How to Build a Security Education, Training, and Awareness Program

January 22, 2019 Eric Dosal Eric Dosal

Protecting your business’ most sensitive data takes more than just having the right cybersecurity tools—it takes having well-educated, cyber-aware employees at all levels of the organization. In fact, according to data cited by CNBC, “47 percent of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization.” This statistic simply highlights how important it is to train employees in network security to prevent the kinds of basic mistakes that lead to data breaches.

This is where a Security Education, Training, and Awareness (SETA) program comes into play. SETA programs help businesses to educate and inform their employees about basic network security issues and expectations—helping to prevent commonplace cybersecurity mistakes that lead to damaging data breaches.

However, how can a business build a security education training and awareness program that will make an impact with employees? After all, simply sitting everyone in the company down for a one-time lecture might boost cybersecurity awareness for a little while, but people will quickly fall back onto old habits after the training is done.

Here are a few suggestions for building a network security education program for your own business:

Step 1: Define Your Network Security Education Goals

Before you begin contacting cybersecurity experts and lining up presenters to give seminars at your company’s offices, start by defining the exact goals you want your security education program to meet. Be sure to make these goals are specific, measurable, achievable, realistic, and timely—as in the SMART goal framework.

For example, saying that you want to “raise cybersecurity awareness” in the organization is a decent start, but not a great goal for making long-term progress. Instead, something more specific, such as “eliminating the use of weak passwords by 50% within six months” or “reducing phishing attempt success by 50% or more” creates objectives that can actually be measured.

Step 2: Assess Your Audience

Not all employees have the same level of knowledge when it comes to cybersecurity. When creating your security education, training, and awareness program, it’s important to assess the overall knowledge level of your employees before shoving them into a “one-size-fits-all” network security lesson.

After all, information that is new, valuable, and interesting to one employee may be boring and remedial to another employee. Likewise, concepts and jargon (like the “phishing” term used earlier) may be familiar to some but confusing to others.

So, when starting a SETA program, try to start with an assessment of your organization’s overall cybersecurity knowledge. This could mean sending out surveys asking people how comfortable they are with cybersecurity topics, or even actively testing employees by sending fake phishing emails or handing out quizzes if need be.

This helps you establish a baseline for your company’s security education and awareness needs—including specific areas of concern that may need to be addressed company-wide. At the very least, this assessment can help get people in the company thinking about network security and the part they play in a cybersecurity strategy.

Step 3: Develop SETA Program Topics Based on Critical Issues

After identifying the biggest cybersecurity knowledge gaps in your organization, you can start to create lesson topics designed to address those gaps. For example, if a lot of people are falling for fake phishing emails, you could start to prepare SETA program topics about phishing attacks to keep real attacks from succeeding in the future.

Many organizations choose to use employee learning platforms to develop their training resources instead of creating these resources internally. This can be helpful because the platform provider may have more in-depth knowledge about how to create engaging and informative cybersecurity learning content. Also, it helps free up the time for people in the organization to focus on their jobs—driving results for the company.

Step 4: Consider How You’ll Distribute Security Education to Current and Future Employees

How you choose to distribute cybersecurity training to your employees may depend on the size of your company. If your business is operating out of a single set of offices, simply putting an “all hands on deck” meeting on the books and knocking out some security education there might be enough. Larger organizations might need to establish a more comprehensive security education training and awareness program that utilizes online training modules to efficiently distribute learning content to people throughout the organization.

One advantage of some digital employee learning platforms is that they allow you to segment your employees by role. This allows each employee to receive the most valuable training for their specific role and needs rather than putting everyone through the same “cookie-cutter” courses. This helps keep lessons more interesting so employees benefit more from them.

The best SETA programs are never treated as “one-and-done” network security seminars. Instead, they help ensure that every employee is fully aware of cybersecurity issues and how to handle them. As such, it’s important to consider how you’ll deliver your company’s SETA program resources to all of your existing employees as well as any employees who join the organization in the future.

Setting aside training time during the new hire onboarding process can be a good method for ensuring all new employees enter the company with a set baseline of cybersecurity knowledge. Additionally, holding some “refresher” SETA training at least once a year can help ensure that your employees’ cybersecurity knowledge remains up to date with new threats (and keep cybersecurity top of mind for your employees).

Need help developing your own internal security education, training, and awareness program? Reach out to the team at Compuquip Cybersecurity for advice today!

back-to-cybersecurity-basics