
The 7 Steps to DIY Security Awareness Training

Patrick Murray
2019-02-26 · 6 min read
InfoSec Best Practices

The Biggest Threat Vector

It’s a well-documented problem that your employee is one of the primary vectors for cyber attacks. Between phishing attacks, poor password policies, and lax access privileges, the employee was directly or indirectly responsible for the lion’s share of data breaches in 2018. According to a recent report by Ponemon Institute, 52% of data breaches were caused by a negligent employee or contractor in 2017.

Companies are attempting to solve the problem with employee awareness training, but it can be a challenge to maintain. One-time group training is the norm, but this does not scale well: new employees are onboarded continuously, InfoSec policies are constantly being updated, and security teams are stretched thin by the shortage of skilled security talent and a growing list of responsibilities for securing the organization.

A DIY Guide to Implementing Security Awareness Training

When faced with such a dilemma, a combination of practical planning and automation can help make your life a lot easier. By following these 7 Do-It-Yourself steps, you can create an employee cyber security awareness training program that essentially runs itself.
Step 1: Assess your reasons for employee training. Is it for compliance with a security certification such as SOC 2 or a regulation such as GDPR? Or perhaps you have had a recent breach from phishing or lax passwords and wish to enhance security.

Step 2: Define your employee-related InfoSec policies. These cover everything from password management, laptop encryption and enabling 2FA on apps to secure email practices. Unsure of which policies you need? Tugboat Logic’s Virtual CISO Platform has prebuilt policies and controls so you don’t have to research or write them.

Step 3: Deliver awareness training to employees. Once you have defined your policies, you need to deliver training at least once per year to keep it up to date. In-person training is time-consuming and costly. Instead, consider using an automated security awareness training system that invites employees to a self-conducted training portal, tracks completion rates for compliance, and can automatically run recurring training once per year for all employees.

Step 4: Test training effectiveness. Once awareness training is complete, there are several tools available to test the effectiveness of some elements of your training. For example, a free tool by Google/Jigsaw tests a user’s ability to recognize phishing emails. Another example: admins can remotely check whether two-factor authentication has been enabled on all enterprise apps.

Step 5: Prove your employees are security aware. If you are looking to be compliant, a key requirement is proof. Be sure to have a central system of record that tracks which users have and have not completed training, which you can show to auditors and/or regulators. Again, you can make this easier to maintain by using an automated system that tracks who has completed training and sends reminders to employees who have not.

Step 6: Schedule recurring training. Most security certifications require employee training annually or whenever there has been a material change to the InfoSec program. Ensure that new employees who may have missed the annual training are trained as well. A centralized system that automatically tracks training renewal dates for you will make this less time-consuming and confusing to maintain.

Step 7: Keep your training material up to date. As you make changes to your InfoSec policies, you will need to update your training curriculum. With everything else on your plate, this step is easily lost in the shuffle. You can reduce the headache of updating content by using a system that automatically updates your training content when you change the associated InfoSec policies.
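The renewal rules that Steps 5 to 7 describe (never trained, annual renewal overdue, or trained before the last material policy change) are simple enough to encode in a system of record. The following is an added example written for this article, not code from Tugboat Logic or its platform; the employee records, policy date and 365-day renewal period are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article).
# Each record: employee -> date of last completed training, or None.
TRAINING_RECORDS = {
    "alice": date(2018, 9, 1),
    "bob": date(2017, 11, 15),
    "carol": None,                 # new hire, never trained
    "dave": date(2019, 1, 10),
}
# Assumed date of the last material change to employee-facing policies.
POLICY_LAST_UPDATED = date(2018, 12, 1)

RENEWAL_PERIOD = timedelta(days=365)


def training_due(records, policy_updated, today, renewal=RENEWAL_PERIOD):
    """Return {employee: reason} for everyone who must (re)take training.

    Checks, in order: never trained (e.g. a new hire), last training older
    than the renewal period, and last training predating a policy change.
    """
    due = {}
    for name, last in records.items():
        if last is None:
            due[name] = "never trained"
        elif today - last > renewal:
            due[name] = "annual renewal overdue"
        elif last < policy_updated:
            due[name] = "policies changed since last training"
    return due


def compliance_rate(records, policy_updated, today):
    """Fraction of employees currently compliant, for an auditor report."""
    if not records:
        return 0.0
    overdue = training_due(records, policy_updated, today)
    return 1 - len(overdue) / len(records)


if __name__ == "__main__":
    today = date(2019, 2, 26)
    for name, reason in training_due(TRAINING_RECORDS, POLICY_LAST_UPDATED, today).items():
        print(f"reminder -> {name}: {reason}")
    print(f"compliant: {compliance_rate(TRAINING_RECORDS, POLICY_LAST_UPDATED, today):.0%}")
```

The reminder loop is where an automated system would send the notifications Step 5 mentions; the compliance rate is the figure you would put in front of an auditor.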

Virtual Training with a Virtual CISO Platform

Creating and maintaining a cyber security awareness program can be quick and easy if you leverage work you have already completed and use an automated system to deliver that training. With a solution such as the Tugboat Logic Virtual CISO Platform, you can create a training program instantly by pulling prebuilt policies from your InfoSec program as training content, invite employees to training automatically, and easily visualize who has completed training, all in one place. This will help you stay more secure and compliant by educating one of your biggest threat vectors: your employees.