According to a recent study, just under half (45%) of the organizations surveyed don’t have security awareness training — or they have it, but make it optional (10%). The remaining 45% have mandatory security awareness training. What’s keeping nearly half of respondents from providing cyber awareness training and making it mandatory when phishing, ransomware and other threats are so rampant? We often hear these reasons:
- There’s limited executive support for mandatory training
- There are few internal resources available to implement and maintain a meaningful training program
- Security awareness training is competing with other required training for employees’ time
Security professionals sometimes have to compromise in the face of these challenges, and end up making security training optional for their users. But is that really the best solution? Are there other ways of working within some of these constraints and still implementing an effective, mandatory security awareness training program?
Here are three tips that will allow for an easier transition to mandatory cybersecurity awareness training:
Tip 1: Start small
Security awareness training doesn’t have to push the boundaries of what users are willing to do. It’s not necessary to launch a comprehensive set of courses covering every possible threat in order to be effective. In fact, if your organization is not accustomed to mandatory training, deploying one or two shorter courses is a smart move. Not only will it reduce the training load on employees, it will also increase the likelihood that executives will back the idea, too. Your goal is to demonstrate that training is a doable project, rather than a burden on everyone involved.
Tip 2: Have a plan for encouragement and enforcement
Once cyber awareness training is mandatory, you’ll need to set the right tone that encourages users to take the training while emphasizing that it is mandatory and there could be consequences for not completing it. Your approach will vary based on your organizational culture, but consider these points:
- Give users a set period of time to complete the training: not too short, but not too long. The time period should reflect the importance of the training while recognizing employees’ other commitments.
- Clearly state how long the training takes, so employees understand how much time they will need to set aside.
- Wordsmith notifications and reminders carefully, to kindly but firmly indicate to employees what is expected of them. Avoid punitive language, but if there are consequences to not taking the training, make those known as objectively as possible.
Tip 3: Build engagement through communication
Many training programs neglect to gain buy-in and engagement from learners. Employees are told to complete courses, but may not understand why. This approach inevitably leads to poor adoption and apathy toward training. Instead, convey why security awareness training is critical before you deploy it. Explain the topics in terms that employees will be familiar with, such as recent organizational incidents, or threats covered in the news.
Remember, transitioning to mandatory cybersecurity awareness training is likely going to be a gradual process. But if training is only ever optional, the training itself and what it teaches will never become a habit. Even one short mandatory course will be more effective than multiple optional courses that no one elects to use.
What Can You Do?
Get actionable advice on building a security culture in your organization in a recently recorded webinar “Developing Security-Minded Employees for Defense Beyond Organizational Boundaries.”