I love that KnowBe4’s customers are among the most knowledgeable and educated people in the world at avoiding phishing scams. KnowBe4’s products help its customers educate their workers and test which scams a worker will easily recognize and which ones they need more education on. KnowBe4’s product helps administrators figure out exactly who needs more education and on what topics. We know that customers who more consistently and frequently educate and test their co-workers reduce cybersecurity risk more than those who do not.
Here is a quick snapshot of how to create an efficient security awareness training (SAT) program that reduces cybersecurity risk.
Fight the Most Common Attacks
The best way to efficiently implement SAT is to educate and test on the most popular phishing scams, the ones most likely to be used against your organization. You cannot train everyone about every obscure scam. There is not enough time in the day without significantly impacting operations. You have to pick the topics that will reduce the most cybersecurity risk. This means keeping up with the most common types of phishing scams, methods and topics.
We can help with that. At KnowBe4, we frequently publish information on the most popular real-world phishing scams and topics that people are clicking on. You can download our latest phishing by industry benchmarking report, and check out our quarterly top-clicked phishing subjects on the blog. These reports will help you define the topics you need to educate and test on.
Create a Training and Testing Cadence
Then create a regular cadence of different educational topics and training, using a variety of different methods. Below is a general example of how a security awareness training program could work.
You want to make sure you have a regular cadence of education and testing. What that cadence is, is up to you. However, we do know that education and training less than once a year has almost no impact on reducing cybersecurity risk. It is almost like you did not do it. Wasted time. Starting with a cadence of at least once a month (i.e., some small amount of training and at least one simulated phishing test) starts to significantly reduce the odds that your co-workers will actively respond to a real phishing attack message. So, establish your cadence first. How often are you going to train and test?
A common cadence is that all newly hired employees are given longer SAT educational sessions, say 15 – 45 minutes long. And each year, all employees are given at least one longer SAT session. Then each month, all employees are given shorter training sessions (say, one to five minutes long), along with at least one simulated phishing test. People failing the simulated phishing test get more training.
Vary the Training Messages and Methods
You know what you need to train and test on. You know the cadence you want to maintain. The question is how to train and how long each training session should be. Variety is the spice of life. Everyone learns differently. Most people do not retain information from just one session. So, “train like a marketer” – frequent, redundant and entertaining.
You can train using one of our excellent Kevin Mitnick-led training sessions or use our award-winning “The Inside Man” series. You will literally have co-workers asking when the next episode or season comes out! When is the last time you had co-workers ask for more training? We have content taught by industry experts. Content taught by superhero cartoon characters. We have games you can send. You can download, re-send and print any of our excellent posters. My favorite is our Red Flags of Social Engineering PDF document. It shows 22 common signs of an email phishing attack.
Or one of my recent favorite “cheat sheets” to identify social engineering scams is:
There are literally dozens of different types of content and over 1,000 different training modules you can use to communicate and educate. In every case, our content has been created by highly trained education specialists to provide the most impactful SAT possible in the shortest amount of time. No other SAT vendor has as much content and as many different types of content as KnowBe4. No one!
Train, Test, Train
A good SAT program involves training and testing. Train people to recognize and avoid falling victim to the most popular types of phishing scams. Periodically test them using simulated phishing tests. Give more training where more training is needed. If done well, your SAT program will change the culture of the company to help everyone, collectively, be far less susceptible to phishing and social engineering scams.
Mitigating social engineering scams is THE single best computer security defense any organization can deploy to reduce cybersecurity risk. Having a great SAT program is one of the best ways to do it.
Other Related Resources: