Tips for Employee Information Security Training


We all make mistakes. Maybe we hold the door for a stranger to be polite, letting them into our building; ignore a warning to update our browser because we have a busy day ahead; or let a coworker log into our email to resolve a customer issue. While these actions may seem innocuous, they can lead to extremely costly security incidents and data breaches. Recent studies have found that 88% of breaches involved human error, and the average cost of a data breach is now $4.88 million, before counting the reputational harm and loss of customer trust that follow. Providing employees with security training is a simple and cost-effective way to reduce the risk of these incidents, and every company should do it. In this article, we will discuss when this training should be performed, what it should include, and some easy tips to make it engaging and worthwhile.

How often should you conduct employee security training?

Security incidents can happen as soon as an employee has access to your systems, so the first training should take place when the employee starts working in your business, before accounts are handed over. In addition, new threats appear regularly as attackers get more creative, so training should be repeated at least annually (many compliance frameworks require this as a minimum), with short refreshers whenever a new scam is circulating or your company has a near miss. 

What is the difference between employee privacy training and security training?

It is important that your company understands that privacy training does not replace security training and vice versa. Privacy governs how personal data is collected and used; security protects that data from unauthorized access, alteration or loss. For example, privacy rules will prevent you from sending text messages to people who have not subscribed to them. Security, on the other hand, is what keeps your customers' phone numbers from ending up on the dark web. 

Tips for conducting security training 

Trust me, you don’t want your employees to dread security training, nor do you want them to think of it as templated corporate videos that they have to click through as fast as possible without paying any real attention. Everyone wins when training is fun, relevant, and engaging. Keep the following tips in mind when creating your training: 

  1. Make it relevant to your company and the types of risks that you may actually experience. For example, if you're a small business, it probably doesn't make sense to discuss a security incident where the CEO is tricked into sending $10 million to an attacker. However, a scenario where a compromised vendor emails you a Dropbox link that delivers malware is much more realistic and should be discussed; 
  2. Have some fun by including security-related memes or short funny clips in your training; 
  3. Encourage your employees to ask you questions and share their experiences; 
  4. Include hypothetical scenarios, as people learn in different ways and you can ask them what they would do in certain situations. For example, you could provide the following scenario to test the knowledge of an employee who works in HR: "You just received an email that appears to be from one of our employees asking you to change their direct deposit information for payroll. What should you do next?" The answer you are looking for is to verify the request out of band, for example by calling the employee at the phone number already on file, and never by replying to the email. Note that this is an extremely common tactic used by hackers (I myself receive at least one such email per week); 
  5. Record attendance. This will easily allow you to keep track of who attended the training. 
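As an added example (not code from the original article), the following Python script encodes the red flags a trained HR employee, or a mail filter, should notice in the direct-deposit scenario from item 4: a display name that looks internal but an outside sender domain, a Reply-To that differs from the From address, failed SPF/DKIM/DMARC results, bank-detail language, and pressure to skip a phone call. The company domain (example.com) and both sample messages are constructed for illustration.

```python
"""Heuristic checks for a payroll-change (direct-deposit fraud) email.

Added example, not part of the original article. It inspects the headers
and body of an RFC 822 message and returns the red flags found. The sample
messages and the company domain below are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical company domain used by the checks below.
CORPORATE_DOMAIN = "example.com"

# Phrases that commonly appear in direct-deposit change requests.
PAYROLL_PHRASES = ("direct deposit", "bank account", "payroll", "routing number")

# Phrases that push the recipient to skip normal verification.
URGENCY_PHRASES = ("asap", "urgent", "before payroll runs", "can't take calls", "in meetings")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def payroll_change_red_flags(raw_message: str) -> list[str]:
    """Return the red flags found in a raw email message.

    An empty list means the message passed these checks, which does NOT make
    it safe: a request to change bank details must still be verified out of
    band (e.g. by calling the employee at the number already on file).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    _name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. The address is from an outside domain even if the display name looks internal.
    if from_domain and from_domain != CORPORATE_DOMAIN:
        flags.append(f"sender domain {from_domain!r} is not {CORPORATE_DOMAIN!r}")

    # 2. Reply-To differs from From: replies go to the attacker, not the employee.
    _name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append(f"Reply-To {reply_addr!r} differs from From {from_addr!r}")

    # 3. The receiving mail server recorded a failed SPF, DKIM or DMARC check.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth):
            flags.append(f"{mech} check did not pass")

    # 4. The body asks about payroll or bank details ...
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(p in text for p in PAYROLL_PHRASES):
        flags.append("message asks about payroll/bank details")
        # 5. ... and pressures the reader to act now instead of verifying by phone.
        if any(p in text for p in URGENCY_PHRASES):
            flags.append("urgency or 'cannot be reached' language")

    return flags


# Constructed sample: a display-name-spoofed direct-deposit change request.
SAMPLE_FRAUD = """\
From: Jane Doe <jane.doe@examp1e.test>
Reply-To: Jane Doe <jd.update@mailbox.invalid>
To: hr@example.com
Subject: Direct deposit update
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.test; dkim=none; dmarc=fail
Content-Type: text/plain; charset=utf-8

Hi, I switched banks and need my direct deposit changed before payroll runs.
I'm in meetings all day and can't take calls, so please reply here with the form.
"""

# Constructed sample: a legitimate internal message that should raise no flags.
SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: PTO balance
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Could you confirm how many PTO days I have left this year? Thanks!
"""

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("benign", SAMPLE_BENIGN)):
        print(label, payroll_change_red_flags(sample) or ["no red flags found"])
```

Run it as a script to see the fraudulent sample trip every check while the benign one returns nothing. The point for training is the first sentence of the docstring: even a message that raises no flags must be verified by phone before bank details are changed, because an attacker who has compromised the employee's real mailbox will pass all five checks.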

What should security training include? 

Each company faces unique security risks (e.g. if you work in an office, your security risks will be different than a company whose workforce is entirely remote) and therefore, there is no “one size fits all” approach to security training. However, generally speaking, security training should cover the following: 

  1. The purpose of the training; 
  2. When training will be conducted; 
  3. Definition of “information security” and an explanation of what it means; 
  4. Principles of information security – confidentiality, integrity, and availability; 
  5. Why we need to care about information security; 
  6. Legal requirements to preserve security; 
  7. Who is responsible for information security; 
  8. The types of information security risks – outside sources (e.g. cybercrime, malware, viruses, worms, ransomware, cryptojacking, spyware, and physical security risks); 
  9. How attackers get in: the social engineering techniques that trick people into running malicious programs or giving up credentials (e.g. baiting, pretexting, phishing, vishing and smishing), plus other attack types employees should be able to name (e.g. man-in-the-middle attacks and denial of service); 
  10. Types of information security risks – inside sources (e.g. malicious actions, negligent actions, and accidental actions);
  11. Signs of attack or compromised systems; 
  12. Discussion of actions that are unacceptable (e.g. sharing passwords or forging email signatures); 
  13. Rules that employees must follow and how to do so (e.g. if working from home, secure your router by changing the default administrator password and keeping its firmware updated); 
  14. What qualifies as an information security incident, including examples; 
  15. What to do if an information security incident is suspected; 
  16. The consequences for not following the rules or the training; and 
  17. A question and answer session. 

Once you have performed the information security training, you must ensure that your employees follow the rules of preserving security. Perhaps the most important part of ensuring that employees follow the rules is to set a good example. If you use a password manager, your employees are much more likely to do so too. If you communicate suspicious emails to your staff, they are more likely to spot those types of emails in the future. Happy training! 
