The Fundamentals of a Security Awareness Program

Whether you’re just getting started and don’t have a security awareness program in place, or you’re looking to build on to an existing program, for cybersecurity awareness month this year we’re bringing it back to the basics and covering the fundamentals of a security awareness program.

What is a Security Awareness Program?

A security awareness program is a way for you to protect your organization from cyber risk. It should consider your technological security, physical security and human security. While all three components are essential to a well-rounded cybersecurity awareness program, in this blog we’ll be focusing on human security.


Human Security

Organizations are starting to invest more in human security by training and educating their employees on the important role they play in protecting the organization. Although we can put physical and technological controls in place, cybercriminals are going to continue to target people in ways that physical and technological security will not always catch. This is why it’s so important to empower your employees to be in control of the technology they use every day.

When communicating the important role employees play in their organization’s cybersecurity efforts, remember not to rely on FUD (Fear, Uncertainty and Doubt) in your security awareness program. While stressing the multiple avenues of attack and the risks associated with cybersecurity is important, overwhelming employees with potential breaches and other statistics can cause fear and make them afraid to even open emails containing a link. Instead, make them feel empowered and confident in their ability to recognize and report cyber risks.

To empower your employees to be your organization’s best first line of defense against cyber threats, we’ve provided the baseline for how to start measuring the success of your security awareness program.


Creating a Baseline to Measure Success

1. Create a Survey

Create a survey with questions related to an employee’s contribution to protecting their organization and focus on how they feel about cybersecurity. By analyzing these results, you can gain a good understanding of how different departments and employees feel about cybersecurity and the role they play in protecting their organization. You can use this survey to identify any gaps in understanding and create training to address those gaps. To measure your program’s success, have employees complete this survey on an annual basis and compare the results to see which areas have improved and which may need further attention.


2. Deliver Educational Training

Training is a key component of a security awareness program and should not be considered done after its initial completion. Training should occur on a frequent and regular basis so that cybersecurity becomes an integral part of your organization. Incorporate basic cybersecurity training into your onboarding process and continue to train employees frequently in short sessions to maintain attention and engagement. Consider delivering training that is consistent with the real threats your organization is facing so your employees can be prepared to recognize and report suspected threats.


3. Send Phishing Simulations

After initial training, continue to phish your employees regularly. We recommend phishing employees on a monthly basis in order to best track individual, departmental and organizational improvement. An important component of phishing is rewarding employees for recognizing and reporting phish. This can be as simple as following up with them to congratulate them on catching the phish, giving them a shout out in your communications tool or providing some other reward such as a certificate or other prize. By rewarding employees for reporting phish, you are encouraging them to continue this good cyber behavior.
