How to Build a Security Education Training and Awareness Program (+FAQs)

Posted by ideaBOX Team on Oct 19, 2020 8:39:23 AM

Every day, companies face the risk of a cyberbreach. Cybercriminals constantly seek ways to breach cybersecurity measures for their own ends—whether that’s financial gain, making a political statement, or stealing data for some other entity’s benefit.

Minimizing cybersecurity risks is a key goal for any business. The first step in any plan to mitigate potential cyber threats is to know where the organization’s biggest security gaps are and to plug them as quickly as possible. While specific security flaws will vary from one organization to the next, there is one element in any cybersecurity plan that is typically cited as the weakest link in the chain.

What’s the weakest link in the vast majority of security policies? Employees with access to critical data and resources are typically the single biggest flaw in any security system. But, why are employees such a major cybersecurity risk? More importantly, what can you do to curtail this risk and make it more manageable?

Why Employees Are the Weakest Link in Your Cybersecurity Plan

No matter how good your security policies, procedures, and tools are, if there’s someone with legitimate access to your network and systems, then a hacker can find a way to access them, too. As noted in a Tech Republic article, “If we look at security breaches over the last five to seven years, it's pretty clear that people, whether it's through accidental or intentional introduction of malware, represent the single most important point of failure in terms of security vulnerabilities.”

CSO Online backs up this assertion with a data point: “Phishing attacks account for more than 80% of reported security incidents.” Phishing is a type of cyberattack that specifically targets the people in an organization to trick them into taking some type of action—such as surrendering account credentials or sensitive information, or downloading and installing malware that can go on to infect the network.

Employees who aren’t aware of cybersecurity risks are prone to falling for phishing attacks. A cybersecure employee—one who has a strong level of security awareness and is motivated to be wary of cyber threats—is much less likely to fall victim to phishing scams and other forms of cyberattack.

However, even with strong cybersecurity awareness and a corporate culture that promotes cybersecure behaviors, there is always a risk of people falling for a cybercriminal’s schemes. This is why you still need other cybersecurity protections, even if you have a strong cybersecurity awareness program in your organization.

Training to Promote Cybersecurity Awareness

One of the first steps in promoting cybersecurity awareness is to create a Security Education Training and Awareness (SETA) program. A SETA course helps to instill basic cybersecurity knowledge in an organization’s employees—and should be mandatory for both existing employees and future new hires.

Another way to promote security awareness is to share stories about employees who successfully thwart attacks by following cybersecure practices. For example, if Bob from accounting gets a “phishy” email, reports it up the chain, and it’s discovered to actually be a phishing attempt, he should be called out and congratulated at the next team meeting. Even something as small as a postcard or placard for “Excellence in Maintaining Cybersecurity Best Practices” could be a great way to motivate people to think before they click.

Also, be sure to publish your company’s cybersecurity policies and make sure that employees actually read the thing. When creating this policy for employees, consider including a “cheat sheet” that breaks your policies down into small, easy-to-understand tips or “do’s and don’ts” that everyone can understand. Avoiding technobabble and using simple terms when possible helps ease comprehension as well (not everybody in the company is going to be an IT expert, after all).

How to Build a Security Education Training and Awareness Program

How can you build a SETA program that will work to promote awareness and keep your employees from becoming the weak link that hackers exploit? Here are a few tips for building out a security education training and awareness program in your own organization:

1. Start by Assessing Your Organization’s Current Cybersecurity Awareness Level.

Before you can make a SETA program to cover your team’s biggest knowledge gaps, you need to know what those gaps are. Conducting an assessment of your company’s overall cybersecurity awareness level can help you identify specific opportunities for improvement. Additionally, by establishing what your employees already know, you can skip boring, remedial lessons that would cause disengagement with your training program.

Security breaches have increased by 11% since 2018 and 67% since 2014. (Accenture)

15% of companies found 1,000,000+ files open to every employee. (Varonis)

So, how can you conduct an assessment of your organization's current cybersecurity awareness level? There are a few tools you can use to achieve this:

Surveys of Employee Cybersecurity Knowledge.

