Which is better: Proactive User Training or Reactive User Training? With Security Awareness the answer is BOTH.
Many clients come to us in crisis: “Help! Too many of our employees are falling for phishing scams!” or “Help! We got breaches last year!” or “Help! We didn’t pass compliance and need to train our users!” They reach out to us, panic in their voices and desperation in their eyes because they see dollar signs and lost trust from their own customers. To them they’re in a sinking lifeboat full of holes and need us to fill those holes with plugs as fast as they can.
We also have a lot of clients come to us because their peers have been breached. They are on a tight schedule, sometimes trying to get in under a deadline to impress an exec or beat a compliance deadline, but they haven’t been hit yet and want to keep it that way.
Both ways—reactive and proactive—result in awareness programs. But which way is better?
Ideally, we should try to prevent situations from arising by teaching users how to create strong passwords, how to recognize social engineering scams, how to prevent personal identity theft and why data classification is so important. But if something cyber-bad does happen, we should also react with training, not as a punishment but rather to reinforce lessons we’re already teaching, and to correct unsecure and careless behavior.
Here are a few tips and tricks we’ve learned in providing awareness for 20 years:
Use minor mistakes as learning opportunities.If someone forgets their badge, can’t remember their password, or neglects to lock their desktop screen before getting up, these are not huge infractions but can be a good opportunity for you to remind them of policy.
Require training for the whole group, not just the offenders.If something bad happened and everyone knows about it (an insider gone bad, a data breach, an outside attack, etc.), let the employees know that’s the reason for the training. One bad apple does spoil it for the whole bunch. No one wants to be the bad apple.
Phish your employees.You should also require additional training for anyone who fails. This is an immediate reactionary, defensive form of training since the person who falls for the phishing email will receive an immediate learning opportunity and see what they did wrong.
Make it personal.People care way more about themselves than they ever will about the company they work for. Give them some useful information about securing their own lives & protecting their own privacy. At the end, just be sure to say, “Hey, by the way, all this stuff we’re teaching you? Do it here at work, too.”
New Hire Training is a must.“Start ‘em while they’re young,” is something we’ve all heard about teaching kids about whatever particular subject matter is at hand. Don’t wait until employees have been there six months. Catch them while they’re new. Hit them with awareness training from the get-go to ingrain it into their work behavior.