How to make security awareness training work like an utter charm for your business, no matter what your budget
In days gone past, security awareness training was something that SMEs considered a nice but not really necessary add-on to multi-layered security protection for a business’s systems and processes.
There were a multitude of reasons why user training used to fall to the level of ‘least important’ for security policies. A lack of budget, deficient in-house expertise, and no options for low cost yet good quality training all factored into the equation, alongside the usual small and medium-sized business restrictions like lack of time and resources.
Nowadays, however, user training is rising up the ranks of necessity when it comes to small and medium-sized business security as the risks of cyber attacks become clearer. In a 2017 study by the Better Business Bureau, it was found that almost half of small to medium-sized businesses with under 50 employees saw security awareness training as one of the top three necessary security expenditures, along with firewalls and endpoint protection.
With SMEs losing an average of between £65,000 and £115,000 when hit by a cyber attack (according to commercial insurer RSA), it’s easy to see why companies are upping the budget allocation for user training. Employees are at the front line of your business, and even the most advanced protection can be undermined by human error. Not providing education to your team can cost a lot and expose you to unnecessary risk.
But how do you make security awareness training work for your business and how do you get started?
1. Get stakeholders acquainted
Whenever you are introducing a new program or process to a business, it’s necessary to make sure everyone fully understands why and is on board. Engaging management and stakeholders will help you build a good base and ensure everyone is on the same page.
Set up meetings or craft an email to the necessary teams explaining how security awareness training can really benefit the business. It’s a good idea to share reports and details on how security awareness training works and get your IT team (internal or external) involved early on.
2. Get your first phishing campaign underway
A great way to start your security awareness training is with a simulated phishing campaign. If you have any people in your organisation that are reluctant or cynical about whether training can benefit business, a phishing campaign can help show value. The first simulation can also act as a good initial gauge to see the level of understanding and awareness users already have.
Working with a phishing training provider, you can create a campaign that mimics a typical notice employees receive, so that users do not know a test is under way and the results give you an accurate picture of the level of risk.
3. Publish and share the results
A critical part of an effective security awareness training program is to engage users and use feedback to encourage better and smarter habits. Doing this will ensure that you are not only creating more awareness of cyber security throughout your business, but also raising your level of protection with every campaign you run.
Once you’ve run your first official simulated phishing campaign share the results with your employees. This will help your team understand how poor habits can really put your business at risk. The key is to not allow this practice to turn into a blame game, or to name and shame those who fell for a phishing email. Instead, provide overall (and anonymous) statistics so those who did fall for the scam can see how and why without being publicly outed.
These statistics will also help the organisation as a whole, giving you the opportunity to create or use new training programs to fill holes in your security.
4. Don’t stop there
Security awareness training is an ongoing process. Once employees and stakeholders are engaged and can see the value of the programme, SMEs need to schedule training into their business processes. All companies are different, but as a rule it’s a good idea to run one or two campaigns a month, alongside regular training sessions (one or two) every quarter.
As you get more familiar with the process and build up a good base of training you may want to increase or decrease the frequency or adjust intervals throughout the year depending on your business and the current cyber security trends.
At Xenace, we created Phishwise, an interactive phishing simulation software to help businesses train employees to spot the signs of attack. With three different plans to choose from and easy to understand programs, it’s a great starting point for any business looking to improve its cyber security. Contact us now to see how we can help.