3 things every employee needs before you put them in a security awareness program
Employee's and Security Awareness Programs
What is training going to look like?
Is phishing assessments happening? Why and what should they do?
What communication can users expect?
Who / what will be reaching out
I have watched 100s of security awareness programs start without a hitch, and I have watched a few others that caused unintentional confusion and additional support. Here are the three things an MSP needs to communicate to their client's employees before launching a security awareness program.
What is the training going to look like?
Security Awareness is a unique space in cybersecurity because it is one of the only pieces of the cybersecurity program that every employee will get to see. It is paramount that you, as the cybersecurity expert, explain to the people who are participating in the program what kind of training they can expect. This will help them manage not only their expectations but also help them understand what expectations their leadership might have of them.
It is beneficial to describe the general content up front, the training format, and how often / how long their training will take. A statement as simple as “… some of the training you will take will be general security awareness such as recognizing social engineering and how to store sensitive information properly. It will be no more than 6 minutes long with a few quiz questions after and will be delivered approximately once a month”
Are phishing assessments happening? Why are you phishing, and what should you do?
At the end of the day, it can be hard to communicate, “We do this because we’re required by checks notes cyber insurance policy / popular security framework.” However, what can be communicated are the results you’re looking to create. Saying, “We will periodically send fake phishing emails that will be used to test alertness, never to punish. Mistakes will happen, and that is perfectly fine! Don’t sweat it! But we should all aim to get a little better every day. Please remember, when you mistakenly fall for a phishing assessment, it’s okay. Take the short training, and learn from the mistake! We’ll be here the entire time to help you along the way.”
BONUS: With Phin, we have created a concept for immediate training you can see here: https://youtu.be/4hTTn3-RKZA?t=215. Think of it as a personal trainer for your employees instead of at-home workout videos. Educate in 15 seconds on what they missed and help the employee build a habit they can take with them moving forward.
What can users expect, how can they access training, and how do they know it’s not a phish?
Perhaps the most significant hiccup to an otherwise smooth rollout is when enrollment emails get sent out, and everyone reports them as phishing emails. On the one hand, good on the employees, on the other hand….. a lot of support tickets. We have started educating our partners to communicate precisely what employees can expect, even going so far as to provide the exact email templates into which you can fill your information.
Here is what works best: Send an email (make sure it comes from a trusted source, ideally a stakeholder or leader of the client) that introduces the training and why it’s crucial for employees to complete it. In this email, include EXACT pictures of what the emails will look like, where they come from, and what they will direct the employees to do. Like this:
“The emails will look like this (include picture); they will come from firstname.lastname@example.org or email@example.com always, and will ask you to click a link that you can see in this image here to log in and complete training. When hovering over the links in these emails, you will always be directed to recognizabledomain.com. We will NEVER send a phishing test from any domain like this, and we will never ask you to visit any website other than recognizabledomain.com. If you ever suspect someone is attempting to phish you like this, please report it.”
Communications as simple as this, when delivered ahead of enrollment notifications and phishing assessments, have always reduced headaches and have allowed for a smooth rollout.
Any additional questions to ask? Anything specific you would like our expert opinion on? Reach out to Phin and book some time with us or send an email.