Best Practices for Security Awareness Training

By Kevin Lancaster, General Manager of Security Solutions at Kaseya - 01/07/2020

When it comes to training hotel staff on IT security, there are two key factors operators must keep in mind: the information needs to be easily digestible, and it needs to get to the point quickly. Companies often use videos to try to train staff, but those videos are frequently ineffective.

I have seen many training videos that were desperate to be hip and engaging but wound up coming across as a bad joke. Even the ones that succeeded at being engaging were usually far too long. It doesn't matter how good the material in your video is: if it runs over five minutes, staff stop paying attention and start dreading the next one. Employees who dread or resent your training are not going to retain the information.

Instead, keep training videos between three and five minutes long. They should establish the subject and teach it without trying to be flashy. Each video should be followed by a short quiz that anyone who paid attention can answer. Remember: you aren't trying to stump the staff, but a question like "Is phishing bad? Yes or no?" doesn't demonstrate that they absorbed anything from the video. Ask about the specific behaviour the video taught, such as what to do when an email asks for a password or a payment change.

At the end of the day, the purpose of any training, and especially security awareness training, is for the recipient to demonstrate that they have received and internalized the information. If your training doesn't do that, you are crippling the rest of your organization's security right out of the gate.

In addition to passive training methods like videos, companies should also employ active training methods. Passive training has its place and is a solid foundation for building a culture of security, but companies can and should build on that foundation.

One of the most effective types of active training is phishing simulation. As the name implies, you send simulated phishing emails to people in your organization and track their response: whether they opened the link, whether they entered credentials on the landing page, and whether they reported the message. Each recipient needs their own unique link so that every click can be tied back to one person; a shared link tells you only that someone clicked. This gives you a much better sense of the security awareness of individuals in your organization. While one employee might be on top of their game, another might be submitting data to every phishing email they get, so you can direct limited training resources where they're most needed. I've also seen cases where just knowing that phishing simulation goes on in the organization, and that management sees the results, made staff more cautious before clicking on sketchy emails.
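The tracking side of a phishing simulation, as an added example that is not part of the original article or any Kaseya product: each recipient gets a per-campaign token derived with an HMAC (so one staff member cannot decode or forge a colleague's link), the landing site's web-server log is parsed to attribute clicks and credential submissions back to individual recipients, and the result is an ordered list of who needs training first. The campaign secret, recipient addresses, landing-site paths and log lines are all constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Constructed for this example: secret, recipients, landing-site paths and log lines are assumptions.
CAMPAIGN_SECRET = b"rotate-me-per-campaign"        # assumption: held only by IT, new per campaign
CAMPAIGN_ID = "2020-Q1-invoice-lure"
RECIPIENTS = ["frontdesk@example-hotel.test", "housekeeping@example-hotel.test",
              "manager@example-hotel.test"]
LANDING_BASE = "https://training.example-hotel.test"   # assumption: IT-controlled landing site


def make_token(campaign_id: str, email: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Per-recipient token: an HMAC, so nobody can decode or forge a colleague's link."""
    return hmac.new(secret, f"{campaign_id}:{email}".encode(), hashlib.sha256).hexdigest()[:16]


def build_token_map(campaign_id: str, recipients: list, secret: bytes = CAMPAIGN_SECRET) -> dict:
    """token -> recipient; the table the landing site uses to attribute requests."""
    return {make_token(campaign_id, r, secret): r for r in recipients}


def tracking_url(token: str, base: str = LANDING_BASE) -> str:
    """The link that goes into one recipient's simulated phishing email."""
    return f"{base}/t/{token}"


# One combined-log-format line from the landing site's web server.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TOKEN_RE = re.compile(r"/t/([0-9a-f]{16})")


def classify(method: str, path: str):
    """'clicked' = opened the link (GET /t/<token>); 'submitted' = typed credentials into the
    fake login form (POST /login?t=<token>). Favicons, scanners and stray paths are ignored."""
    parsed = urlparse(path)
    if method == "GET":
        m = TOKEN_RE.fullmatch(parsed.path)
        if m:
            return "clicked", m.group(1)
    if method == "POST" and parsed.path == "/login":
        token = parse_qs(parsed.query).get("t", [None])[0]
        if token:
            return "submitted", token
    return None, None


def attribute_events(log_lines, token_map: dict):
    """Count clicks and credential submissions per recipient. A token not in the map
    (guessed, forged, or a scanner probing) is counted separately, never attributed."""
    results = {email: {"clicked": 0, "submitted": 0} for email in token_map.values()}
    unknown = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        event, token = classify(m["method"], m["path"])
        if event is None:
            continue
        email = token_map.get(token)
        if email is None:
            unknown += 1
            continue
        results[email][event] += 1
    return results, unknown


def prioritize(results: dict) -> list:
    """Order staff by training need: submitted credentials > clicked only > no interaction."""
    def score(r):
        return 2 if r["submitted"] else (1 if r["clicked"] else 0)
    return [e for e, _ in sorted(results.items(), key=lambda kv: (-score(kv[1]), kv[0]))]


def sample_log_lines(token_map: dict) -> list:
    """Constructed log: front desk clicked and submitted, housekeeping only clicked,
    the manager never opened the link, and one request carries a guessed token."""
    by_email = {v: k for k, v in token_map.items()}
    front, house = by_email[RECIPIENTS[0]], by_email[RECIPIENTS[1]]
    return [
        f'10.0.0.12 - - [07/Jan/2020:09:14:02 +0000] "GET /t/{front} HTTP/1.1" 200 512',
        f'10.0.0.12 - - [07/Jan/2020:09:14:40 +0000] "POST /login?t={front} HTTP/1.1" 302 0',
        f'10.0.0.31 - - [07/Jan/2020:09:20:11 +0000] "GET /t/{house} HTTP/1.1" 200 512',
        '10.0.0.31 - - [07/Jan/2020:09:20:12 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
        '10.0.0.77 - - [07/Jan/2020:09:21:05 +0000] "GET /t/0000000000000000 HTTP/1.1" 404 0',
    ]


def run_report():
    token_map = build_token_map(CAMPAIGN_ID, RECIPIENTS)
    results, unknown = attribute_events(sample_log_lines(token_map), token_map)
    return results, unknown, prioritize(results)


if __name__ == "__main__":
    results, unknown, order = run_report()
    for email in order:
        print(f"{email:34} clicked={results[email]['clicked']} submitted={results[email]['submitted']}")
    print(f"requests with unknown tokens: {unknown}")
```

Two design points matter in practice. The token is an HMAC over the campaign and the recipient rather than the address itself, so the links reveal nothing about who they were sent to and cannot be forged from one that was seen. Requests carrying a token that is not in the map are counted but never attributed to a person; in a real deployment you would also expect automated link scanners in the mail path to fetch every URL, so a click that arrives seconds after delivery from an unexpected address deserves a second look before it counts against anyone.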

I've even seen some organizations run the following scenario: IT intentionally leaves USB drives lying around to see which employees pick one up and what they do with it. The drives are prepared by IT, so the team can track whether a finder brought the drive straight to them or plugged it into their own machine.

Where IT had access to credential compromise monitoring, I've seen IT staff take the leaked credentials and attempt to use them on their organization's own network, to find out whether the exposure is real. Whatever the outcome of that test, a credential that shows up in a breach should be reset. On the side of training specific to IT staff, simulating disaster recovery or incident response can be a very powerful tool. The important takeaway with any simulation training is that it needs to be as realistic as possible. You train how you fight: if you train less realistically, you'll be at a serious disadvantage when the real threat comes along, whereas if the training is identical to the real thing you'll be faster on the draw, because it will be something you've already done dozens or hundreds of times.

Positive reinforcement of training is a critical element of creating a company culture of security. Penalties have their place, but as with any other organizational effort, if you only punish non-compliant employees, they will only be compliant enough not to get fired. If your organization gives out regular awards, add one for cybersecurity. If you use active training simulations, as you should, give whoever does best over the quarter a gift card. Tie cybersecurity into performance reviews. Do whatever it takes, as long as you're also sending the message that you value your employees and their contribution to the security of the organization.

When this comes up, many organizations wrongly assume they're being told to devote significant resources to a positive reinforcement program. Nothing could be further from the truth: a small reward once a quarter goes a long way. Most likely your organization already has a positive reinforcement system in place; it just needs a specific tie-in to cybersecurity. Employees like feeling appreciated in their workplace, and fostering a culture where cybersecurity is appreciated and prioritized benefits not only the employee but the workplace as a whole.