After months of talks, budget approvals, and getting stakeholder buy-in, you finally have the security awareness tool of your choice ready to be used. You get some welcome emails, an onboarding conversation with a customer account manager, and then…?
Wait, what comes after you’ve got your tool in place? Some systems suggest a program to follow, complete with timing, and others leave it entirely in your hands. You’ve gone from procuring a platform to now having to fully manage a training program that is expected to reduce the risk that cyber security threats pose to your employees. No pressure! So what does day two of this process look like? Let’s dig in.
Learning the Tool/Platform
You’ve got a new platform at your disposal, and now it’s time to learn how it works. After a brief onboarding process, you are typically left to your own devices. Unless implementing training programs is a specialty of yours, expect more than just enrolling users: you will be identifying which content is most suitable, creating content that doesn’t exist in the library, building reports, and tracking progress. This may not sound like much, but it adds up quickly, especially when it comes to managing all of the users.
Building Out a Curriculum
Even if the SaaS vendor supplies templates and suggestions, the success of the training program ultimately depends on the training lead. For many organizations, training happens quarterly; for some only once a year; and for even fewer on a monthly basis. Between those sessions, users need to retain the information, report more suspicious emails and content, and of course not accidentally click on a malicious link or attachment.
It’s even possible that you’ve stumbled upon this article while researching how to develop such a program. Once the program is designed, you can adapt the training tool and its content to your organization’s needs.
Although there are numerous ways to manage a security awareness training program, we suggest a prescribed curriculum, because users learn and retain information better that way. Such programs are designed with the organization’s policies and requirements in mind. For example, we use pre-set, monthly programs in which a user actively interacts with training content through microlearnings; this reduces risk and increases the amount of suspicious content that users report. Without repetition, there is a greater likelihood of failure, and certainly less suspicious content gets reported between trainings.
No, Simulations Are Still Not Training
In our not-so-scientific Twitter poll, we found that many organizations try to replace training with simulations; however, that approach misses the point. Simulations are designed to test a user, not to reinforce knowledge.
Now that you’re the master of the SaaS platform and have a program in place, it’s time to decide how to test your users. Don’t make the mistake of using simulations in place of frequent and engaging training to change user behavior. Simulations test the knowledge users gained in their security awareness training. If a user accidentally clicks on a link, they should be tasked with re-taking the training and then tested again.
As with the training content, you still need to identify or create the best simulations for the job. For most tools this consists of picking a few simulations from a library, running them a few times throughout the year, and tracking the results. In a modern security awareness training program, these simulations should reinforce what the training taught, creating a more connected experience that sheds light on potential weak points among your users.
Identifying and Tracking Success Metrics
Hit a button and out pops the report. It should be that easy, and in most cases SaaS-based training tools make that a reality. Before any of that happens, though, your organization first needs to decide which success metrics to track. In security awareness training, that is far more than just the click rate (or lack thereof) in phishing simulations. A successful security awareness program will track user behavior over time, show signs of improvement, and of course see a reduction in links clicked in simulations.
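To make this concrete, here is an added example (not code from the original post or from any vendor platform) that turns a phishing-simulation event log into the metrics discussed above: per-campaign click rate and report rate, users who click repeatedly, and the re-training queue described in the previous section (users who clicked and have not yet re-taken the training). The event format, the campaign names and the sample log are all constructed for this example; a real platform's export will look different, but the metrics are the same.

```python
"""Added example: deriving security-awareness metrics from a constructed
phishing-simulation event log. Not code from any vendor tool; the event
schema and the sample data are assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    campaign: str  # simulation campaign id (assumed naming, e.g. "q1")
    user: str
    action: str    # one of: delivered, clicked, reported, retrained


# Constructed sample log, in chronological order. "retrained" records that a
# user completed the follow-up training module after a click.
EVENTS = [
    Event("q1", "alice", "delivered"), Event("q1", "alice", "clicked"),
    Event("q1", "bob", "delivered"),   Event("q1", "bob", "reported"),
    Event("q1", "carol", "delivered"), Event("q1", "carol", "clicked"),
    Event("q1", "dave", "delivered"),
    Event("q1", "erin", "delivered"),  Event("q1", "erin", "reported"),
    Event("q1", "alice", "retrained"),
    Event("q2", "alice", "delivered"), Event("q2", "alice", "reported"),
    Event("q2", "bob", "delivered"),   Event("q2", "bob", "reported"),
    Event("q2", "carol", "delivered"), Event("q2", "carol", "clicked"),
    Event("q2", "dave", "delivered"),  Event("q2", "dave", "clicked"),
    Event("q2", "erin", "delivered"),  Event("q2", "erin", "reported"),
]


def campaign_metrics(events):
    """Per campaign: delivered count, click rate and report rate as fractions
    of delivered users. A user who clicks and then reports counts in both
    sets; that is worth seeing rather than hiding behind a single number."""
    by_action = defaultdict(lambda: defaultdict(set))
    for e in events:
        by_action[e.action][e.campaign].add(e.user)
    delivered = by_action["delivered"]
    metrics = {}
    for c in sorted(delivered):
        n = len(delivered[c])
        metrics[c] = {
            "delivered": n,
            "click_rate": len(by_action["clicked"][c] & delivered[c]) / n,
            "report_rate": len(by_action["reported"][c] & delivered[c]) / n,
        }
    return metrics


def repeat_clickers(events):
    """Users who clicked in more than one campaign: the weak points the
    simulations are meant to surface."""
    campaigns = defaultdict(set)
    for e in events:
        if e.action == "clicked":
            campaigns[e.user].add(e.campaign)
    return {u for u, cs in campaigns.items() if len(cs) > 1}


def retraining_queue(events):
    """Users whose most recent click has not been followed by a 'retrained'
    event. Relies on the log being in chronological order."""
    last_click, last_retrain = {}, {}
    for i, e in enumerate(events):
        if e.action == "clicked":
            last_click[e.user] = i
        elif e.action == "retrained":
            last_retrain[e.user] = i
    return {u for u, i in last_click.items() if last_retrain.get(u, -1) < i}


def trend(metrics):
    """(click_rate delta, report_rate delta) from the first to the last
    campaign. A negative click delta and a positive report delta is the
    improvement a program is looking for."""
    first, last = sorted(metrics)[0], sorted(metrics)[-1]
    return (metrics[last]["click_rate"] - metrics[first]["click_rate"],
            metrics[last]["report_rate"] - metrics[first]["report_rate"])


if __name__ == "__main__":
    m = campaign_metrics(EVENTS)
    for c, v in m.items():
        print(f"{c}: delivered={v['delivered']} "
              f"click_rate={v['click_rate']:.0%} report_rate={v['report_rate']:.0%}")
    print("repeat clickers:", sorted(repeat_clickers(EVENTS)))
    print("re-training queue:", sorted(retraining_queue(EVENTS)))
    print("trend (click, report):", trend(m))
```

On the constructed log the click rate stays flat at 40% between the two campaigns while the report rate rises from 40% to 60%; carol shows up as a repeat clicker, and both carol and dave land in the re-training queue because neither has a "retrained" event after their latest click. Reading the three numbers together, rather than the click rate alone, is the point of the section above.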
Benefits of a Managed Program
If this sounds like a lot of effort, that’s because it is. Some organizations don’t even have a dedicated training lead, which means someone has to balance their day-job tasks with managing thousands of users and helping them become more security vigilant. That is a great deal of pressure. In the past 15 years of detecting, analyzing, and taking down phishing threats, we’ve found that the best way to instill security vigilance is through a prescriptive, science-backed education model.