Companies are often hit or miss with their employee security awareness training. Some might hold a session once a year, while other businesses hand out a security sheet during the onboarding process and that’s about it.
According to Proofpoint’s 2020 State of the Phish report, 43% of organizations dedicate a maximum of 2 hours to employee security awareness training each year. That’s not a lot when you consider the damage a cyberattack can do to a company.
The average annual cost of cyberattacks for a U.S. small business is $25,000.
Training employees regularly on cybersecurity best practices is an important component of your overall IT security strategy. Employees are often on the front lines of cyberattacks, being targeted by phishing through email, text messages, phone calls, and over social media.
You can’t just do an hour or two of training once per year and expect the human part of your security plan to be effective. Employees need ongoing training that’s going to prepare them for the threats that they’ll be facing daily.
Proper Employee Security Awareness Training Can Reduce Risk Significantly
Taking the time to put together an ongoing training program for your employees to sharpen their security skills can pay off through a significant reduction of risk for a business.
According to a study by the Aberdeen Group, increasing the budget for security awareness training helps to change the risky employee behaviors that lead to data breaches and malware infections.
How much is risk reduced? The study found that the risk of falling victim to a cyberattack decreased by 45% to 70% when companies focused on employee security awareness training.
Tips for Engaging & Effective Employee Security Awareness Training
One of the best ways to instill a culture of security awareness in your organization is to use a variety of training formats. For example, you don’t want every cybersecurity training session to be one person talking through a PowerPoint. Engaging training covers different subjects in different ways.
Here are some of the most popular ways to build employee security skills:
- In-person training sessions
- Computer-based training
- Simulated phishing attacks
- Newsletters & emails
- Awareness posters & videos
- Smishing or vishing simulations
- Cybersecurity-based contests and prizes
- Email reporting button to report suspicious emails
Let’s look at how some of these can be used to beef up your employee security training program.
In-Person Training Sessions
In-person training sessions are effective bookends to other types of training, like videos, simulated attacks, etc.
This is where you can re-emphasize the importance of a culture of cybersecurity and tie together the different elements of your training program.
You can also use an in-person event to reward those individuals or teams that have exhibited improved cybersecurity and discuss upcoming training, so employees know what to expect.
Computer-Based Training
Computer-based training allows employees to learn at their own pace. It can be made engaging through the use of video and audio to get certain points across.
Using a tool like Microsoft Viva in Teams can allow you to more easily make computer-based security awareness training a natural part of a person’s weekly or monthly “to-do” list and continue growing IT security awareness.
Simulated Phishing Attacks
Simulated phishing attacks are particularly helpful for gauging the effectiveness of your training program. Did fewer employees click the fake phishing link than in the last drill? Is there one department that seems to be lagging behind the others?
These drills can help employees hone their phishing identification skills and give you insights that guide your training activities.
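As an added illustration (not part of the original article), the following Python script answers the two questions above from a constructed set of drill results: it computes click and report rates per department for each campaign, the change in click rate between two drills, and which departments lag the company-wide rate. The campaign names, departments and the 10% lag tolerance are assumptions.

```python
from collections import defaultdict

# Constructed drill results: one row per employee per simulated phishing campaign.
# "clicked" = followed the fake link; "reported" = used the suspicious-email button.
DRILL_RESULTS = [
    {"campaign": "2023-Q1", "dept": "Accounting", "user": "a1", "clicked": True,  "reported": False},
    {"campaign": "2023-Q1", "dept": "Accounting", "user": "a2", "clicked": True,  "reported": False},
    {"campaign": "2023-Q1", "dept": "Accounting", "user": "a3", "clicked": False, "reported": True},
    {"campaign": "2023-Q1", "dept": "Sales",      "user": "s1", "clicked": True,  "reported": False},
    {"campaign": "2023-Q1", "dept": "Sales",      "user": "s2", "clicked": False, "reported": False},
    {"campaign": "2023-Q2", "dept": "Accounting", "user": "a1", "clicked": False, "reported": True},
    {"campaign": "2023-Q2", "dept": "Accounting", "user": "a2", "clicked": True,  "reported": False},
    {"campaign": "2023-Q2", "dept": "Accounting", "user": "a3", "clicked": False, "reported": True},
    {"campaign": "2023-Q2", "dept": "Sales",      "user": "s1", "clicked": True,  "reported": False},
    {"campaign": "2023-Q2", "dept": "Sales",      "user": "s2", "clicked": True,  "reported": False},
]

def rates_by_campaign(results):
    """Return {campaign: {dept: (click_rate, report_rate)}}; "ALL" is the company-wide figure."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))  # [targeted, clicked, reported]
    for r in results:
        for dept in (r["dept"], "ALL"):
            c = counts[r["campaign"]][dept]
            c[0] += 1
            c[1] += r["clicked"]   # bool adds as 0/1
            c[2] += r["reported"]
    return {camp: {d: (c[1] / c[0], c[2] / c[0]) for d, c in depts.items()}
            for camp, depts in counts.items()}

def trend(results, latest, previous):
    """Change in click rate per department between two drills (negative = improvement)."""
    rates = rates_by_campaign(results)
    return {d: round(rates[latest][d][0] - rates[previous][d][0], 3) for d in rates[latest]}

def lagging_departments(results, campaign, tolerance=0.10):
    """Departments whose click rate exceeds the company-wide rate by more than `tolerance`."""
    rates = rates_by_campaign(results)[campaign]
    overall = rates["ALL"][0]
    return sorted(d for d, (click, _) in rates.items() if d != "ALL" and click > overall + tolerance)

if __name__ == "__main__":
    print("Trend Q1 -> Q2:", trend(DRILL_RESULTS, "2023-Q2", "2023-Q1"))
    print("Lagging in Q2:", lagging_departments(DRILL_RESULTS, "2023-Q2"))
```

A real program would read the same columns from the phishing-simulation tool’s export rather than a hard-coded list.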
Newsletters, Emails, Posters
A great way to keep cybersecurity at the forefront of people’s minds is through mentions in your company newsletters, email signatures, or posters that you put up throughout your building.
Put an “IT security tip corner” in your newsletter or a link to the most recent cybersecurity video that employees should watch. These reminders and visual cues of best practices help reinforce all the other training that you do throughout the year.
Suspicious Email Reporting
Whether you do it through a button or an email address that suspicious emails are forwarded to, it’s important to give your team a way to get a second opinion on a strange email.
It gives employees a concrete action to take instead of just wondering whether an email is real or not.
For example, an accounting employee may get an email from what appears to be your bank’s customer support department asking them to follow a link to change their login password to online banking due to a recent breach.
The employee doesn’t want to ignore the email if it’s for real, but they also should question this type of email because this tactic is commonly used in phishing attacks.
Providing that person a place to send the email for verification (to your IT team or IT partner) gives them closure that they haven’t just left a potentially important email unaddressed. It also reduces the risk that they’ll click the phishing link and end up compromising their login details.
Get Flexible Training Solutions for Your Employees
Rocky Knoll Technologies can help your Charlotte area business implement employee security training that is engaging and builds the skills of your team to reduce your risk.
Contact us today to schedule a free consultation. Call 704.594.7292 or reach us online.