same way. Some people do better with self-paced learning, while others gain more when sitting in on a security webinar with real-world experiences shared.

Training is more effective when you mix up the message delivery channels. This also helps you keep training fresh and provide it more often without it seeming overwhelming. For example, not every training session has to be a 2-hour meeting. Some training can take just 3-4 minutes of watching a cybersecurity video.

Here are some of the different training types you can incorporate:

  • In-person or virtual training from an IT professional
  • Short, one-subject videos delivered monthly
  • Ongoing cybersecurity “tip of the week”
  • Phishing simulations
  • Round-table discussions in each department 
  • Problem/Solution format where employees bring cybersecurity issues and the team works on a solution together
  • Cybersecurity posters

Incorporate Short Videos

Short on-demand videos are an entertaining way to deliver cybersecurity training that can lead to better retention. One commonly cited figure holds that viewers retain about 95% of the information in a video, compared to only 10% when they receive the same information as text only.

Many services provide animated cybersecurity training videos that companies can use for this purpose. You can also find free resources for these online.

Infusing video into your security awareness training is a great way to “fill the gaps” between more formal training sessions so employees aren’t forgetting the basics they’ve been taught.

Leverage Free Online Training Resources

If you’re worried about the cost or time involved in providing cybersecurity training material, videos, and posters, there is free help out there.

Several sites offer free cybersecurity training resources that you can leverage for your team. These will be in a format that is ready to use, so you won’t have to do much, other than download and deliver them.

Here are a few websites where you can find presentations, courses, posters, and videos on cybersecurity awareness:

  • Canadian Internet Registration Authority (CIRA)
  • Cybersecurity Awareness Month (CSAM)
  • Federal Trade Commission (FTC) (Videos)
  • UC Santa Cruz (Posters)

Invite Employee Interaction in Roundtables

A good way to get your employees more engaged in cybersecurity is to get their input on it. People can only learn so much when someone else is doing all the talking. Invite them to small group roundtables for departments or teams within your organization.

Ask everyone’s input on cybersecurity as it relates to their day-to-day and what their department does. You’ll likely get some helpful and insightful information on how to better secure your organization’s network and information because of the diversity of points of view.

Get Help Beefing Up Your Employee Training & Security Program

Haxxess can help your Northern Ontario business put together a cybersecurity awareness training program that is effective and is focused on your company’s mission.


Contact us today to schedule a free consultation! Call 705-222-8324 or reach out online.
