I like the list in this article. One thing I’d add is: “Target training at those that show the most risky behaviour” which probably goes along with “Make training and testing relevant”…:
[…] Incorporate useful tools: Cybersecurity training has often been provided in an annual training module that attempts to cram every point into a 30-60 minute session. Most users are not inclined to really focus on cybersecurity for that length of time. Several companies have developed web-based training platforms that can be used to assign employees short, topic-based training modules on a recurring basis, usually monthly. These platforms also can provide additional information for employees to learn more about cybersecurity.
Practice using real-world examples: Phishing emails continue to be the leading way that malware makes its way into an organization. How do you know if your employees have learned what they’ve been taught about phishing email? Test them. Similar to the web-based training platforms, phishing email platforms have been developed to assist you in creating emails crafted to test your employees’ skills in identifying malicious emails entering your organization. When utilized in a systematic manner over time, this allows you to observe and measure the effectiveness of your training, and the organization’s susceptibility to attack.
Make training and testing relevant: When developing your training and testing plans, consider topics that will have personal relevance to employees. For example, your employees likely have active email or social media accounts they use daily. Make sure your training covers topics about the risks of social media and phishing emails they may expect to receive in their personal accounts. If you can link the importance of cybersecurity to their personal lives, employees will take it much more seriously and retain more of the learning.
Make the message visible: In the office, flyers and posters in break rooms and meeting spaces can help reinforce important messages. With many employees working from home, switching up the approach is necessary to ensure they’re still keeping cybersecurity a top priority. Consider leveraging your company’s cybersecurity education platform and creating educational touchpoints through reminder emails, video lessons and employee newsletters.
Reward good performance: Employees are motivated by incentives, so consider rewarding individuals who have performed well on tests and make it public, which in turn may motivate others to up their game. It could be as simple as a certificate or a shout-out, or there could be tangible incentives like gift cards or other celebratory gifts. Likewise, a grading system could be used to motivate better employee performance. It also can help identify employees who may need additional attention.
Gather feedback: Find out from your employees what is and is not working in your cybersecurity education programs. Ask if they like the education or phishing tests, or if they think there’s too much training or if the tests are unfair or too hard. Employees are usually willing to provide feedback if they believe you’re listening. Be sure to respond to feedback, even if to say you believe the training or testing is working as expected and you do not plan to change. Opening up this line of communication could be an important step to improving incident reporting.
Be unconventional: “Thinking outside the box” may be an overused phrase, but it works. Bring in speakers to talk about security both from the company perspective as well as a personal perspective. Government agencies are often willing to speak on the topic of cybersecurity to organizations, as are companies that sell security products. Having an employee share an actual incident, whether it’s business or personal, can be eye-opening. When employees hear of actual real-world experiences, they gain more appreciation for the importance of cybersecurity.
Incorporating programs that help both the institution and employee identify potential cyber-attacks benefits everyone. Institutions with educational programs and tools based on these best practices will help build employee awareness of signs of threats in their personal and professional digital lives.