By Jason Hoenich on Nov 20, 2018
You can have the best technology and the smartest, most diligent employees, but security catches even the best companies by surprise. After all, criminals attack the vulnerable every 39 seconds.
Herein lies the power of a security awareness program. Not only does it get everyone up to speed on best practices, but it also puts everyone from the top down on a level playing field because—let’s be honest—who hasn’t fallen for a phishing scam? Take a look at these four best practices to get your company moving on a security awareness program.
1. Get Company-Wide Buy-In from Day One
A security awareness training program is bound to fail if your employees aren’t on board from day one. Everyone—from the CEO to Steve in marketing to Pam in operations—has to be sold on the importance of security awareness training. Whether your entire team is in-house or you have a remote staff, with company-wide buy-in, a culture of security can thrive and best practices will become embedded in everyone’s day-to-day. Even better, everyone will feel like part of the solution—not the problem.
2. Communicate, Communicate, Communicate
Remember that you need to communicate with every level of the organization before, during, and after you start your security awareness training program. Employees need to know what to expect, why you’re launching a security awareness program, and what the story behind the program is. Remind your team that cybercrime costs could reach as much as $2 trillion by 2019, so staying on top of security awareness is crucial to business operations. It’s also important to establish attainable goals and to clarify what the benchmarks are. If anything changes or crops up, make sure you update all stakeholders so everyone knows how they fit into the program.
3. Assess Security Susceptibility for a Baseline
You have to know what your baseline is in order to set goals and launch a program. Take your security awareness temperature by doing a baseline assessment of just how vulnerable your employees are. Having a solid view of your employees’ vulnerability to phishing and security scams will let you set goals and track progress before you even launch your program. If you want employees to open fewer sketchy emails and fall for fewer scams, then know where you’re starting so you can know where you’re going.
4. Assess, Reinforce, and Repeat
Once you’ve launched a security awareness program, you need to keep tabs on how it’s going and how your employees are performing. If you’re not running regular checks on the program and sharing those findings with stakeholders, your employees will just remember the program as another boring training cycle that went nowhere fast. You’ll want a way to collect and assess data—both qualitative (e.g., anecdotal feedback) and quantitative (e.g., training completion rates, rates of repeat responders). With plenty of data in hand, you can have candid and targeted conversations with repeat responders in order to find out why they’re clicking on phishing simulations and what they need to do to change their behaviors for good.
Globally, only 38 percent of organizations say they’re ready to handle a sophisticated cyber attack, according to ISACA International. You can change minds and people’s behavior when security awareness is a regular pursuit, so make sure to run phishing tests and offer self-service training to raise awareness and boost employee adoption of best practices.
If you’re ready to get ahead of the game and sell a security awareness program to your team, start by checking out our Basic Trial Platform today.