How to implement cybersecurity awareness training

Demonstrate the expected ROI of training by establishing a baseline and targets for metrics, such as:

Reducing time to deal with cyber incidents.

How much time/money has your IT team experienced due to a cyber attack, or spent replacing compromised devices? How many of those incidents were preventable if employees had training?

Improving phishing metrics.

If you plan to introduce a phishing simulation program, you can track its effectiveness with metrics like the ratio of users who clicked on a simulated phish to those who reported it to IT improves over time.

Improving employee knowledge and understanding.

How many of your employees confidently know the essentials of your organization’s cybersecurity policies and processes? How many even know that such policies and processes exist? 

Give an overview of what data points you collect and store for your customers, clients, partners, employees and other stakeholders. Knowing the number of records your organization keeps and the sensitivity of the data can remind management what’s at stake if a breach were to occur.

A cyber attack can happen to any organization, big or small, and it doesn’t take too long to find an article that reminds management that cybersecurity risk is real and serious. Do a quick online search for “ransomware” or “cyber attack” + a location, and filter to show results from the past year.

NIST, PIPEDA, ISO Certification…reference whichever flavour of government regulations, legal agreements, accreditations, or insurance requirements apply to your organization and industry.

• 94% of malware detected in small-medium-sized companies was received via email. (Verizon 2019).

• 1/3 of workers rarely or never think about cybersecurity at work. (Tessian, 2020).

• 96% of IT workers said security training was at least somewhat effective at reducing incidents (CIRA, 2019).

Show management how training (or the “human” component) is an essential part of a modern cybersecurity strategy. And bring it back full circle. Tie how important cybersecurity is to serving your customers and keeping your employees safe.

Training can take many forms, from formal courses to lunch and learns. People learn in different ways, so a variety of formats is best. Phishing simulations are a method of training gaining popularity in workplaces – 37% of Canadian organizations reported doing this in 2020, compared to 21% in 2019 (CIRA Cybersecurity Report).

There’s plenty of videos out there on cybersecurity best practices. But relying on free resources for training does not give your IT team the opportunity to customize training. Generic videos won’t teach your users what your policies are regarding company passwords.

Organizations can do this if they have the time and resources to do so. It allows IT teams to build a fully customized program; however, it is resource-intensive to build something from scratch and properly maintain it.

This isn’t a bad idea, particularly for specialized topics. But consider this: can you remember what you had for lunch last Monday? How do you expect your employees to clearly remember something they learned last year? One-time training doesn’t keep cybersecurity top-of-mind for employees or keep them up to date on evolving threats.

In our totally unbiased opinion, this is an excellent option to help save IT teams time and show them the direct results of their program.

CIRA Cybersecurity Awareness Training combines short, formal courses with reinforcement through ongoing, automated phishing simulations. This helps shape user behaviour and build a strong cybersecurity culture. 

Are you hoping to roll out training to all employees? Or just a few departments? Do you want to do a pilot program with one department first? Are there any other groups like contractors or co-op students that should be trained as well?

CIRA’s platform integrates with Azure AD Connect, Office 365 and G Suite, so you can easily customize training and view results segmented by department. 

Training can be delivered many ways. It can include online courses, presentations, phishing (and/or spear phishing) simulations, remedial courses, and more.

The default initial training activities in CIRA’s platform are: 

1. Cybersecurity 101 courses: Four basic courses with quizzes at the end, taking about 30 minutes to complete all four.
2. Survey: Asking your users questions on their attitudes and behaviours regarding cybersecurity, taking about 5 minutes to complete.
3. Phishing simulations: A series of random phishing simulations will be sent to all users.

These three initial training activities establish a baseline risk score for each employee, department, and the organization as a whole. This can help you select what types of training your organization needs. Risk scores will go up or down over time based on other training activities you plan throughout the year, such as reporting monthly phishing simulations or taking supplementary courses.

You need to ensure employees understand why training is important, what it involves, how they can complete it, and when the deadline is. You should work with other teams in your organization, like comms, HR, and senior management, to plan out a communications timeline covering these key messages.

