By George Anderson

George Anderson

The question for this edition of “Ask a Security Expert” comes to us from Mike Dunn, a project manager at Adtech IT Solutions, who asks, “How can I create better training for my employees?”

As cybersecurity threats continue to evolve, managed service providers and small and medium-sized businesses must work to continuously educate themselves and train employees to help reduce business risk. An absolutely crucial component of this education is ongoing employee security awareness training. Here are some tips on how you can get your security awareness training program up and running.

Getting Your Program Started

Build the foundation: When getting your program off the ground it’s vital that you engage with employees, team members and management from the get-go. Doing so will build a foundation for the program and set it up for success. A good first step is to send a companywide email highlighting the value of security awareness training and explaining the training campaigns employees can expect to take part in. Buy-in from all levels will help shape a culture that values security.

Get (fake) phishing: Starting out your security awareness training program with a simulated phishing campaign will give you a number of resources that can be leveraged down the line. First, it will give you a baseline understanding of the awareness your employees already have when it comes to phishing. Second, the results of the simulation will help demonstrate the need of the program to any management or IT decision makers who are skeptical about implementing the program.

For this first baseline test it is best to mimic an email from an internal department, like HR or IT, as this will likely get most employees to open the message. Additionally, consider having your phishing link lead to a “404 Page Not Found” message. This will keep employees who clicked unaware that they were “phished” and keep them from talking about it with others in the office, giving you a more accurate baseline. As time goes on, you can switch the phishing links to redirect to training pages and courses to maximize the amount of training material your employees engage with.

Share feedback: Compiling results and sharing feedback from the simulation companywide will prompt smarter cyber habits from employees. For example, sharing the data from the simulated phishing campaign can help employees understand the consequences of poor email habits and encourage them to change their behavior.

Remember, the goal isn’t to shame anyone who clicked. Instead, share the results in a collective report so individuals can recognize whether they clicked or not without fear of embarrassment. Additionally, a companywide report will give employees insight into the statistics around the organization as a whole.

Keep it up!: Now that employees have seen the results and the value security awareness training can bring to the organization, the next step is to set up an official training program. While there’s no set formula for a training program, it’s recommended to run a minimum of one to two phishing simulations…

…per month and at least one to two training courses per quarter. With a steady program in place, there’s no doubt you will begin to see the significant impact that security awareness training and education has on your employees.

Reduce the Risk

While businesses may believe their employees have enough awareness to pick out a phishing email and not be duped, cybercriminals continue to use this method of attack for one crucial reason: It works. With ongoing training that includes phishing simulations and courses on cyber hygiene and best practices, businesses can reduce the risk of a data breach and be more resilient against cybercrime.

George Anderson, director of product marketing at Webroot, has spent the past 16 years in the IT security industry and is currently Webroot’s product marketing director for endpoint, web and mobile security solutions. Prior to this he founded the Wasey Campbell-Ewald Direct Marketing Agency and held senior executive roles at Ogilvy & Mather Direct and McCann-Erickson Direct. Follow him on LinkedIn or @andersongj on Twitter.