You can assess employee awareness of cybersecurity issues by sending out surveys for them to fill out. Their responses to basic questions about common cybersecurity topics like "what is phishing?" or "how long should a password be?" can provide valuable insight into how knowledgeable they are about security issues.

Fake Phishing Emails.

Sending fake phishing emails to employees and seeing how they respond is another effective tactic for assessing your audience's overall cybersecurity awareness. If a large percentage of employees click on or respond to the fake phishing emails, then you know that your organization really needs to focus on how to spot and handle phishing attacks.

Of course, these phony phish need to be carefully written to avoid having employees actually share potentially sensitive and private information.

Cybersecurity Incident Drills.

Test your employees' ability to respond to cybersecurity incidents by conducting random drills that simulate different types of incidents. Then, record how employees respond to the simulated attack.

Do they follow good cybersecurity practices that limit your company's risks and help ensure rapid resolution for the security incident? Or, do they ignore the attack alert and fail to pass information along to others (like your IT team or their immediate supervisor)?

Running a cybersecurity drill can help train your employees to make the right responses to the real thing while telling you exactly how much training they need.

2. Establish Your Training Program Budget.

How much can you afford to spend on your SETA program? Your program’s budget will have an influence on the amount of training you can provide for each employee, what types of training resources you can provide, and overall program success. Some things to budget for include:

  • Trainer/consultant time and labor.
  • Access to training platforms/software/resources.
  • Reduced employee productivity for time spent on training.

The cost of cybersecurity training can be highly variable depending on the nature of the training. For example, some sources cite a baseline cost of $5,000 for one person to take a cybersecurity training course while others place the cost of such programs at over $12,500. Meanwhile, some basic cybersecurity courses may be available for free online.

It can help to look at what other companies of a similar size in your industry have spent on cybersecurity training so you can have a realistic expectation of your own program's final cost.

However, you should try to avoid getting caught up in a game of "Keeping up with the Joneses" when it comes to training your employees. You don't need to spend lavishly to produce a positive result with your SETA program.

3. Set Aside Time for Employees to Train.

Employees need to be able to dedicate themselves to their cybersecurity training fully. If left to a “do it in your free time” type of schedule, employees may neglect to do the training. After all, it’s not part of their core job function—and if you aren’t giving them time to do it, they will reasonably conclude that the training must not be that important.

Setting aside time for employees to attend training sessions is a must for highlighting the importance of cybersecurity training and ensuring every employee completes the program.

How much time should you reserve for cybersecurity training? The answer depends on the training program you provide. The more extensive the training program is, the more time employees will need to complete it. Cybersecurity trainers may be able to provide a reliable estimate of the average amount of time people need to complete their training programs.

4. Choose a SETA Program Delivery Method.

How will you distribute training program materials to your employees? There are many ways to deliver training materials, such as in-person seminars, online webinars, digital eBooks, interactive online tools, and more. Your choice of training method may depend largely on your total company size, training budget, and time constraints.

For example, if you have a small team and lots of resources, in-person seminars with cybersecurity experts may be ideal. For larger teams that are distributed across many offices, online webinars, eBooks, and interactive tests may be better.

5. Make a Plan for Verifying SETA Program Results.

The easiest way to verify that your SETA program is effective is to create tests that measure employee knowledge (and how they apply that knowledge to everyday situations). The basic strategy for verifying SETA program effectiveness is largely the same as assessing your company's pre-training cybersecurity awareness, involving the use of:

  • Cybersecurity awareness surveys;
  • Simulated phishing attack emails; and
  • Cybersecurity incident drills.

Simulated phishing attacks and security incident drills, in particular, can help you assess how well employees are adapting content from training and applying lessons to their daily work. Meanwhile, awareness surveys can show you where there may be persistent gaps in your employees' security knowledge.

6. Have Your Organization's Managers Lead by Example.

In any organization, employees take their behavior cues from their leaders—so manager behaviors can have a major impact on whether employees adopt new security policies or not. Management can also have a direct impact on how engaged employees are (and thus, influence employee turnover).

