Five Strategies To Get Employee Buy-In For Security Awareness Training

Forbes Human Resources Council
Post written by Sharyl Givens

Employee training is a mainstay for most organizations, and the need for online cybersecurity awareness training can’t be overstated. Last year the FBI reported that a staggering $12.5 billion had been lost to email fraud (also known as business email compromise), underscoring the risk that exists each time an employee opens their inbox. A single weaponized email, whether it carries a malicious attachment, a credential-harvesting link or simply a convincing request to change a supplier’s bank details, can lead to a substantial data breach or financial loss.

But how can HR teams secure employee buy-in for cybersecurity best practices, while avoiding training burnout? The answer is empowerment. Your employees need to understand they are a cybercrime target and be empowered to recognize and avoid attacks.

As a human resources lead, you are in a unique and important position to communicate the necessity for security awareness and to significantly reduce risk through effective training. It’s natural not to want to overwhelm employees with yet another type of training, but the benefits of cybersecurity education are proven and extend beyond your company’s doors. According to our company's recent survey of IT security practitioners, nearly 60% saw an increase in employee phishing detection following security awareness training.

Below are five strategies for securing employee buy-in for cybersecurity awareness training.

1. Partner with your security team.

Cross-functional conversations are extremely beneficial. And your security team has a vested interest in ensuring all employees understand how to combat cybercriminal activities and how to practice good cybersecurity hygiene.

Partner with this department to develop a training program that is tailored to your organization, with the HR team leading the way when it comes to employee communication. Infosec teams live and breathe security concerns, and they sometimes assume that people naturally understand how to protect themselves. Your security team may be using jargon in employee communications that is second nature to them but easily misunderstood by everyone else. To help, be sure all communication is sent from the same group or contact that sends other training notifications. This matters for a practical reason as well: an unexpected message from an unfamiliar sender asking employees to click a link and log in looks exactly like the phishing you are training them to report, so a consistent, recognizable sender keeps the invitation from being ignored or flagged as suspicious.

It’s also important that the cybersecurity awareness training program fits into a larger HR and legal calendar of corporate initiatives and training. Communicating with the security team ensures that a cybersecurity education program isn’t blindly launched the same time as other high-priority initiatives (such as bonuses, hiring incentives, etc.). Match up calendars so you aren’t competing.

2. Make it clear that everyone is a potential target.

Your employees might think they aren’t important enough to be a target or that they don’t have anything cybercriminals would want. That couldn’t be further from the truth. Attackers covet access to inboxes and other employee systems, because any compromised mailbox can be used to send convincing internal messages, read payment and supplier correspondence, or reset passwords on other accounts. They aren’t only coming after your CEO or managers. Anyone could be a target at any time.

With that in mind, I recommend incorporating security training into your well-being and benefits program. Cybersecurity skills are life skills. Employees can take them home and teach them to an older parent, a spouse and their children. They can also take the skills they learn wherever they go to protect their personal data.

Incorporating security training into your well-being program also sends the message that it’s a priority. Even if cybersecurity isn’t listed in their job descriptions, cybersecurity skills must be applied daily. Also, enable your new employees to hit the ground running by making cybersecurity awareness training part of the onboarding process. From the beginning, establish cyber hygiene as a top-tier concern.

3. Break through training fatigue.

In highly regulated industries, training is constant and mandatory, and employees can come to see it as a burden. But effective security awareness training is more than simply checking a box.

The more relevant your training, the more likely your employees will get and stay engaged. Be sure your online security awareness training feels cohesive and the tone, branding, and quality align with your company. Be sure the scenarios reflect situations your employees would encounter.

If you are a multi-national company, it’s also imperative that your training be localized and not just translated. Localizing monetary references, websites and legislation will make the trainings more immersive. Deliver content that is relevant to your employees’ roles and specific locations.

4. Acknowledge employees as stakeholders.

Effective security awareness training isn’t just about getting your executives to sign off on a cybersecurity awareness training budget. Value your employees’ role in the success of the program and be sure you aren’t asking too much. If you are overwhelming them, they won’t buy in.

Communicate the need for the training program, explain what’s expected of them and speak to them as stakeholders rather than just “doers.” Ultimately you are asking people to learn new skills they aren’t necessarily familiar with. The more traditional online security training approach is one hour of education, once a year; however, it isn’t realistic to expect employees to learn new skills in such a limited amount of time. Repetition is essential to skill development.

When designing the program, roll out bite-size trainings of about 10 minutes each. An hour-long cybersecurity training can be overwhelming. Instead of one session that covers six topics, spread it out over six mini sessions.

Boil it down so employees only focus on one specific cybersecurity topic, such as building strong passwords or identifying a phishing email. Delivering training at regular intervals will keep learnings top of mind — and make it clear that cybersecurity is an ongoing focus.

5. Take a top-down and a side-to-side approach.

Key decision makers must be behind your cybersecurity awareness initiatives for them to succeed. In addition, find other advocates in your company and engage them in the process. A variety of voices will encourage creative ideas for employee participation.

Security training isn’t just about protecting email inboxes; it’s about empowering your employees to safeguard company information and their own data, stop fraudulent payments and avoid mistakes that could impact their reputation and job status. Effective security awareness training is vital in today’s digital age where we are all cybercriminal targets. Luckily, by partnering with the right teams and creating an engaging program, we can empower employees to take an active role in significantly reducing risk.
