CIS Logo
tagline: Confidence in the Connected World
HomeResourcesBlog post • Keep Your Employees Interested in Cybersecurity Awareness Training with these Tips

Keep Your Employees Interested in Cybersecurity Awareness Training with these Tips

By Sean Atkinson, Chief Information Security Officer

CISO blog

As organizations work to make internal company processes and personnel more secure it’s worth asking, “Are we doing enough?” Rehashing an annual awareness training or a yearly email phishing campaign may not be enough to thwart ever-evolving attacks and nefarious activity.

Get interactive!

To combat “training fatigue,” which can lead to users not practicing what is preached as best controls, it makes sense to implement more interactive methods of cybersecurity policy awareness and training. These come in many forms:

  • Phishing campaigns: Conducted by an internal “red team,” internal phishing campaigns can train employees to spot and report suspicious emails they may receive.
  • Desktop/tabletop exercises: These cybersecurity exercises help employees learn how they would handle an incident such as a DDoS attack or website defacement.
  • USB drops: Are your employees trained to handle a mysteriously-found USB device? Find out with these exercises.

Be sure that these training methods aren’t simply tested and then forgotten; cybersecurity awareness comprises continual processes of integrating behavioral change into the business process. While technical controls can significantly improve security posture – implementing SPF, DKIM, or DMARC to reduce the risk of a successful phishing campaign, for example – it is important that the technical controls are not the only assessment performed against your organization. In addition to conducting training and awareness programs, managers should invest in understanding the analytics resulting from these programs.

To learn more about implementing a security awareness program, check out CIS Control 17.  

Improving privacy and awareness

Particularly as we approach the May 25, 2018 GDPR enforcement date, it’s essential that organizations implement security in the form of role-based access controls (RBAC). Privacy, a key component of GDPR, has become a highlighted requirement for organizations, especially those who manage and safeguard personally identifiable information (PII). Each industry (healthcare, finance, academia, etc.) maintains data that requires a form of protection. As this data becomes more integrated across business units and functions, knowing what types of data you’re managing will allow specific training programs to be built.

Download the white paper, Are You GDPR Ready?

Often, awareness training requires multiple approaches. For example, you might conduct a phishing exercise against a particular department or utilize a multi-email phishing approach for the whole organization. This can allow the organization to more authentically gauge clicks, versus the exercise-defeating murmurs of “Hey, don’t click that!” which can spread through an office quickly. You’ll also want to take into account different learning styles. For some, a PowerPoint may be enough; others might require a more hands-on approach to security training. A strong training program will comprise multiple approaches to cover a variety of training techniques and learning styles.

Join the discussion

What has proven effective for your organization’s cybersecurity training and awareness?

Is the only method to change behavior getting caught or scammed, or can we effectively simulate such a scenario to make those ‘once bitten, twice shy’ more cautious without the bite?

Let us know what you think on Twitter: @CISecurity