Baseline Vulnerability Measurements
The premise of this recommendation is simple: How can you know how far you’ve come if you don’t know where you started? Baseline assessment scores — related to phishing susceptibility and cybersecurity knowledge levels — allow you to mark your starting point and gauge progress. But it’s also a good idea to take note of other metrics — like rates of malware infections and successful phishing attacks from the wild — before you begin employee awareness training. You should see a reduction in employee-driven cybersecurity incidents over time, which is a good idicator of program success.
Regular, Ongoing Assessments and Training
To change mindsets and reduce the mistakes and risk associated with end-user behaviors, cybersecurity must become a regular pursuit. Occasional phishing tests and once- or twice-a-year training simply will not be enough to raise awareness and help your employees learn how to apply best practices. To develop new skills, end users must be given the benefit of regular cybersecurity education and the opportunity to learn over time.
Creating a Clear Link Between Assessments and Training
As is reflected in our Continuous Training Methodology, we make a clear distinction between assessments (like simulated phishing attacks and question-based evaluations) and training. These two types of activities work most successfully when used in conjunction with one another. A phishing test, for example, is an excellent way to motivate employees to complete follow-up training. However, it’s critical that these initiatives are clearly linked, with a small window of time between assessments and training. After all, if you send a phishing test in January and then send an anti-phishing training assignment in October, the logical connection between those two activities is lost.
We’ve regularly spoken about the need to reinforce key messages with end users. When you revisit topics on a regular basis and incorporate ongoing awareness activities, you help to keep cybersecurity best practices top-of-mind for employees. Without reinforcement, you are put in the position to regularly rebuild — rather than build upon — a cybersecurity foundation.
Consistent Tracking and Reporting
As is reflected in the Data-Information-Knowledge-Wisdom hierarchy, data is helpful, but wisdom should be your ultimate goal. As such, it’s important to choose security awareness and training tools that do more than churn out data for data’s sake. Seek instead tracking and reporting capabilities that give you access to value-add data that ultimately translates to actionable business intelligence.
We’ve seen a number of organizations generate great engagement and results by applying gamification techniques to their programs. We strongly believe in using rewards and positive reinforcement to raise end-user interest and participation; in fact, our reporting features, including our Training Leaderboard report, are designed to help organizations track successes at the individual and department levels and more easily apply gamification to their programs. We do recommend exploring this option if it's supported within your corporate culture because it can elevate the effectiveness of your program.