Johna Till Johnson
March 10, 2017
The recent success of Ransomware as a Service (RaaS) attacks has thousands of companies facing systematized extortion. The enterprise facing the decision of whether “to pay or not to pay” can usually thank an unaware employee—even a CEO—who fell victim to the oldest cybersecurity ruse, the phishing email.
The best defense against cybersecurity threats is a security-aware culture that permeates the entire organization and touches everyone on the network—from the board to the lowest intern. For this culture to reach beyond the IT security team, enterprises must implement targeted and sustained security awareness training.
Best-of-the-best security organizations consistently rate security awareness training as a top challenge. Yet when it comes to budgeting, companies often give training short shrift. The training budget and other factors will influence how a company approaches training.
Whether a company develops an in-house security awareness training program or opts to outsource to a third party, the steps must remain the same: assess, plan, develop, implement, monitor and maintain.
- Assess the company’s training needs: rate employees’ and leaders’ knowledge of security issues and best practices, as well as their willingness to learn and their learning styles, using interviews, questionnaires, and even personality tests such as Myers–Briggs.
- Plan: make a list of training topics, prioritized by the most urgent training needs. Decide whether to train in-house or to hire a third-party training vendor.
- Develop: build a set of custom modules, each addressing a specific training need and goal, along with the testing and metrics that accompany each module.
- Implement: roll out the training program modules, testing, and metrics.
- Monitor and maintain: gather regular feedback to determine the program’s effectiveness and to drive updates to it. Effective feedback methods include surveys, short online refresher videos, and community engagement.
If a company lacks the time or staff to implement the above steps, a growing number of third-party companies specialize in customizable training.