Creating a Winning Security Awareness Program

By Aaron Pollan

If you work with credit cards, personal identity information or other confidential information, chances are you are required by law to provide your employees with security awareness training.

There is little doubt that education and training can improve your company’s security culture, but how you deliver that training to your employees can transform it from an afterthought that is forgotten within a week into an initiative that brings real and lasting change to your organization.

Turning Your Employees into Security Multipliers

Everyone in information security wishes employees would stop making what they consider “silly” mistakes. With the right security program and training, you can turn your employees from security liabilities to security multipliers. An educated employee who can avoid phishing emails or viruses allows IT and information security teams to focus on the big picture instead of constantly fighting a series of small battles.

Why doesn’t all security awareness training have this effect? Most training suffers from neglect. It is thought of as a burden: something that has to be done, but that can be taken care of at the last minute.

The problem is that no single security awareness training session will completely change your company culture on its own. Sure, a great security awareness course that uses hands-on exercises and real-life scenarios to train people in skills they will use every day, and that gets your employees talking about security, is a thousand times more effective than a boring PowerPoint presentation or simply throwing information at them. However, while it may meet compliance guidelines, a one-time training session is not enough to change your security culture.

West Point completed a study on using a phishing education program to combat phishing. The study found that right after the program was completed, dramatically fewer people fell victim to attacks. However, as time passed, cadets quickly forgot the lesson as they went about their daily activities such as classroom work, exercise, or an instructor screaming in their faces about pushups. It was only by reinforcing those concepts over time with further training and reminders that cadets again remembered how to stop attacks effectively and consistently.

Make a Security Awareness Program Your New Year’s IT Resolution

Since it’s the New Year and the time for resolutions, make this year the year you turn your security awareness training into an effective security awareness program. Here are some guidelines that can help you make the change:

  • Develop a year-long rollout schedule. The key to a program that makes real change is to develop a schedule that runs throughout the year, not just once. Your goal is to keep security at the front of your employees’ minds.
  • Choose a solid eLearning base. Pick a security awareness course that avoids rote learning, engages your employees and provides hands-on training. Employees will remember a course that creates an emotional connection with them, not a dull, lecture-based class. Roll out the course in sections throughout the year to continually train your employees.
  • Reinforce your main eLearning message. As you deliver training throughout the year, don’t let it simply work on its own. You can take easy (and free) steps that remind people about security. Small weekly tips via email, information about companies that have been hacked, newsletters about security, or awards to those with secure work areas will all go a long way toward keeping people aware.
  • Obtain buy-in from senior leadership and department heads. If other leaders know about your plan and how it will positively affect their department, they will help you make sure everyone completes the required training.

Keeping Your Resolution

We all know that while it’s easy to make a resolution, it’s a lot harder to keep one. You can make sure you follow through and achieve your goal by enlisting a support team.

Start by sharing the responsibility with several other people in your department. Head up the program, but don’t try to support it completely on your own. Put yourself in charge of administration, another coworker in charge of queuing up the next eLearning course and sending reminders, and a third in charge of sending out the weekly security tip. By making other people part of the team you can ensure that the program doesn’t dissolve or fall apart.

Now go forth and make 2013 the year when you change your company’s security culture!