As always, when we get to this point in the year we realize that the months have flown by. Before we know it, 2019 will be upon us with new challenges and opportunities. From a business perspective, one of those opportunities is to focus on increased cyber safety and awareness. Regardless of how successful your security awareness training (SAT) program was in 2018, next year is a brand new start, and today is the perfect time to start planning.
Where should you start? The process will differ slightly based on your organization’s size and scope, as well as the degree to which you’ve implemented training programs in the past, but an important first step is to assess users’ current strengths and weaknesses. There are multiple ways to do this: you could deploy a quiz-style assessment (GLS offers a comprehensive one), or even send out a simple questionnaire that asks users how they would respond to different situations. Your goal is to discover where users’ knowledge is solid, and where it may be weak. From there, you can decide what next year’s program needs to target, whether it’s phishing, passwords, or anything in between.
Another key step is to examine the scope and content of your current SAT program. What topics are you already covering, and how do you approach them? Are you utilizing only standard courses, or do you also use gamified content or internal communication materials, such as related articles or print posters? Ideally, a healthy SAT program should expand from year to year, taking familiar content and formats and building on them. For example, if you’re deploying a single security awareness course, consider adding short courses that could supplement users’ knowledge and refresh their memory over the course of the year.
Take the time to determine how well your employees relate to the training they’ve been receiving. Has your program reached users the way you’d like? Are they engaged and interested in the courses they take, or are they apathetic? Although these criteria might seem arbitrary or relatively unimportant, they are a crucial part of analyzing and improving upon existing training. Disinterested employees will disregard training and ultimately fail to follow security procedures. On the flip side, fully engaged employees are much more likely to retain and implement best practices. Evaluate how your users learn, what they relate to, and how your program capitalizes on those interests.
Finally, think pragmatically. Did your organization suffer any security-related breaches or scares in 2018? What risky emails did employees receive and/or fall victim to? Did you notice a trend of insecure passwords creating issues for employees, personally or professionally? Looking at current organizational threats provides a good baseline for creating a new training program. Assessing the greatest risks to your organization can provide important guidance for prioritizing training topics or approaches.
Taking the time to plan, evaluate and adjust your security awareness training program can have a measurable and long-term effect on organizational security.
Click here to view our recent webinar where Joseph Williams, a solutions consultant with Global Learning Systems, will discuss 6 critical elements to consider as you plan your security awareness program in the coming year. You’ll learn valuable tips for evaluating the state of your current SAT program and get insight on the key items you must address, including: assessing your current threat landscape; understanding your organization’s behavior posture; determining the maturity of your program; deciding which elements to include; deploying your program effectively; and measuring success.