Everyone in your office needs some type of Internet security training. But nobody ever really likes going to training sessions because they’re often kind of dull and discuss worst-case scenarios that people often doubt will ever occur. Of course, you know that these worst-case scenarios can and do occur all the time, and you want your team to be prepared. Still, you don’t want to shove anything down anyone’s throat. That will only lead to more resistance.
So, if you schedule an event to teach people about Internet security, make attendance optional. And with that, chances are, you’ll only have about 5% of your office population show up, and that 5% will consist of, primarily, the people who need the training the least. Why conduct a study in futility? There are easier, more effective ways to provide your employees with Internet security training and establish the kind of good habits that will make your business less vulnerable to either internal or external cyber threats.
Here are six steps to a successful Internet security awareness training program:
1) Formulate and make easily available a written Security Policy. Each employee needs to read the document and sign it as an acknowledgment of his/her understanding of the policy and a promise to apply it.
2) Give all employees a mandatory (online) Security Awareness Course with a clearly stated deadline. It is highly recommended that you explain to them in some detail why this is necessary.
3) Make the Security Awareness Course part of the onboarding process of each new employee. This sets the tone right away, making it easier for new employees to adopt the good Internet security habits that you want them to practice.
4) Use regular, periodic testing to keep employees on their toes and security top of mind. Sending a simulated phishing attack once a week is an extremely effective way to keep them alert.
5) Never publicly identify an employee who fails a simulated attack. Let the employee’s supervisor or HR take this up privately. Give a quarterly prize for the three employees with the lowest ‘fail-rates.’ Competition motivates people far better than humiliation does. Survey your employees to find out what prizes they would most like to have. This increases their sense of motivation because they’ll be competing for items that are of real value to them.
6) If you use posters, stickers and/or screensavers, change the pictures or messages monthly. After a few weeks, people simply don’t ‘see’ them anymore. It’s more effective to send them regular ‘Security Hints & Tips’ via email. You could further engage your employees by inviting them to share their own hints and tips such as mnemonics that they use to memorize passwords or lists of rules such as how to recognize phishing scams, etc.
You know it’s important for your employees to have Internet security awareness training, but you also know that training classes just don’t work sometimes. So, you’ve got to get creative in order to eradicate those bad habits that have the potential to ruin your business and put your employees out of work.