Organisations and employees often think of staff awareness training as a hassle. Work grinds to a halt as you’re hauled off to a meeting room and lectured about stuff that probably doesn’t even affect you.
Except that it does. Human error was the primary cause of 46% of data breaches last year, according to Verizon’s 2018 Data Breach Investigations Report. Most of those incidents are related to basic mistakes, such as misconfiguring databases, sending information to the wrong person or falling victim to social engineering attacks.
These are constant threats to anyone who has access to the organisation’s systems, handles sensitive data or uses work email address. If everyone was aware of the importance and relevance of security awareness training, they’d probably take it more seriously.
But how can you do that, besides sending your employees off to a training course? Here are five options.
1. E-learning courses
You can’t avoid training altogether, because it’s simply the best way of providing a lot of information to multiple people in a limited amount of time, but e-learning makes the process as convenient as possible.
All your organisation needs to do is purchase an e-learning package and share the access code with staff, who can then take the course at a time that suits them.
You don’t need to coordinate a session across departments or suffer an organisation-wide drop in productivity, because staff will naturally take the course at different times, and they can even pause and resume the training if something urgent comes up.
2. Campaign posters
Posters bring staff awareness into the day-to-day work environment. Unlike other methods of staff awareness, posters aren’t something you stop work to do; you can see them from your desk or as you enter or leave the office.
Of course, posters alone will have a limited impact, but they are great supplements to training courses or books, which provide more in-depth information.
3. Email signatures
As with posters, email signatures are a great way of providing information security reminders to employees as they work.
A banner or catchy message will be seen whenever an employee receives an email, and although we doubt anyone would stop to read the signature every time, it plants a seed and subtly introduces a culture of security.
4. Pocket guides
Nothing can replace the depth of knowledge that you can get from a book. Not everyone will have time to read a 300-page tome covering the ins and outs of information security (and most of the information will only be relevant to a few employees), but pocket guides provide a lot of the same information in a much more accessible format.
They make for great introductions and reference points, as employees can keep the guides handy, make notes and refer back to them if there’s something they’re unsure of.
5. Simulated phishing attacks
Phishing is arguably the single biggest external threat that employees should be concerned about. Microsoft’s Security Intelligence Report Volume 24 found that the number of attacks rose by 250% in 2018, with employees increasingly unable to spot malicious emails that claim to be from legitimate senders.
You can assess how serious the problem is in your organisation by conducting a simulated phishing attack. This is a company-wide email that mimics a phishing email in every way (minus the malicious payload). You’ll be able to track how employees responded to that message and plan your remedial actions accordingly.
Repeating simulated attacks and logging the results is a great, practical way of testing whether your awareness training measures work.
Get your staff awareness project started
If you’re interested in implementing these measures and more, take a look at our Security Awareness Programme service.
One of our consultants will review your organisation’s requirements, recommend solutions and provide you with all the tools you need to get started.
The approach enables you to tailor your awareness programme to your needs, and because you are building the system from the bottom up, you can be sure that everything has a specific purpose.