By Delaney Moore   /   Apr 7th, 2020

4 Key Components of Effective Security Awareness Training for Employees

Cybersecurity is a never-ending battle, and many organizations don’t realize that their employees are the first line of defense. At LMG Security, our team has been providing cybersecurity services for more than a decade, and we have found that a lack of security awareness training for employees is frequently the cause of incidents and major breaches. It is a critical pillar of an effective, holistic security program.

Four Tips for Providing Effective Security Awareness Training for Employees

1. Focus on the Fundamentals and Be Relevant

Training content should be focused on the trending threats most relevant to users, rather than trying to cover several topics of varying complexity at once. Most individual are going to take more away from a cybersecurity awareness training that focuses on a handful of key threats (and best practices) they are most likely to encounter in their daily workflows or personal life. Fundamental topics to cover in security awareness training for employees include

  • Phishing – Phishing continues to be one of the most common attack vectors, mostly because malicious actors know how easy it is to trick employees into downloading attachments or clicking malicious links. Phishing is one of the most common causes of an incident and one of the easier to prevent with security awareness training for employees. Walk through examples of phishing emails with employees, including ones that are easy to identify as being phishing attempts and ones that are more sophisticated. Inform employees about common strategies like “spoofing” emails or domains, and what it actually means to slow down and examine the “From”, hover over links, and dissect URLs and identify domains. Better yet, provide regulary training for your employees. We offer turn-key, managed cybersecurity awareness training for employees that includes phishing simulations.
  • Strong Authentication: Authentication is often one of the first lines of defense, especially with the expanded use of cloud solutions and today’s rampant business email compromise attacks. A complex, 8 character password is considered strong to most users, and storing passwords in a Word document or plaintext list on their smart phone is typically viewed as relatively harmless. When covering the topic of authentication, emphasize the idea that Longer is Stronger (16 characters or more), use of multifactor authentication, and the importance of never using the same passwords for business and personal accounts. Inform users about available password managers and how they can be used to create and manage unique passwords across accounts. We offer a free password tips sheet you can share with your employees.
  • Acceptable Use: While many employees are instructed to read an Acceptable Use Policy during onboarding, we often find that there is little ongoing communication or reminders about what the policy states. As a result, the rules and guidelines from an Acceptable Use Policy are not well known or understood by users. Whether or not such a policy exists or has been provided during onboarding, security awareness training for employees should still cover the key rules and expectations for security regarding use of personal devices, cloud applications, removable media, file sharing, and remote access or working arrangements.
  • Social Engineering: In addition to phishing, users need to be aware of other common social engineering techniques such as individuals impersonating members of the IT group or other sources and requesting passwords or other sensitive information via phone or in person. Ensure your security awareness training for employees informs users about the simplicity of “spoofing” internal numbers, the steps for verifying and/or reporting suspicious callers and visitors, and that it is OK to be skeptical. Nice guys or gals aren’t always so nice, and many of us are too worried about being rude or sounding paranoid, but that’s exactly what malicious actors are counting on. Employees should verify the request by an alternate form of communication, such as a text, email or call to confirm the request.
  • Reporting: While this might be obvious, it is extremely important. Users should be informed and reminded of when, to whom, and how they should report suspect or known security events or incidents. Another key point to stress is the importance of not being too scared or embarrassed to report it if they have fallen victim to a phishing email or other common attack. It happens, and the situation can end up much worse if it isn’t immediately acted on. Time is of the essence.

2. Explain the WHY and the HOW (Not Just the NO)

While it’s important to emphasize points like “don’t click links”, “no weak passwords”, or “don’t send XYZ through email”, it’s equally important to communicate the why behind these rules, as well as offer secure alternatives. In other words, effective security awareness training for employees should inform users about what they can/should do and how they can do it securely. For instance, cover the alternative, more secure methods for sharing files if sending them via email is not permitted. If you have prohibited connecting to public/free wireless, then go over how they can obtain a secure network connection, such as using the company VPN.

3. Include Examples

Most of us are more likely to remember stories and images. People learn best from multiple examples and putting things into practice. Effective security awareness training for employees should include examples that not only help drive home key points and concepts, but also keep participants engaged. Include different examples of phishing emails and malicious links, news stories or other real-world examples of incidents or breaches, and/or videos or images showing how different attacks or infections playout, whether it’s malware or ransomware. We find examples are especially helpful when it comes to phishing emails, as it shows the varying degrees of sophistication and the common tricks that are used. After covering topics like phishing, we often have participants put things into practice and determine whether examples of links and emails are safe. This not only keeps people engaged, but can also spark friendly competition among attendees and allows people to ask clarifying questions about why something was safe or unsafe.

4. Create a Judgment-free Space

From our experience conducting training sessions with different types of organizations and groups of participants, we’ve found that individuals are often hesitant to speak up and ask certain questions, and instead prefer to ask their questions privately after the session has concluded. There tends to be a common misconception that questions or concerns might either be silly or obvious, or that they should know the answer like the rest of their colleagues do. We try to make sure participants understand that this cybersecurity stuff isn’t necessarily easy and straightforward, and not necessarily obvious to the majority of individuals. Most of your colleagues have the same questions and concerns that you do. Make sure you set the right tone during training sessions, and emphasize that it is a safe, judgement free space.

While there are a number of attributes and key factors that contribute to effective security awareness training for employees, consider these tips when planning and facilitating your next training session.

If you need help designing effective security awareness training for employees, contact us to design a custom training session for users, executives or IT staff. If you prefer automated, online training, check out our cybersecurity awareness training options.  








About the Author

Delaney Moore

Delaney is a Senior Security Consultant with LMG Security.  Delaney’s focus is within LMG’s Compliance and Advisory services, where she assesses organizations’ security programs using well-known  frameworks such as the NIST Cybersecurity Framework and ISO 27001, and assesses their compliance with regulatory standards such as the HIPAA Security Rule.  Delaney is experienced in both onsite and remote social engineering, cybersecurity policy and procedure development, vendor risk management, and facilitating security training exercises such as incident response tabletop exercises. She holds her bachelor’s degree from the University of Montana in Management Information Systems, and is a Certified Information Systems Auditor (CISA).