Gaining buy-in from executive leadership and employees within your organization to conduct phishing simulations as a form of security awareness training can often be a daunting task. Proper training programs are extremely effective in conditioning employees to identify threats, yet the security teams we speak with are often met with considerable resistance. Employees feel that the simulations are deceitful and are used to point fingers.
If you are faced with these objections, read our post on Hitting Back at the Security Awareness Training Naysayers for why high quality security awareness training is far from a waste of time and money, and how it truly enhances the knowledge and behavior of your users.
To shift the mindset within your organization so that employees take ownership of the role they play in its security posture, IT security teams must shift their own set of beliefs as well. You cannot “patch” your users. Because they are humans, you must appeal to their emotions to convince them to change their behavior. Here are the steps we recommend:
- Kick it off right: Present the details of the new program and the basics of phishing so that employees don’t feel left in the dark. One CISO we spoke with gave out bags of Swedish Fish to sweeten the first day!
- Relevance: Provide specific, actionable tips in the training material (e.g. hovering over links to check where they really lead) that will benefit employees both on the company network and on their own.
- Good content: Security awareness PowerPoint presentations should be a thing of the past. Security is what you’re passionate about, so make it fun and get creative! Many companies use gamification to engage their employees (e.g. the first person to report a phishing simulation gets lunch on the company).
- Positivity: Reward good behavior, and empower those who fell for the simulation to improve by focusing on what they can do differently next time.
When you are successful in conditioning employees to adopt good cyber hygiene, they provide increased visibility into the threats targeting your organization. You can also check out our previous post, Five Strategies to Motivate Your Employees to Behave More Securely, to learn how people can change their behavior, which, when done effectively, can be even more effective than programming.
How have you gained employee buy-in for your Security Awareness Program?
It's now the time of year when budgets for 2017 are being developed, and what a perfect time to build a business case for truly effective security awareness training. Here we have provided a handy guide to the components you need to build your business case.
There's more to come this week on security awareness training: sign up for our blog to receive alerts on our Security Awareness Month series. We will also enter you for a chance to win a #PhishRage t-shirt.