As noted by the Society for Human Resource Management (SHRM), "managers play a key role in employee engagement, creating a respectful and trusting relationship with their direct reports, communicating company values and setting expectations for the day-to-day business of any organization." When managers don't model the right cybersecurity behaviors, their employees are less likely to take the need to follow those rules seriously!

Create processes for verifying that employees, and especially managers, are following cybersecurity best practices to encourage everyone to follow the rules.

Additionally, it can help to reward employees who manage to spot major security issues or consistently follow cybersecurity best practices. For example, if Bob from accounting spots a phishing email and calls it out for the security team to fix, then giving him a shout-out in the next company-wide email congratulating him (and showing how he recognized the phishing attempt) can help increase awareness and make employees more likely to follow best practices for cybersecurity.

7. Don’t Forget to Consider Future Hires and Knowledge Decay.

Over time, your organization will cycle in new people. Also, because cyber threats are constantly evolving, some security knowledge may become obsolete after a while. Finally, if lessons aren’t reinforced, people may simply forget what they’ve learned. So, it’s important to take into account the need to train new employees and periodically provide updated training to existing employees.

Put into place a cybersecurity training course for new hires that brings them up to speed with what you expect them to know before they start handling sensitive information. Make this part of the onboarding process, for example by having new hires take an online training course or putting them through a cybersecurity expectations briefing when they're hired.

FAQs about Security Education, Training, and Awareness Programs

Why Should I Have a SETA Program?

SETA programs help to foster awareness of critical cybersecurity issues amongst an organization's employees. This can increase the likelihood of employees following key security protocols and help them recognize an attack in progress.

How Much Does a SETA Program Cost?

SETA program costs will vary from one organization to the next. This is because of variables such as:

  • The total number of employees being trained;
  • The cost of specific training materials and/or lecturers;
  • The distribution method used to deliver training materials; and
  • The number of training locations.

On an individual level, it is fairly common for a cybersecurity training program to cost somewhere between $5k and $12k. However, larger organizations can often lower their cost for training per employee by conducting training in bulk (so that they aren't paying for 1:1 training for each employee).

How Effective Is a SETA Program, Really?

The efficacy of employee training of any kind can vary. It is common for employees to forget the content of a training course shortly after completing it.

According to statistics cited by Learning Solutions, "within one hour, people will have forgotten an average of 50 percent of the information you presented. Within 24 hours, they have forgotten an average of 70 percent of new information." This is sometimes called "knowledge decay" or the "forgetting curve."

Despite this fact, cybersecurity training is important—and not just because it's critical for complying with certain cybersecurity expectations! Also, it is possible to overcome the problem of employees forgetting training.

How Can I Improve Knowledge Retention for My SETA Program?

A lot of people quickly forget information that they:

  1. Don't use;
  2. Don't think is important; and
  3. Don't find interesting.

So, to counter the knowledge decay that comes after any corporate training, it can help to:

  • Put Training to Use. Have employees engage in exercises, tests, and drills after the SETA program is done that put the knowledge they acquired to the test. Through repeated use, employees can improve retention. This also helps make the training more important to employees since they're getting tested on their knowledge.
  • Highlight Why the Training Is Important. Tell employees about the potential consequences of not following information safety best practices—not just for them, but for the organization and their coworkers. Highlight how cybersecurity is a shared responsibility and the part each person plays in keeping everyone safe.
  • Make Training More Engaging. Which is more engaging: a lecture where some random person recites basic information for an hour straight, or a hands-on exercise where employees get to do things and see the possible results of their actions? Odds are, it's the second option. Making training more engaging and hands-on whenever possible can help to improve information retention—so things like interactive labs where people can try to spot the fake phishing email in a list of ten random emails or correctly identify a malicious link on a fake webpage may produce better results than a recorded video lecture.

Conclusion: Do You Need Help Setting up a SETA Program?

A SETA program can be an incredibly useful tool for increasing cybersecurity awareness in your organization. However, to get the maximum effect, you need to do it the right way.

Do you need help building a robust training program that will make your people cybersecure? Reach out to the experts at ideaBOX today to get started! Our team has helped companies in multiple industries create and maintain cybersecurity training programs for people of all IT skill levels.
