How to build a successful security awareness programme

The need for a security awareness programme is greater than ever. With more and more people working from home, and with the recent announcement that England is going into a second national lockdown, making sure staff are aware of threats and know how to work safely matters more than it ever has.

When speaking to customers, we heard that staff felt safer working in an office where they could see and easily talk to colleagues: if they received an email or link they did not recognise, they would simply shout across the office and ask. Working from home, that safety net is gone, and it is a different ball game.

Helping staff become aware of threats is an ongoing process. You should not expect to push content at people once, have them digest all of it and send them on their way; a successful security awareness programme is run over a period of time and continuously reassesses people's understanding of the threats they face.

The first step towards building a reliable and successful security awareness programme is to recognise that not everyone will be at the same level, so you should tailor the programme to the needs of the people in it. Do not build the programme with a hard cut-off date, such as six months from now; instead, keep the process running and increase and change the content that is provided as people progress.

As the programme starts, make sure you measure its success. Do you get reports or notifications on who has clicked on a phishing link sent by the programme? Do you take metrics on how many activities have been sent, who has opened them, who has deleted them and who has simply ignored them? Metrics and reporting of this kind help you understand where to concentrate your programme and which staff members may need that extra bit of coaching.

Remember that although metrics and reporting play a key part in your awareness programme, they are not the be-all and end-all. Staff are there to help you achieve results, and coming down hard on them when they fail to hit a metric will only result in backlash and negativity. If you identify people who are struggling, help them, even if this means one-to-one training to understand the problems they have with identifying threats.

Leadership and heads of department should be included in your awareness programme. The programme should cover everyone in the business, because no one is immune to phishing attacks, accidentally inserting an unknown USB device, or any of the numerous other actions that could impact the business.

The overall goal should be that awareness is taught in an easy way and within a no-blame culture. Your reports should then show that, from the start of the process to six months in, and again at twelve months, the number of clicks on and opens of phishing emails has dropped drastically.
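As an added example of the kind of measurement described above (this is not code from the article or from the service it describes), the Python below takes a constructed log of phishing-simulation events and computes the metrics the text mentions: per-campaign counts of sent, opened, clicked, reported, deleted and ignored, the click-rate trend over time, click rates per department, and the list of people who have clicked in more than one campaign and so may benefit from one-to-one coaching rather than a reprimand. The event format, the action vocabulary and the sample data are all assumptions made for the example.

```python
"""Metrics for a phishing-simulation awareness programme.
Added example, not code from the article or the service it describes; the
event format, action names and sample data are assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

ACTIONS = ("sent", "opened", "clicked", "reported", "deleted")  # assumed vocabulary


@dataclass(frozen=True)
class Event:
    month: str        # campaign month as "YYYY-MM" (assumed; sorts chronologically)
    user: str
    department: str
    action: str       # one of ACTIONS


def monthly_summary(events: Iterable[Event]) -> Dict[str, Dict[str, float]]:
    """Per campaign: distinct users per action, 'ignored' (sent, no action) and rates."""
    per_month = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_month[e.month][e.action].add(e.user)
    summary = {}
    for month in sorted(per_month):
        acts = per_month[month]
        sent = acts["sent"]
        acted = set().union(*(acts[a] for a in ACTIONS if a != "sent"))
        summary[month] = {
            "sent": len(sent),
            "opened": len(acts["opened"]),
            "clicked": len(acts["clicked"]),
            "reported": len(acts["reported"]),
            "deleted": len(acts["deleted"]),
            "ignored": len(sent - acted),
            "click_rate": len(acts["clicked"]) / len(sent) if sent else 0.0,
            "report_rate": len(acts["reported"]) / len(sent) if sent else 0.0,
        }
    return summary


def click_rate_trend(events: Iterable[Event]) -> List[Tuple[str, float]]:
    """(month, click rate) per campaign in chronological order."""
    summary = monthly_summary(events)
    return [(m, summary[m]["click_rate"]) for m in sorted(summary)]


def is_improving(events: Iterable[Event]) -> bool:
    """True when the latest campaign's click rate is below the first campaign's."""
    trend = click_rate_trend(events)
    return len(trend) >= 2 and trend[-1][1] < trend[0][1]


def repeat_clickers(events: Iterable[Event], min_campaigns: int = 2) -> List[str]:
    """Users who clicked in at least min_campaigns campaigns: coaching candidates, not targets."""
    campaigns = defaultdict(set)
    for e in events:
        if e.action == "clicked":
            campaigns[e.user].add(e.month)
    return sorted(u for u, months in campaigns.items() if len(months) >= min_campaigns)


def department_click_rates(events: Iterable[Event]) -> Dict[str, float]:
    """Share of (user, campaign) deliveries clicked, per department (no double counting)."""
    sent, clicked = defaultdict(set), defaultdict(set)
    for e in events:
        target = sent if e.action == "sent" else clicked if e.action == "clicked" else None
        if target is not None:
            target[e.department].add((e.user, e.month))
    return {d: len(clicked[d]) / len(sent[d]) for d in sent}


# Constructed sample data: three campaigns over six months, six recipients.
DEPARTMENTS = {"alice": "finance", "bob": "finance", "carol": "sales",
               "dave": "sales", "erin": "exec", "frank": "exec"}
OUTCOMES = {  # what each recipient did after the email was sent
    "2020-11": {"alice": "opened clicked", "bob": "opened clicked", "carol": "opened reported",
                "dave": "", "erin": "opened clicked", "frank": "deleted"},
    "2021-02": {"alice": "opened clicked", "bob": "opened reported", "carol": "opened reported",
                "dave": "deleted", "erin": "opened", "frank": "deleted"},
    "2021-05": {"alice": "opened clicked", "bob": "reported", "carol": "reported",
                "dave": "reported", "erin": "opened reported", "frank": "deleted"},
}
SAMPLE_EVENTS: List[Event] = [
    Event(month, user, DEPARTMENTS[user], action)
    for month, users in OUTCOMES.items()
    for user, acts in users.items()
    for action in ["sent"] + acts.split()
]

if __name__ == "__main__":
    for month, row in monthly_summary(SAMPLE_EVENTS).items():
        print(month, {k: round(v, 2) for k, v in row.items()})
    print("click rate improving:", is_improving(SAMPLE_EVENTS))
    print("one-to-one coaching candidates:", repeat_clickers(SAMPLE_EVENTS))
    print("click rate by department:",
          {d: round(r, 2) for d, r in department_click_rates(SAMPLE_EVENTS).items()})
```

Two design points are worth noting. Counting distinct users (or distinct user-and-campaign pairs) rather than raw events stops someone who clicks the same link twice from skewing the rate, and the "ignored" bucket is tracked separately from clicks so that silence is not mistaken for either success or failure. The repeat-clicker list is the input to the one-to-one coaching the article recommends, which is why the threshold is a parameter rather than a single bad day.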

Are you looking for a solution?

Our security awareness programme is built to help staff learn from their mistakes. We can send a phishing campaign to all your staff, to a select few, or to groups of people with different types of campaign. If an employee clicks on a training phishing link, they are taken to a quick two-minute video which explains why they clicked on it, how to identify the tell-tale areas of the phishing email, and so forth.

We can provide monthly reports so that management can see the progress of the campaign and the improvements over time. People can be added and removed as needed, and the service works with all email clients and systems.

This security awareness programme can also work alongside our Dark Web Monitoring service, which checks the dark web for any email accounts associated with your company domain name. Once set up, you will be notified of any company-related accounts being exposed on the dark web and, where available, where they were found.