So, you want to launch cybersecurity awareness training in your workplace.
Good thinking! Criminals are targeting organizations of all sizes for fraud, malware, and other nefarious activities. Endpoint, network, application and cloud security are critical for doing business in 2021 – but technology is not enough.
The Canadian Center for Cybersecurity (CCCS), NIST, cybersecurity insurance policies, and more highlight the need for user training because in addition to criminals exploiting vulnerabilities in technology, they exploit people's behaviour and emotions.
People aren’t born knowing things like password best practices or phishing red flags. People also get busy and distracted. A cybersecurity awareness training program is an excellent way to teach employees to recognize, avoid and report threats, reducing cyber risk for your organization.
Properly trained employees aren’t just a cyber risk to be mitigated. They are a part of the solution.
Who this guide is for
Whether you’re a CTO, IT specialist, or an accountant doubling as the designated IT person, this guide will help you successfully implement a cybersecurity awareness training program for your organization.
These best practices are based on what we’ve learned from helping IT teams from all different types of organizations across Canada deploy training with our Cybersecurity Awareness Training platform.
Step 1 - Convince management you need training, yesterday
As cybersecurity awareness training becomes more commonplace, it might not take much convincing for management to be on board. Nevertheless, here are a few helpful tidbits that will help you get their support and ensure they understand that a training program is critical.
It’s beneficial not only for senior management to approve a training program, but for them to be actively engaged and to support policy or process changes. Cybersecurity awareness training is more than just taking a few courses – it’s about building a security-conscious culture. You are going to need help from outside the IT team to accomplish that!
1. Explain how you will measure the success of the training program.
Demonstrate the expected ROI of training by establishing a baseline and targets for metrics, such as:
Reducing time to deal with cyber incidents.
How much time and money has your IT team lost to cyber attacks, or spent replacing compromised devices? How many of those incidents would have been preventable if employees had been trained?
Improving phishing metrics.
If you plan to introduce a phishing simulation program, you can track its effectiveness with metrics such as the ratio of users who clicked on a simulated phish to users who reported it to IT, which should improve over time.
Improving employee knowledge and understanding.
How many of your employees confidently know the essentials of your organization's cybersecurity policies and processes? How many even know that such policies and processes exist?
2. Build a data inventory.
Give an overview of what data points you collect and store for your customers, clients, partners, employees and other stakeholders. Knowing the number of records your organization keeps and the sensitivity of the data can remind management what's at stake if a breach were to occur.
3. Find industry-specific and close-to-home articles.
A cyber attack can happen to any organization, big or small, and it doesn’t take too long to find an article that reminds management that cybersecurity risk is real and serious. Do a quick online search for "ransomware" or "cyber attack" + a location, and filter to show results from the past year.
4. Show how training will comply with industry requirements.
NIST, PIPEDA, ISO certification: reference whichever flavour of government regulations, legal agreements, accreditations, or insurance requirements apply to your organization and industry.
5. Use statistics to support the implementation of a training program.
94% of malware detected in small and medium-sized companies was received via email (Verizon, 2019).
1/3 of workers rarely or never think about cybersecurity at work (Tessian, 2020).
96% of IT workers said security training was at least somewhat effective at reducing incidents (CIRA, 2019).
6. Show how training ties into your organization's mission and overall cybersecurity strategy.
Show management how training (or the "human" component) is an essential part of a modern cybersecurity strategy. And bring it back full circle. Tie how important cybersecurity is to serving your customers and keeping your employees safe.
7. Explain the type of training you want to implement.
Training can take many forms, from formal courses to lunch-and-learns. People learn in different ways, so a variety of formats is best. Phishing simulations are a method of training gaining popularity in workplaces - 37% of Canadian organizations reported doing this in 2020, compared to 21% in 2019 (CIRA Cybersecurity Report).
Phishing simulations are an interactive way to train employees and help them build the muscle memory of reporting suspicious emails.
Avoid cybersecurity jargon.
Keep your management team engaged by speaking like a real human and explaining terms when necessary.
Keep it positive.
The tone should be of empowerment and encouragement for your team to learn cybersecurity best practices, not shame employees for being liabilities.
Step 2 - Evaluate training options
What is the best method for delivering cybersecurity awareness training? The best option for one organization may not work for another. Here are some options for cybersecurity training for your employees and the pros and cons.
Free cybersecurity training online.
There are plenty of videos out there on cybersecurity best practices. But relying on free resources for training does not give your IT team the opportunity to customize training. Generic videos won’t teach your users what your policies are regarding company passwords.
Create a training program yourself, in-house.
Organizations can do this if they have the time and resources to do so. It allows IT teams to build a fully customized program; however, it is resource-intensive to build something from scratch and properly maintain it.
Do one-time training with a consultant.
This isn’t a bad idea, particularly for specialized topics. But consider this: can you remember what you had for lunch last Monday? How do you expect your employees to clearly remember something they learned last year? One-time training doesn’t keep cybersecurity top-of-mind for employees or keep them up to date on evolving threats.
Do training through a third-party platform.
In our totally unbiased opinion, this is an excellent option to help save IT teams time and show them the direct results of their program.
CIRA Cybersecurity Awareness Training combines short, formal courses with reinforcement through ongoing, automated phishing simulations. This helps shape user behaviour and build a strong cybersecurity culture.
Step 3 - Prep and launch training
Before you launch, it’s a good idea to consider what training people need and how and when you will communicate with employees about the training program. A little prep will help improve employee participation rates and training effectiveness.
Determine who needs training.
Are you hoping to roll out training to all employees? Or just a few departments? Do you want to do a pilot program with one department first? Are there any other groups like contractors or co-op students that should be trained as well?
CIRA’s platform integrates with Azure AD Connect, Office 365 and G Suite, so you can easily customize training and view results segmented by department.
Plan out your training activities.
Training can be delivered many ways. It can include online courses, presentations, phishing (and/or spear phishing) simulations, remedial courses, and more.
The default initial training activities in CIRA's platform are:
Cybersecurity 101 courses: Four basic courses with quizzes at the end, taking about 30 minutes to complete all four.
Survey: Asking your users questions on their attitudes and behaviours regarding cybersecurity, taking about 5 minutes to complete.
Phishing simulations: A series of random phishing simulations will be sent to all users.
These three initial training activities establish a baseline risk score for each employee, department, and the organization as a whole. This can help you select what types of training your organization needs. Risk scores will go up or down over time based on other training activities you plan throughout the year, such as reporting monthly phishing simulations or taking supplementary courses.
Considering a blind phishing test to baseline your company?
Think again. Blind tests have a way of alienating employees and making them feel like they are not part of the solution. We recommend that you give employees a heads up that the first few phishing campaigns are coming and challenge people to report them.
Create a communications plan.
You need to ensure employees understand why training is important, what it involves, how they can complete it, and when the deadline is. You should work with other teams in your organization, like comms, HR, and senior management, to plan out a communications timeline covering these key messages.
To save you time, we’ve put together a sample communications plan that will bring you from the initial announcement of training to a reminder of the deadline to complete it. We’ve written out sample email invitations, key messages to include in your launch presentation and more.
Get employees to complete training.
While we all wish people were as excited to be cyber secure as you are, in reality, most people don't get too excited to have their bad habits pointed out in training.
Employees complete courses at a much higher rate if they're motivated and engaged. CIRA's platform gamifies training with risk scores, engagement scores and rewards. Beyond the built-in gamification elements, here are some tips to encourage employees to complete training.
Communicate how much time you estimate it will take to complete training. If employees know it will take less than 30 minutes, they are more likely to do it.
Start a friendly race to complete training. Every few days, share course completion progress by department.
Consider offering an incentive like a gift card to the first department to complete training.
Get employees who have completed training to share something they learned, or what their experience with the phishing simulations was like.
Share who has the top three risk scores in the organization and explain how they achieved a good risk score.
Share real articles of incidents and explain how they could have been prevented.
Audit for completion; this is expected for many types of certification. Use the audit to gently remind employees who are behind, in a one-on-one conversation.
Add cybersecurity awareness training to your employee onboarding program.
While you’re introducing training to all staff for launch, don’t forget to roll out the same program when new employees join your organization. Add it to the list of onboarding activities like WHMIS, AODA or whatever training matters to your organization!
In fact, many of our customers who don’t use an LMS upload their courseware to our platform and use it for compliance auditing.
Step 4 - Analyze results and take action
Launching a cybersecurity training program is quite an accomplishment, but your work isn’t done, even if all of your employees complete the initial training activities.
Ongoing training and continuous analysis of risks will help you determine how to reduce cyber risk for your organization.
Screenshot: the IT Risk Advisor section in the CIRA Cybersecurity Awareness Training platform, using sample data from the initial employee survey.
Review survey results.
In CIRA’s platform, the IT Risk Advisor section identifies risks based on survey results. The results show you what risks are most critical, so you can prioritize which ones you can mitigate first.
For example, if the top risk identified is “user attitude toward password re-use”, some ways to mitigate this risk would be: assigning a course specifically on password best practices, updating your organization’s password policy, and rolling out an approved password manager.
Regularly review your dashboard.
The admin dashboard shows your organization’s overall risk score front and center, plus how it changes over time. Filter by department, or drill into individual risk scores, to identify higher-risk users and departments, close the gaps, and improve your overall risk score over time.
Analyze and report on your benchmark data for your success metrics.
Remember those success metrics you identified for your training program? Take stock of the results from the initial round of training activities and determine your plan of action for how you will reduce cyber risk over time.
Step 5 - Keep cybersecurity top of mind
Continue to reduce your organization's cyber risk and keep training momentum going throughout the year.
Send phishing and spear phishing simulations.
CIRA’s platform will send automated phishes once per month (selected randomly from 100+ templates) to keep people in the habit of reporting suspicious emails. No two employees will get the same phish at the same time.
Admins can send spear phishing campaigns as well. Custom, targeted phishing simulations typically have a higher failure rate, represent real-world scenarios, and provide a great learning opportunity that gets the company talking.
Avoid spear phishing backfire: Consider what's been going on in your company recently to avoid an insensitive phishing test. For example, if there were recent layoffs and you send an email about employee bonuses, people won't be too happy. Send a draft of your email to HR or internal comms for review before sending it out to your entire organization. Your goal as an IT admin is to send phishing tests that shape user behaviour - not tick people off.
Share cybersecurity news and incidents.
Occasionally you can share articles that are relevant to your organization (e.g. an article on an incident that took place close to home, or within your industry) and add a personal comment to your users. This reminds users that cyber incidents are real and that everyone plays a part in reducing cyber risk for your organization.
You can also share generic articles on cybersecurity - videos or reports - to keep cybersecurity top of mind. An example would be sharing the most popular passwords of the year, with a note saying that if any of those passwords look familiar, you should change them ASAP.
In our platform, you can consult the News Feed for recent articles and the Exposures section to identify real exposures of company data and give employees the next steps for what to do (e.g. reset your password for the exposed account and ensure you don't reuse passwords).
Track and report on your training success metrics.
Show how training, new policies, processes and other things you've implemented are working. Track how you're doing on the success metrics of your cybersecurity awareness training program.
With ongoing phishing simulations, there will be some concrete stats to share with employees.
For example, if you recently sent out a spear phish, you can share a report on how many people clicked on it and highlight what red flags were in the email so that your users can learn to watch out for those in the future. You could also show how many people reported it to IT and compare it to a previous spear phishing campaign, keeping it an overall positive message - show that more people are getting into the habit of reporting emails.
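The phishing metrics mentioned in Step 1 (click rate, report rate and the ratio of reporters to clickers) and the campaign-over-campaign comparison described above are simple to compute once you have per-user results exported from whatever simulation tool you use. The script below is an added example, not code from CIRA's platform; the record layout (campaign label, user, department, clicked, reported) and the sample results are constructed assumptions. It reports per-campaign and per-department rates and the change between two campaigns, which is the "more people are getting into the habit of reporting" message you would share with staff.

```python
"""Phishing-simulation metrics from per-user campaign results.

Added example (not CIRA platform code). The SimResult record shape and the
sample data below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SimResult:
    """One user's outcome in one simulated phishing campaign (assumed record shape)."""
    campaign: str     # campaign label, e.g. the month it was sent
    user: str
    department: str
    clicked: bool     # the user followed the simulated link
    reported: bool    # the user reported the email to IT (may also have clicked)


# Constructed sample data: ten users in three departments, two monthly campaigns.
SAMPLE_RESULTS: List[SimResult] = [
    SimResult("2021-03", "ana", "finance", True, False),
    SimResult("2021-03", "ben", "finance", True, False),
    SimResult("2021-03", "cai", "finance", False, True),
    SimResult("2021-03", "dee", "finance", False, False),
    SimResult("2021-03", "eli", "sales", True, False),
    SimResult("2021-03", "fay", "sales", False, True),
    SimResult("2021-03", "gus", "sales", True, True),   # clicked, then reported
    SimResult("2021-03", "hal", "sales", False, False),
    SimResult("2021-03", "ivy", "it", False, True),
    SimResult("2021-03", "jon", "it", False, True),
    SimResult("2021-04", "ana", "finance", False, True),
    SimResult("2021-04", "ben", "finance", True, False),
    SimResult("2021-04", "cai", "finance", False, True),
    SimResult("2021-04", "dee", "finance", False, True),
    SimResult("2021-04", "eli", "sales", False, True),
    SimResult("2021-04", "fay", "sales", False, True),
    SimResult("2021-04", "gus", "sales", False, True),
    SimResult("2021-04", "hal", "sales", True, False),
    SimResult("2021-04", "ivy", "it", False, True),
    SimResult("2021-04", "jon", "it", False, False),
]


def campaign_metrics(results: List[SimResult], campaign: str,
                     department: Optional[str] = None) -> Dict[str, float]:
    """Click rate, report rate and reports-per-click for one campaign,
    optionally restricted to a single department."""
    rows = [r for r in results
            if r.campaign == campaign
            and (department is None or r.department == department)]
    if not rows:
        raise ValueError(f"no results for campaign {campaign!r}, department {department!r}")
    n = len(rows)
    clicked = sum(1 for r in rows if r.clicked)
    reported = sum(1 for r in rows if r.reported)
    return {
        "users": n,
        "click_rate": clicked / n,
        "report_rate": reported / n,
        # Above 1.0 means more people reported the phish than fell for it;
        # infinite when nobody clicked at all.
        "reports_per_click": reported / clicked if clicked else float("inf"),
    }


def departments_by_click_rate(results: List[SimResult],
                              campaign: str) -> List[Tuple[str, float]]:
    """Departments ranked from highest to lowest click rate (ties by name)."""
    depts = sorted({r.department for r in results if r.campaign == campaign})
    ranked = [(d, campaign_metrics(results, campaign, d)["click_rate"]) for d in depts]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def trend(results: List[SimResult], earlier: str, later: str) -> Dict[str, float]:
    """Change in organization-wide click and report rates between two campaigns."""
    before = campaign_metrics(results, earlier)
    after = campaign_metrics(results, later)
    return {
        "click_rate_delta": after["click_rate"] - before["click_rate"],
        "report_rate_delta": after["report_rate"] - before["report_rate"],
    }


if __name__ == "__main__":
    for c in ("2021-03", "2021-04"):
        m = campaign_metrics(SAMPLE_RESULTS, c)
        print(f"{c}: users={m['users']} click_rate={m['click_rate']:.0%} "
              f"report_rate={m['report_rate']:.0%}")
        for dept, rate in departments_by_click_rate(SAMPLE_RESULTS, c):
            print(f"  {dept:<8} click_rate={rate:.0%}")
    print("trend 2021-03 -> 2021-04:", trend(SAMPLE_RESULTS, "2021-03", "2021-04"))
```

A user who clicks and then reports counts toward both rates on purpose: the report is the behaviour you want to reinforce, and a late report still gives IT a chance to respond. When you share these numbers with staff, lead with the report-rate improvement rather than the department with the highest click rate.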
Assign new courses.
Cyber criminals evolve their tactics, so your training should evolve too. Assign supplementary courses based on new cyber risks that you consider threats to your organization.