Corporate Compliance Insights

7 Considerations When Launching a Security Awareness Training Program

Bolstering Data Security by Addressing the “People Component”

by Perry Carpenter
December 16, 2020
in Cybersecurity, Featured

KnowBe4’s Chief Evangelist and Security Officer, Perry Carpenter, discusses how to protect your organization’s data from an often-overlooked risk.

Sponsored

Organizations set up all sorts of technology-driven safeguards to help them protect their own and their customers’ data. These investments are often well worth it, but they’re not enough. Technology safeguards don’t address one critical risk that every organization, regardless of size or industry, has: its people.

Let’s take a look at seven considerations for launching a security awareness program that accounts for the important “people component” of security awareness.

1. A Process, Not an Event

Most companies take time at least once a year to provide employees with training about how they can help protect the organization’s data. They pack people into a room and talk about security for a couple of hours and then check a box to indicate to the compliance office that they did it. And then they move on to the next thing.

Unfortunately, that’s not enough.

An annual in-service, a required webinar or even a great Cybersecurity Awareness Month series of events is not a security awareness training program. So, what is? A strategically considered combination of actions and activities based not just on information and policies, but on behavior.

2. A Focus on Changing Behavior

Security awareness is not information only. It’s information and behavior.

There will always be an information component to any security awareness program. If you’re a regulated organization, or you’ve got policies you need to expose people to, or if you need to expose people to the fundamentals of a scam or some critical nugget of information, there will be information that needs to be delivered.

But that’s really just a starting point.

An effective security awareness program will focus on changing behaviors. Testing is one way of doing this. For instance, a phishing simulation prompts the user to either click a link, report the phish, or do nothing and ignore the phish bait.

Here’s the thing: People need to be put in situations where they will have to make a decision that will determine if the organization gets breached or not. They need to be able to fail safely.

Simulations such as these are proven to help change behavior over time. Frequent simulated phishing tests help build reflexes and muscle memory that drive behavior in automatic ways until those behaviors become habits.

At least every 30 days, you need to put employees in a simulated social engineering test, such as a phishing test, to bring mindfulness to security protection actions.

3. Use Quality Communication Materials

What do the security awareness communication materials in your organization look like? If you’re like many organizations, they’re old documents that have been copied and recopied until the text is blurry and even members of the IT department don’t want to read them.

Security leaders will do themselves and their organizations a favor by committing to produce quality communication materials. Anything you put out in front of employees has to be as good as – or better than – what the organization typically produces. Otherwise, security will be seen as “less than,” an afterthought.

Take the importance of quality communication materials to heart. If you cut corners, if you strive for “good enough,” if you just quickly get stuff out there to say you did it, you create a bad reputation for security awareness and – by extension – your team.

4. Different Strokes for Different Folks

The problem is that different people process information differently. For instance, each of us browses through Netflix and gravitates toward certain types of content that match our entertainment preferences. And as employees, we approach the information around us in the same way.

Different types of content, different styles, different lengths of time and a whole host of other considerations each resonate with employees differently. There is no one-size-fits-all piece of content. Relevant engagement is ongoing and individualized.

This can be accomplished through self-service learning options where employees can access the information and education they need, when they need it. Options can range from “Ask Me Anything” resources, entertaining webisodes and short webinars to policy collections and any number of other resources that are always available, easy to access and easy to consume.

Because there is no one-size-fits-all piece of content or approach, you also need to consider the learner’s role. Your customer service staff need different information than your IT staff in terms of security awareness. Training should be based on role and individual needs, not whatever training material is most conveniently at hand. People may have entirely different learning styles; some people respond better to three- or five-minute funny videos, others — executive-level staff, for instance — may find comic material condescending.

5. Focus on Moments of Need

Information should be delivered as close to the time of need as possible. The first need for security awareness happens when a new employee joins the organization. There are a wide range of other moments of need, depending on the employee’s role and function and the people they interact with. Other moments of need may include setting up a new password, sending a secure file transfer, learning the appropriate use of certain systems, etc.

What opportunities does your organization have to deliver just-in-time learning based on moments of need?

6. Multichannel Marketing Campaigns

How do companies communicate with their audience? Through multichannel marketing campaigns that use specific messaging for specific audience segments delivered through a wide range of channels to ensure awareness and repetition and, ultimately, to generate some type of action.

Your security awareness efforts should follow the same strategy.

You should have different types of content, being delivered at different times, targeting different audiences and communicated through various channels.

At the end of the day, you’re trying to change hearts and minds. That takes time and repetition.

7. Metrics, Reporting and Pulse Checks

To be effective at anything, we need metrics. Security awareness is no exception. We need to know where we are, how we’re doing and whether we’re closing security gaps.

There is also a need for surveys and assessments to know how well your content and training are resonating with people.

Think of these assessments as providing periodic pulse checks to help you understand some subtle nuances of what kind of culture you have within your organization.

Pulse checks help determine where the organization is at a given point in time. This information is subtly different from metrics because it gets into things that are harder to quantify, like opinion, frame of mind or preferences.
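As an added example (not part of this article or of KnowBe4's platform), the Python below computes the metrics sections 2 and 7 call for from constructed phishing-simulation results: click and report rates per campaign and per role, whether those rates are moving the right way, and whether the campaigns kept the 30-day cadence. The record layout, role names and dates are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real results): one record per employee per
# simulated phishing campaign as (send date, role, outcome), where outcome is
# one of the three responses the article names: clicked, reported, ignored.
RESULTS = [
    ("2020-08-03", "cust_service", "clicked"),
    ("2020-08-03", "cust_service", "ignored"),
    ("2020-08-03", "it", "reported"),
    ("2020-08-03", "it", "clicked"),
    ("2020-09-01", "cust_service", "ignored"),
    ("2020-09-01", "cust_service", "reported"),
    ("2020-09-01", "it", "reported"),
    ("2020-09-01", "it", "reported"),
    ("2020-11-02", "cust_service", "reported"),
    ("2020-11-02", "cust_service", "clicked"),
    ("2020-11-02", "it", "reported"),
    ("2020-11-02", "it", "reported"),
]

def rates(records):
    """Click and report rate for a group of records; None if the group is empty."""
    n = len(records)
    if n == 0:
        return None
    clicked = sum(1 for r in records if r[2] == "clicked")
    reported = sum(1 for r in records if r[2] == "reported")
    return {"n": n, "click_rate": clicked / n, "report_rate": reported / n}

def by_campaign(results, role=None):
    """Per-campaign rates in date order, optionally restricted to one role."""
    groups = defaultdict(list)
    for rec in results:
        if role is None or rec[1] == role:
            groups[rec[0]].append(rec)
    return {c: rates(groups[c]) for c in sorted(groups)}

def improving(metrics):
    """True when clicks fell and reports rose between the first and last campaign."""
    first, last = list(metrics.values())[0], list(metrics.values())[-1]
    return (last["click_rate"] < first["click_rate"]
            and last["report_rate"] > first["report_rate"])

def cadence_gaps(results, max_days=30):
    """Consecutive campaigns spaced more than max_days apart (article: at least every 30 days)."""
    days = sorted({date.fromisoformat(r[0]) for r in results})
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(days, days[1:]) if (b - a).days > max_days]
```

Splitting the same numbers by role is what shows that the IT group improved while customer service did not, which is the role-based view section 4 argues for.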

What Makes KnowBe4 Unique for Security Awareness Training

Established in 2010, KnowBe4 is the world’s most popular security awareness training and simulated phishing platform, servicing more than 35,000 organizations and some 25 million users. We use AI and machine learning to help systems get smarter by better understanding the nuances of how different people learn. Pluggable integration with traditional security tools is offered to provide behavioral insights. Customer-generated, real-world phishing examples are folded into our simulation platform. Communications are adapted based on the ways individual employees behave, the types of risks they can expose the organization to and the inherent risks that relate to their role in the organization.

About KnowBe4

KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 33,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4’s Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as the last line of defense.

Perry Carpenter

Perry Carpenter is author of “Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors” (Wiley, 2019). He is Chief Evangelist and Strategy Officer for KnowBe4. He holds an M.S. in Information Assurance (MSIA) from Norwich University and is a Certified Chief Information Security Officer (C|CISO).
