Staff awareness training is an essential component of the GDPR (General Data Protection Regulation), but do you know how it works in practice?
Here are seven things you can do to make your awareness programme a success.
1. Consider your requirements
There isn’t a ‘one-size-fits-all’ approach for staff awareness training. Every organisation needs to tailor its programme according to several factors, the most obvious of which is size.
The fewer employees you have, the more hands-on you can be, and the more time you have to make sure everybody understands what they’re doing.
The flipside is that fewer employees generally means fewer resources, making training options more expensive per person than they are for larger organisations.
You will also need to plan your training courses more carefully, as small organisations can’t afford to have a dozen or more people out on training at the same time.
2. Set metrics for success
It’s no good implementing a staff awareness programme if you don’t know whether it’s working. That’s why you need to set measurable goals.
For example, you might say that over the course of the year you want a certain percentage drop in security incidents caused by human error, or set a target of zero successful phishing scams.
Ideally these numbers will have some correlation to your existing information security levels, but that requires you to be keeping track of these things already. Many organisations don’t do that, but you can get around that problem by setting short-term goals.
Staff awareness training takes time to work, so you can see where you are after one month, then two, then three, and set long-term goals from there.
3. Be thorough
There’s a lot more to staff training than sitting your employees down and lecturing them about information security risks.
Rather, it should be a detailed, ongoing process in which you show employees how risks can arise and explain how your policies and processes tackle them.
4. Engage your staff
As with the last point, staff training shouldn’t simply be an exercise that employees sit through, with the organisation expecting everybody to remember every point that was made. It should be an ongoing process that forms part of your organisation’s culture.
Engaging staff in a variety of ways is essential to that process, and people learn in different ways. For example, some prefer listening, whereas others prefer information to be written down or represented visually.
Organisations should use as many of these approaches as possible. E-learning courses are great for interactive study, posters provide visual guides, and email updates on policies are both useful and easily accessible.
5. Focus on behaviour, not knowledge
It’s one thing for employees to ace an exam, but it’s something else entirely to have them demonstrate their knowledge in practice.
The clearest example of this is phishing: most people can spot scam emails in exam settings, but when they’re at their office on a busy workday, they’re liable to click a malicious link or attachment without questioning its validity.
To bridge the gap between knowledge and practice, organisations should contextualise what they’re teaching and create roleplays or case studies that are as realistic as possible.
For example, you can test your staff’s ability to spot phishing emails with a simulated attack.
6. Time it correctly
Staff awareness takes time to get right. There’s little to be gained from rolling out a programme as soon as possible, because you’ll end up with flawed exercises that don’t achieve maximum results.
You’d be better off focusing on one thing at a time, deploying it when it’s ready, and refining your programme based on its success.
7. Be patient
As we’ve said before, you shouldn’t expect drastic, lasting changes overnight. That’s because you’re trying to fix your employees’ bad habits, which takes time.
The key is to trust the process, continuing to provide training and other practices even if the short-term improvements are minimal.
Staff will gradually become accustomed to the new way of thinking, and will be more adept at following your guidance.
Deliver cost-effective GDPR training to your staff
Our GDPR Staff Awareness E-learning Course enables you to deliver GDPR training to your staff in a quick, affordable and effective way.
The course aims to provide non-technical staff with a complete foundation on the principles, roles, responsibilities and processes under the GDPR, reducing your organisation’s risk of non-compliance.
A version of this blog was originally published on 7 December 2018.