Practical Strategies to Enhance Your Organization’s Information Security Awareness and Training Program
Regardless of company size, industry or maturity level, all organizations share a similar risk – the possibility of human error. Human error means unintentional actions – or lack of action – by employees and users that cause, spread or allow security incidents to take place.
Much of human error results from end-users simply not knowing the right course of action in the first place. The mitigation of human error comes from two angles: reducing opportunity and educating users.
The Problem with ‘One Size Fits All’ Training Programs
When it comes to educating users, many companies implement simple awareness and training programs. A simple awareness and training program typically includes:
Trainings assigned to all personnel, covering critical policies issued by the organization, for example:
- Code of Conduct training
- Acceptable Use Policy training
- Clear Desk Policy training
Trainings assigned to specific teams/employees, depending on their day-to-day responsibilities, for example:
- Secure coding best practices trainings, assigned to software engineering employees
- Incident response training, assigned to the incident response team
Exercises to test the employees’ knowledge in real life, for example:
- Simulated phishing campaigns
The problem with this type of approach is that different employees in an organization have different levels of knowledge when it comes to information security principles and best practices. A ‘one size fits all’ training program is not effective, especially when it comes to Information Security trainings.
Six Strategies to Mature Your Information Security Awareness and Training Program
Here are some effective strategies you can implement to mature your organization’s Information Security awareness and training program:
Assess your current training coverage: To ensure your organization has the desired training exercise coverage in place, complete the following assessments and identify potential gaps:
- Compare regulatory requirements for trainings against the training exercises in place
- Compare published information security policies against the complementary training exercises in place
Obtain an understanding of your audience: Conduct a risk assessment of your employees’ knowledge of various information security topics discussed in your organization's published policies, as well as information security best practices. This exercise will provide you with better insight into:
- Who your high-risk employees are – these employees should potentially take additional trainings
- The areas which do or do not require additional coverage in terms of information security training exercises
- The level of training coverage needed per policy or topic: Some topics and policies are straightforward and should only require an annual sign-off by employees, while others are more detailed and require technical understanding to be followed accordingly
Consider which departments handle which data types: For example, if you are concerned about mitigating risk around sensitive patient health information, you can quickly identify which groups/departments should take a specific training to address that risk
Design a training program that considers your resources and risk appetite: Depending on the size of your organization and given resources, the training program can be tailored to address risks on a company level, department level, or on an individual level
Determine appropriate training methods: It is widely known that different people learn in different ways. For your training program to be effective, training exercises must be engaging. Test out the effectiveness of different training methods on various audiences:
- Video content
- Interactive trainings (including quizzes to test out employees’ knowledge throughout the training)
- Articles
- Newsletters
- Tabletop exercises
Conduct department specific exercises to test the employees’ knowledge in real life, for example:
- Targeted phishing campaigns per department, considering suspicious emails that any given department may receive on an ongoing basis
The Bottom Line
An effective awareness and training program is a unique byproduct of each organization’s requirements, employees, resources, and risk appetite. Taking all of these variables into account when designing your awareness and training program will lead to its overall success.