You already know that security training is important. You can have all the technical safeguards implemented, but they can’t protect against every cyberattack. So, the best course of action is to have a robust training program for you and your employees.
We recommend cybersecurity training programs that include the following:
So let’s say your training program is underway. And you have your first set of training results.
Let’s say you have 12 employees, and the results look something like this:
First, let’s talk about what NOT to do:
So, to sum up, don’t shame people, but don’t ignore the results either.
Ok, so what should you do with cybersecurity training results?
For employees who do well with the monthly cybersecurity training and phishing simulations, you need to recognize and encourage them.
By far, the most effective way is to make their performance part of the calculation of year-end bonuses and/or raises. This leaves no doubt in people's minds that it's an important priority, both personally and at the company level.
Let them know verbally or via email that they did well with the training and thank them for their efforts. A smallish $20 gift card would be a delightful addition as well! Remember that positive reinforcement is powerful.
Now for the hard part - addressing the employees who performed poorly.
Looking at the results above, if someone scores well in the monthly training but performed poorly in the phishing simulation, it might be best to have a quick conversation.
“That last phishing simulation was tough, wasn’t it? What did you think?”
And see what they say. Here’s where it might be helpful to point out any red flags that you noticed in the phishing simulation.
And finally, what about employees who perform poorly in monthly training and phishing simulations?
There are a few ways you could address your poorest performers:
Make sure that people who perform poorly know that someone very senior in the company is seeing it.
The CEO calling a person to say "hey, what's up with your training results?" is going to be most effective. As you work your way down the seniority line (CXO → Director → Manager), it gets less effective. Having general functions like HR, compliance, or legal do it is better than nothing, but it certainly doesn't reinforce the message that "this is critical to the company."
Some companies bring together people who do poorly for additional cybersecurity training. Rather than being generic training like most monthly videos are, this is more targeted to the people and their job functions. It can be offered as a stick ("you did so poorly you need more training") or a gentler approach ("we're having a group meeting to figure out why some people are struggling with this").
An important consideration is the job function of the people who are doing poorly. A financial advisor on an iPad is less worrying than the CFO on a Windows computer. Larger companies would actually consider changing someone's job duties or access to systems if they keep getting things wrong, but that approach won’t work for every company.
Cybersecurity training is important. But how you address the training results can impact how your employees perform in the future. If employees fear getting in trouble, they may get flustered and react poorly by clicking on an actual phishing email link!
Recognize your top performers and encourage your poor performers. Work with them to improve by starting a conversation and providing additional training if needed. Your employees are your last line of defense when it comes to phishing emails and other cyberattacks.
If you need help with employee security training, we can help! We work with firms in highly-regulated industries like financial services, healthcare and government contracting. Contact us for more information.