To save you time, we’ve put together a sample communications plan that will bring you from the initial announcement of training to a reminder of the deadline to complete it. We’ve written out sample email invitations, key messages to include in your launch presentation and more.

While we all wish people were as excited to be cyber secure as you are, in reality, most people don’t get too excited to have their bad habits pointed out in training.

Employees complete courses at a much higher rate if they’re motivated and engaged. CIRA’s platform gamifies training with risk scores, engagement scores and rewards. Beyond the built-in gamification elements, here are some tips to encourage employees to complete training.

• Communicate how much time you estimate it will take to complete training. If employees know it will take less than 30 minutes, they are more likely to do it.

• Start a friendly race to complete training. Every few days, share course completion progress by department.

• Consider offering an incentive like a gift card to the first department to complete training.

• Get employees who have completed training to share something they learned, or what their experience with the phishing simulations was like.

• Share who has the top three risk scores in the organization and explain how they achieved a good risk score.

• Share real articles of incidents and explain how they could have been prevented.

• Audit for completion — this is expected for many types of certifications. Use the audit to gently remind employees that are offside in a one-one conversation.

While you’re introducing training to all staff for launch, don’t forget to roll out the same program when new employees join your organization. Add it to the list of onboarding activities like WHMIS, AODA or whatever training matters to your organization!

In fact, many of our customers who don’t use LMS systems upload their courseware to our platform and use it for compliance auditing.

In CIRA’s platform, the IT Risk Advisor section identifies risks based on survey results. The results show you what risks are most critical, so you can prioritize which ones you can mitigate first.

E.g. if the top risk identified is “user attitude toward password re-use”, some ways to mitigate this risk would be: assigning a course specifically on password best practices, updating your organization’s password policy, and rolling out an approved password manager.

The admin dashboard shows your organization’s overall risk score front and center, plus how it changes over time. Filter by department or look into individual risk scores to identify any higher risk scores to close any gaps and improve your overall risk score over time.

Remember those success metrics you identified for your training program? Take stock of the results from the initial round of training activities and determine your plan of action for how you will reduce cyber risk over time.

CIRA’s platform will send automated phishes once per month (selected randomly from 100+ templates), to keep people in the habit of reporting suspicious emails. No two employees will get the same phish at the same time.

Admins can send spear phishing campaigns as well. Custom, targeted phishing simulations typically have a higher failure rate, represent real-world scenarios, and provide a great learning opportunity that gets the company talking.  

Avoid spear phishing backfire: Consider what’s been going on in your company recently to avoid an insensitive phishing test. For example, if there were recent layoffs and you send an email about employee bonuses, people won’t be too happy. 

Send a draft of your email to HR or internal comms for review before sending it out to your entire organization. Your goal as an IT admin is to send phishing tests that shape user behaviour – not tick people off.  

Occasionally you can share articles that are relevant to your organization (e.g. an article on an incident that took place close to home, or within your industry) and add a personal comment to your users. This reminds users that cyber incidents are real and that everyone plays a part in reducing cyber risk for your organization. 

You can also share generic articles on cybersecurity – videos or reports – to keep cybersecurity top of mind. An example would be sharing the most popular passwords of the year, with a note saying that if any of those passwords look familiar…you should change them ASAP.

In our platform, you can consult the News Feed for recent articles and the Exposures section to identify real exposures of company data and give employees the next steps for what to do (e.g. reset your password for the exposed account and ensure you don’t reuse passwords).

Show how training, new policies, processes and other things you’ve implemented are working. Track how you’re doing on the success metrics of your cybersecurity awareness training program.

With ongoing phishing simulations, there will be some concrete stats to share with employees.

For example, if you recently sent out a spear phish, you can share a report on how many people clicked on it and highlight what red flags were in the email so that your users can learn to watch out for those in the future.

You could also show how many people reported it to IT and compare it to a previous spear phishing campaign, keeping it an overall positive message – show that more people are getting into the habit of reporting emails.

Cyber criminals evolve their tactics, so your training should evolve too. Assign supplementary courses based on new cyber risks you deem are threats to your organization.