Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Creating Buy-In for a Cybersecurity Awareness Program

There is more to implementing a successful cybersecurity training program than to task IT with the job or conduct a quick Internet search to find an outside vendor.

In a day and age when an employee’s error can lead to a disastrous cyberattack, it is imperative organizations have a basic understanding of how to implement an awareness program that reaches all employees, is conducted at the correct pace by well-informed instructors and is helpful, informative, and not irritating.

Personalized Awareness and Training

When building a program, the first thing to remember is that a person is more likely to absorb a lesson if it directly relates to their everyday activities. So, provide content to employees specific to their roles and responsibilities at the company, make it relevant, and to the extent possible, ensure that the information is personalized.

Attack vectors vary, so it is important that staffers are exposed to a wide range of potential threats and learn how to protect themselves, both at work and at home. This exposure should occur from the start, during the on-boarding process and continued with regular refresher training. It’s even a good idea to host these around popular cybersecurity events, such as Safer Internet Day or Cybersecurity Awareness Month.

The organization must make an extra effort in designing these courses. Be creative, engaging, and collaborative. We’ve all gone comatose during a poorly prepared and long-winded PowerPoint presentation, so whenever humanly possible, please avoid running employees through a slide deck. If use of a slide deck is inevitable, plugging in some interactive elements is helpful. Storytelling and gamification are good strategies to look out for when creating an awareness program.

The sponsors of the security program (typically the senior leadership) want to see that the effort they put into a particular program is worthwhile and effective, so meaningful metrics must be developed to measure the success of the cybersecurity training and what improvements need to be made to future content. 

Finally, the program should take into account that the senior leadership team supports cybersecurity awareness and training.

Top management support is essential because it signifies that the program is supported and endorsed – it sets the tone from the top and demonstrates that the top management is actively involved. 

In addition, employees model behavior exhibited by their leaders. If those in charge approach security with a laissez-faire attitude, that is the effort they will receive from their staffers.

In-House Training or Hire a Vendor?

Creating a homegrown security awareness program is certainly possible as opposed to hiring an outside vendor, although there is a time and place for each type of approach.

In some cases, it’s simply a matter of whether or not an organization has the budget and resources to create a program or if an outside cybersecurity training firm would be more cost-effective.  

Also, to create a program organically, an organization should answer the following questions:

  • How big is the security team and does it have the time, capability and budget to implement the program?
  • Can the program be run by an existing learning and development team in consultation with a security advisor?
  • Can security champions within the organization be leveraged to further learnings, program planning, development, and deployment?

If an in-house team is not feasible for budgetary or personnel reasons, it makes perfect sense to look outwards. However, again, questions must be asked and answered.

For example, would the contract be a one-off engagement or run for an extended period? Do you need the vendor to supply a complete program, or could a limited contract be created that has the contractor providing a different flavor to the in-house program? Does the vendor have the ability to provide real-life examples and relatable ‘threat intelligence’ to help teach employees the value of cybersecurity?

Creating a Training Schedule

Cybersecurity, like all training, must walk the thin line between being offered often enough for the instructions to sink in and be reinforced, and being repetitious to the point where the students simply want to check off the required boxes and get on with their day.

A staffer’s first exposure to an organization’s training program should occur within a month at most of that person joining the organization.

Trainers should hold refresher general security awareness training at least annually. Practice phishing campaigns should take place at least quarterly and, realistically, should be automated as much as possible.

Additionally, the organization should supply staffers with topical security awareness material at least quarterly. One possible consequence of a person being bombarded with training material and classes is cognitive overload, so stagger training throughout the quarter and conduct them in 10 to 15-minute training modules. 

Using a Carrot or a Stick

We’ve seen several ways organizations incentivize their programs, including honorable mentions by top executives, naming security champions of the month, recognition for successfully reporting a phishing campaign and thank you notes. 

More physical rewards could also be incorporated, such as corporate branded candy, t-shirts, mousepads, stickers, notebooks, etc.

Supervisors should never mete out punishment failing a test or module of an awareness program. This action drives avoidance behavior and results in less engagement with the security team. Additionally, if punishment is a possible result of taking security training, employees might try to find shortcuts to avoid making the wrong choice instead of learning from a genuine mistake and/or lack of knowledge.

These are all understandable but highly undesirable outcomes. The goal is for employees to learn what to do if faced with a real issue, not to hide what has happened. 

Providing comprehensive training in an entertaining format covering the threat vectors within your business will make a big difference in your battle against digital adversaries. A mix of good monitoring, adequate threat detection, and user awareness is a recipe for success in today’s cyber threat climate.


18236_microsoftteams-image-1
CATALOG

Cybersecurity Education Catalog

This catalog provides Security Awareness Education Training programs and course options.

 

 

Latest Trustwave Blogs

Phishing: The Grade A Threat to the Education Sector

Phishing is the most common method for an attacker to gain an initial foothold in an educational organization, according to the just released Trustwave SpiderLabs report 2024 Education Threat...

Read More

Unlocking Cyber Resilience: UK’s NCSC Drafts Code of Practice to Elevate Cybersecurity Governance in UK Businesses

In late January, the UK’s National Cyber Security Centre (NCSC) issued the draft of its Code of Practice on Cybersecurity Governance. The document's goal is to raise the profile of cyber issues with...

Read More

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More