Eager to launch training, but want some help on how to best communicate it to your employees?
The following guide includes suggested communications activities that will help your staff
- get excited about training,
- know why your organization is rolling it out, and
- understand what is expected of them.
This guide is based on best practices from CIRA's experience helping onboard customers across Canada. Every organization is different – use this guide as a starting point and customize it to meet the needs of your users.
Tips before you get started:
Review this plan with other teams.
IT, HR, Employee Communications, and Senior Management are teams that are commonly involved in the launch of training programs. We've found it impactful to have the initial email announcing the training program come from Senior Management.
Set a launch date and training deadline.
Your launch date will be when you will send users an email to get set up on the platform and when they can begin training. Your training deadline should be 20-40 days later, giving enough time for employees to complete training.
Consider offering an incentive for completing training.
Some ideas for incentives are entering names in a draw for a prize after users complete their training, or giving an award to the department that has the lowest score by a certain date.
Consider doing a pilot launch.
Many of our customers have launched training with one department (such as IT) to get feedback from a highly-involved user group. This way you can work out any of the kinks and better customize the launch plan for your organization.
Communications launch timeline
| Suggested timing, based on your target dates for launch and training completion. | A description of the activity and a link to a written template or more info. | The people responsible for producing and reviewing each activity. | The purpose for doing this activity. |
|---|---|---|---|
| 7-14 days before launch day | Meeting invitation for training overview | Senior Manager to send | Give staff a first, positive introduction to the program. |
| Day before launch day | Meeting reminder | Senior Manager to send | Remind staff of the importance of attending the meeting. |
| Launch day | Launch day: 30-minute meeting on introduction to training | IT/Platform Admin to present | Give staff a training roadmap and explanation of why cybersecurity is everyone’s responsibility. |
| Launch day | Recap email, send slide deck/recording | IT/Platform Admin or Senior Manager to send | Ensure anyone who missed the meeting will still receive important information. Have an email for people to refer back to. |
| Launch day | Send setup email to users | IT/Platform Admin to send via the platform | Enable staff to access the platform immediately after they learn about the training. |
| 2-5 days after launch day | Share training completion progress, kudos and tips | IT/Platform Admin to send to company-wide chat or newsletter | Positive reinforcement for completing training, sharing best practices, incite friendly competition to encourage staff to complete training. |
| 1 day before training deadline | Final reminder of deadline | IT/Platform Admin to send | Encourage completion of training. |
Meeting invitation for training overview
Protecting against the growing number of online threats takes more than technology.
While *insert company name continues to invest in new security technologies and improvements to critical tools, everyone in our community can play a critical role in preventing cybersecurity incidents.
Organizations across the world continue to face a growing number of threats with malicious individuals, organized crime and even nation-states targeting individuals for financial gain, intellectual property theft, hacktivism or just to spread fear, anxiety and chaos.
With that in mind, *insert company name is adopting a new cybersecurity awareness tool called CIRA Cybersecurity Awareness Training. This is a mandatory program for all employees. Please join us on *insert date to learn more about the program, including a brief overview of what’s required, and a short demo of the platform we’ll be using.
Meeting reminder
This is a friendly reminder that tomorrow *insert presenter(s) will be sharing important information about our upcoming CIRA Cybersecurity Awareness Training launch. Everyone at *insert company name has a role to play in reducing cyber risk. Please join us to learn more!
Launch day: 30-minute meeting on introduction to training
Key messages and ideas for presentation:
- Share what baseline training they are expected to complete. The default baseline training takes about 30 minutes to complete and consists of a survey, four courses, and a series of phishing simulations.
- Explain how the risk score works. Each employee will get a personal risk score that is calculated from four main categories: exposures, incidents, awareness and rewards. The goal is to lower your risk score as much as possible.
  - Exposures: If your email address has ever been involved in a data breach, your score will be impacted.
  - Incidents: Clicking on a phishing simulation or being involved in any poor security practices will impact your score.
  - Awareness: Completing all your security training will reflect positively in your score. You can also complete supplementary courses to improve your risk score.
  - Rewards: Reporting any phish (real or simulated) earns you rewards that positively impact your score.
- Share when the training deadline is.
- If you are providing incentives for teams or individuals to complete training, share what they are.
- Do a live screen-share to demo the platform, showing the personal dashboard, courses, the survey and other relevant areas.
- Show what the set-up email will look like, so they know what to expect.
- Explain phishing simulations:
  - Show what the phish forward button looks like (or share what the phish forward email address is).
  - Show what will happen if they successfully report a simulated phish (their score improves).
  - Show what will happen if they click on a simulated phish (landing page showing the cues they missed so they know for next time).
- End on a note of encouragement – “Let’s see how many phishing emails we can collectively catch!” Share that you’ll be giving regular updates with tips and kudos to those who have completed training and caught some “phish.”
Recap email, send slide deck/recording
Thanks to everyone who attended the CIRA Cybersecurity Awareness Training launch meeting today. For those of you that missed it, the deck is available here: *insert link/location to deck or recording.
You will be receiving an email from *insert the "from" address you've configured for System Emails shortly. It is not a phishing simulation! Please follow the instructions to set up your account on the platform. Once you’re in, you’re welcome to start training! Once you’re done the survey and four courses, you will begin receiving simulated phishing emails – remember, if you see any suspicious emails in your inbox, please *select the new “Report a Phish” button/forward it to *insert phish forward email.
Send welcome email to users
- Navigate to “Configuration” then “System Configuration”. Select the “Emails” tab and ensure system emails are enabled.
- Navigate to “Division Management”, then “Division Users”, click on the “Actions” button and “Resend Welcome Email”, where you will be able to select users, divisions or the entire organization to receive the welcome email.
Share training completion progress, kudos and tips
Ideas for sharing progress updates:
- Give kudos to the first individuals or departments that complete training. You are able to view this in the “Reports” section by selecting “Course Summary Report”.
- Share regular updates comparing each department’s % of training completion.
- Share updates on phishing simulation data, such as how many phishing simulations total were caught by the organization.
- Remind users of the tips for spotting a phishing email.
- Talk to three people in different teams who have caught phishing emails. Ask how they knew it was phishing and what tips they have to pass on, then share their answers.
- Share which employees or departments have the best (lowest) risk score.
Final reminder of deadline
This is a reminder that the deadline to complete the initial training for CIRA Cybersecurity Awareness Training is tomorrow at *insert time. Here is a link to log in: *insert link
The courses and survey take only about 30 minutes to complete. Ensuring everyone has baseline cybersecurity awareness knowledge lowers the cyber risk for our organization.
Having your staff complete the baseline training is just the beginning of cybersecurity awareness training!
Admins will start to see the real value of the program in the months ahead - by analyzing the survey results to identify risks and implement policies to mitigate them, and seeing how your users build the muscle memory of reporting suspicious emails. Refer to our Guide to Implementing Cybersecurity Awareness Training to learn more.