Cybersecurity is a hot topic these days - data breaches at large companies, such as Target (a few years ago) and Yahoo Mail (twice), have become an unfortunately common occurrence. Then the infamous WannaCry ransomware attack triggered a whole new batch of policies and company trainings and opened our eyes to how frail internet security can be, particularly if we don’t take precautions.
As the IT director of your firm, you’re well aware of the need for in-depth cybersecurity training for your team and other co-workers. Preparing your company’s cybersecurity training doesn’t have to be a daunting ordeal. Sure, the responsibility of conveying the importance of cybersecurity and how it can affect the health of the firm falls largely on your shoulders - but that doesn’t mean the planning process has to cause stressful feelings on par with Jon Snow’s fate (from Game of Thrones) at the end of season five.
In order to combat any cybersecurity training woes, we put together a few steps to help guide you in your planning. Here are nine simple steps that will help you focus your planning and create an awesome (and effective) cybersecurity training session for your peers.
Identify Your Advocates
Whether these are principals or C-Level executives within the firm, you want to make sure your advocates support your plan and the cybersecurity training, and bring momentum and enthusiasm to the training process. Your supporters should demonstrate strong leadership abilities and traits that attract respect from the team. Their support will help increase the likelihood of participation and engagement throughout the organization.
Map out the structure of your continued education
It’s important that the individuals on your team keep cybersecurity top of mind after the initial training, and the best way to do this is through ongoing education. Consistency is key, so build out the structure now: decide what day of the week, month or quarter you want to communicate ongoing cybersecurity tips to your team, and get it on your calendar.
Plan for a live session
To get higher engagement and better gauge understanding of the topics you’re going to discuss, it’s important to plan a live, in-person training with your team. Send the email invitation and request any examples they may have of previous attacks or attempted attacks to use as case studies during the training. To alleviate any anxiety associated with ‘confessing’ to a previous mistake, be sure your request makes it clear that:
- Making a mistake once is ok
- Repeating the same mistake as an individual or team needs to be prevented, and the best way to do this is by sharing examples
Identify your primary and secondary training objective or outcome
Before you host your training, set some specific objectives for yourself and the team and determine how you will gauge whether these objectives were met. For example, your desired outcomes may be that employees:
- Can identify and avoid specific risks
- Understand the procedure for reporting suspicious activity or violations of existing policies
- Gain a basic understanding of what cybersecurity means specifically for your firm
Measurement of success could come from a quiz at the end of the training, a follow-up questionnaire or more informal ‘raise your hands if’ questions to wrap up the session.
Fine tune your policies and create your training agenda
Ensure your policies are defined and clear, and discuss these policies during your training. We’ve outlined a few policies to consider including in your training.
- Login and password policies
  - Give examples of secure passwords
- Home computer policies if employees connect to the company
- Policies for protecting your client’s data, including what to do if clients send insecure data
- Sensitive data policies
- Social media policies
Limit the amount of information you provide during the training to the most critical elements. Providing the essential information and key terminology at the training will keep you from overwhelming your trainees. Rather than trying to cram all of the information into one sitting, consider mapping out your consistent follow-up touches with additional examples and cybersecurity content.
Organize case studies
Once you’ve established the policies you’ll cover and completed the training agenda, begin to organize the case studies you’ll use to illustrate examples of attacks. The best way to learn is through examples, so providing screenshots or submissions from employees of mistakes made or mistakes prevented will further assist you in driving home the importance of recognizing and appropriately dealing with attacks.
Review your agenda
Refresh your memory on talking points and update as necessary depending on the case studies you received or any new cybersecurity issues or policy updates that have occurred within the company since creating the agenda.
Send an email reminder to your team
About two days before the cybersecurity training, we recommend sending an email reminder to your team including a high-level overview of the meeting agenda. In addition, consider including a quiz like this one from Pew Research for your team members to take to test their knowledge prior to meeting. They can then come prepared with their scores and any questions that came out of the quiz.
Print, print, print
This one is the simplest tip in all the land: one day prior to the training, print copies of your meeting agendas, case study examples and terminology handouts. Your trainees will appreciate having those items right in front of them and may even use them to make notes during your session.
With these nine steps to planning your cybersecurity training, we hope you’ll find that preparing for your next session is easier and more effective than before. Cybersecurity is so important and it’s our goal to make sure every firm, no matter the size, is protected.