How to create a cybersecurity awareness training program

Why is cybersecurity awareness training important?

When an organization's employees don't understand cybersecurity threats and their own roles in protecting systems and data -- and, therefore, the company itself -- they are likely to inadvertently or intentionally undermine security controls. This can result in attackers compromising their accounts, which can lead to devastating security incidents.

Proofpoint's annual "State of the Phish" report consistently finds the majority of organizations deal with successful phishing attacks in a given 12-month period. The survey has also found end users continue to hold the following dangerous cybersecurity misconceptions:

• Any email from an internal corporate address is trustworthy and doesn't contain malware.
• Hyperlinked text in an email always leads to the expected URL.
• Email providers can automatically block all malicious messages.
• Malware from a malicious link or attachment can't spread beyond the computer of the individual who opens it.

A plethora of similar research underscores the importance of more effective cybersecurity awareness training programs. Just one uninformed or inattentive employee can trigger a serious security compromise that could, in turn, pose an existential threat to the organization.

How to create an effective cybersecurity training program

No enterprise sets out to create an ineffective cybersecurity training program. Although organizations want to engage employees and better prepare them to work securely in today's threat environment, many programs simply fail to reach their objectives.

Here are six steps security teams can follow to ensure their training programs meet the mark.

1. Get executive buy-in

Cybersecurity awareness training should be part of a broader organizational security culture that starts at the top. Strong executive support can do the following:

• Ensure a training program gets the resources it needs to succeed.
• Position participation as a top priority for all users.

If management treats cybersecurity awareness training as a box-checking exercise, other employees are unlikely to take it seriously.

To win buy-in from top executives, avoid technical jargon when making the business case for cybersecurity awareness training. Explain the potential impact if, for example, an end user with elevated access privileges falls for a ransomware lure. Then, communicate how a strategic, thoughtfully executed cybersecurity awareness training program can mitigate such risks.

2. Set risk-based objectives

Business risk should drive all cybersecurity strategies and initiatives, including the cybersecurity awareness training program. Conduct risk assessments, and use them to inform security training objectives in the following ways:

• Identify the areas where employee behavior has the most significant impact on overall cyber-risk levels. Prioritize related training topics.
• Identify employees, based on their roles, whose behavior most significantly affects overall enterprise risk levels -- for example, those with elevated administrative privileges or with access to protected data. Prioritize their training, and consider engaging them in more extensive and frequent training than general users.

3. Engage employees

If cybersecurity training is dull, game over -- users tune it out. That said, content doesn't need corny humor or silly stories to engage its audience. Rather, it should speak to the employee's point of view and underscore the real consequences of poor cyber hygiene. Consider sharing stories of real-world attacks, which have built-in human drama -- with good guys and bad guys -- that audiences often find inherently engaging. Then, discuss actionable lessons trainees can learn from these internal or external security incidents.

Important: Keep it short! A series of five- to seven-minute videos is far more likely to hold the viewer's attention than a single 45-minute monologue, no matter how well produced.

4. Use a variety of formats

Because different people learn in different ways, cybersecurity awareness training requires a multipronged approach. The more mechanisms an organization uses to share its message, the more likely it reaches diverse members of the target audience.

Consider the following training formats and channels:

• Live training, either in person or via video conferencing.
• On-demand video training.
• Interactive training and gamified training modules, available from third-party service providers.
• Regular newsletters that share cybersecurity and cybercrime news -- e.g., recent data breaches, new phishing threats and enterprise security policy updates.
• Dedicated channels on collaboration platforms, such as Microsoft Teams or Slack, where users can find security content and news.
• Short discussions in team meetings about cyber hygiene and security awareness.
• Educational lunch-and-learn sessions.
• Informational posters in high-traffic areas of the office, such as kitchens and break rooms.
• Easy-to-read and accessible documentation that recaps cyber hygiene best practices and organizational cybersecurity policies.

Experiment often, and keep what works.

Remember that cybersecurity awareness training is not a one-and-done proposition. Rather, it must start with the onboarding process and continue throughout an individual's tenure at the organization. Think of cybersecurity awareness as a muscle the employee must regularly use to build and maintain strength, ideally through a variety of diverse exercises.

5. Measure effectiveness with phishing simulations

When it comes to assessing effectiveness, traditional post-training quizzes typically miss the mark. Often, the questions have obvious answers that participants can easily guess without absorbing the content. Make the questions too difficult, on the other hand, and an organization could face the problem of widespread employee failure. Regardless, these are not meaningful or actionable metrics.

Mechanisms such as phishing simulations can better evaluate the awareness levels of users on the ground, both collectively and individually. If most of the user base is clicking on simulated phishing emails, for example, then the entire cybersecurity awareness training program might need an overhaul.

If, on the other hand, only a small percentage of end users falls for a simulated phishing scam, then the security team can follow up one on one to address knowledge gaps. Many MSPs now administer sophisticated phishing simulation campaigns, as well as targeted follow-up engagement.

Never shame or chastise employees who click on simulated phishing messages, as doing so can breed hostility, fear and resentment. Rather, frame mistakes as learning opportunities, and encourage a growth mindset.

6. Maintain and update training

Organizations should regularly update training materials for two major reasons. First, nobody finds stale reruns of cybersecurity content engaging. Second, a business's operating environment and threat landscape constantly evolve, and training should reflect those shifts.

When reviewing and updating training strategies and content, pay particular attention to any actionable data that emerges from simulated phishing campaigns and other interactive training initiatives. If, for example, an unusually high percentage of participants opens a mock phishing email on their mobile devices, compared to baseline failure rates, this suggests a need for mobile-specific training.

Most important cybersecurity training topics

While cybersecurity awareness training curricula should reflect an organization's risk-based priorities -- as well as, ideally, individual users' roles -- some topics are universally important.

The following are crucial to include in any security awareness training effort:

• Phishing attacks. Although it's one of the oldest cyberthreats, phishing remains highly effective. Verizon's annual "Data Breach Investigations Report" consistently finds phishing emails among the most common threat actions in cybersecurity breaches.
  
  Security teams across virtually all organizations must teach employees to follow email security best practices and educate them to recognize and handle suspicious messages appropriately. The need for this type of training only becomes more urgent as generative AI threatens to make phishing campaigns more sophisticated and convincing than ever.
• Social engineering attacks. While phishing is the most common type of social engineering attack, others can also wreak havoc. Remind employees they might find social engineering scams across from them at customer service counters, on the other end of telephone calls or even sitting in nearby cubicles. Users should understand and be up to date on the ever-evolving techniques of social engineers and how cybersecurity best practices can frustrate those efforts.
• Password hygiene. Employees who reuse passwords across multiple apps risk exposing corporate credentials if, for example, a consumer retailer where they shop suffers a security breach. Awareness programs educate team members about these risks and impress upon them the importance of following their companies' password policies. At a minimum, every user should create a strong, unique password for each application and site they use.
  
  Many organizations have addressed password security concerns with the implementation of multifactor authentication (MFA), but not all systems support it. And, in some cases, cybercriminals have found ways around MFA. Even so-called passwordless systems typically store users' backup passwords in case normal authentication mechanisms fail. Regardless, password hygiene remains critical.

While training should be current and fresh, that doesn't mean organizations need to explore exotic topics. All the advice above fits into the category of "oldies but goodies."

Most security breaches occur as the result of simple threats. Effective cybersecurity awareness efforts must find new ways to engage employees in basic cybersecurity practices.