Tips for Creating an Effective Employee IT Security Awareness Program

A shocking 75% of employees lack proper security awareness training, which leaves their organizations at risk for data breaches, malware infections and falling victim to other online threats.

A three-year security assessment over seven different industry sectors found that only a quarter of those tested were able to answer 90% or more security awareness questions correctly and 30% overall were rated in the “risk” category.

While companies often understand the need to take precautions for data security like having a firewall and implementing anti-phishing email protection, they’re often lacking when it comes to putting together ongoing training for their employees – who are the key target of attacks.

Reasons that contribute to employees being undertrained in cybersecurity include:

  • Training is only done upon hiring
  • Training is put on the back burner and not made a priority
  • There is no recurring training to ensure employees stay security aware
  • Employers don’t have a formal security awareness training program

Hackers target humans more than anything else when trying to inject malicious code into your system, so it stands to reason that arming your employees with the knowledge to defend against those attacks will significantly increase your overall cybersecurity. 

How to Get Started with an Employee Cybersecurity Awareness Training Plan

One of the biggest mistakes that companies make is to consider IT security awareness training as a “one and done” activity. While some of the information may stay the same, much of it changes and evolves as new threats are designed to attack corporate networks in different ways.

For example, there’s been a recent surge in attacks on Office 365 users with new tactics being used that weren’t seen just a few years ago. If users don’t know about them or aren’t trained to spot them, it’s easy for them to get fooled by an email that looks like a legitimate SharePoint file sharing message but is designed to take them to a spoofed Office 365 login page.

What does a strong employee cybersecurity awareness program look like? Here are some tips that can get you started on one.

Set Up Your Frequency of Training Schedule

Just like fire drills are held regularly to keep the procedures fresh in people’s minds, to ensure your employees not only expand their knowledge but also retain it, you should conduct cybersecurity awareness training regularly.

Decide which frequency makes sense for your company. Once every 6 months? Once a quarter? Once a month?

The longer you go without training, the more likely someone is to make a mistake when it comes to dealing with a security issue or threat, so choose something that’s more frequent than once a year, but that also doesn’t become so inconvenient that you stop it all together.

Split Training Topics Between Core & New

If you’re planning to conduct cybersecurity training every quarter, you might think, “But I’m telling them something they already know!” For retention, you do want to repeat certain core tenants of IT security, but you can do it in a different way. Plus, you want to include new information as well.

So, your training should be a mix of reinforcing strong knowledge of core security topics and introducing new information to keep your users sharp.

Some of the core topics that you want to touch on at each training include:

  • How to spot phishing emails
  • What to do when a phishing email is received
  • What to do if they click a link or open an attachment in a phishing email
  • Password security best practices
  • Data handling when it comes to sensitive information
  • Data privacy compliance (i.e. If your company complies with PCI, HIPAA, etc.)
  • Online safety when browsing websites
  • Public Wi-Fi security

Some of the new information that you want to include in trainings that may not have been in a prior training are:

  • New phishing scams (email and social)
  • New and emerging threats that have been identified
  • Specialty topics like Windows PowerShell attacks or “juice jacking

Use Available Resources 

You don’t have to create your entire cybersecurity training program from scratch. There are plenty of great resources that you can use. 

The first is to work with a trusted IT partner like Technology Visionaries to create your training and carry it out for you. One of the benefits of working with an IT professional is that they can answer questions for your users based upon years of experience and be there as a resource when a user sees something suspicious in their inbox.

Your second type of resource are online training materials that you can adopt and edit for your own awareness training program. Here are a few to get you started:

  • National Cybersecurity Awareness Month (NCSAM)
  • Infosec
  • U.S. Department of Health & Human Services (HHS)

Create a Solid Foundation for Strong Data Security

Technology Visionaries can help your company lay down the solid foundation needed to ensure you’re covered when it comes to data and network security. This includes training, anti-phishing tools, and many other security measures.

Schedule a free IT security assessment today by calling us at 732-587-5960 or using our contact form.