Every business can benefit from security awareness training. But not all employees are going to be excited about learning security awareness best practices, even if they’re aware of the benefits they’ll get from their training. Fortunately, there are ways to make training more palatable to employees, allowing them to boost their enthusiasm for the classes they need to take to keep your company secure.

Setting up the training

The first step is having the right training program in place. Before getting your employees involved, you need to make sure your program covers topics relevant to your organization. If you’re using a ‘check the box’ method of deploying training, you’re setting yourself up for an uphill battle. A good security program starts with a solid plan and covers the topics and security policy considerations learners need to know, including compliance considerations such as PCI or GDPR. It’s important to emphasize the need-to-know part of the learnings. Training your users only on the most important, practical lessons you want them to learn helps them see the trainings as relevant and valuable. Learners can view additional non-critical, nice-to-know information as irrelevant or, even worse, a waste of valuable time, which makes it harder to gain the support you’ll need for an ongoing, successful program.

Your training should prioritize the most common threats against the organization such as phishing and social engineering. Your employees need to relate to the material, and you can help increase engagement by taking a practical approach to your training content by showing them commonly encountered threats.

Take a “Strongest Link” approach to work with the organization’s employees. Seek to empower and inform them to be a last line of defense against cyberthreats.

If you’re outsourcing your program, you’ll want to be comprehensive in selecting any security awareness vendors to provide the most effective content, training platforms, and reporting ability. A good provider can assist you with your deployments or provide automation options that can drastically reduce your administrative time. Detailed reporting is also important and can give you reliable numbers to report progress and ROI in the program, such as users falling for phishing simulations. But, as noted before, learners want to know what’s going on. Show them their progress through email blasts, corporate broadcasts, town halls, or other forms of communication.

Incentivize employees with rewards and reminders

Now that your program and plan are in place, you may run into difficulty gaining company-wide buy-in and excitement. One way to start motivating your learners is through rewards and recognition.

Rewards and recognition are good drivers to motivate your employees to buy in to the training. Rewards, such as gift cards or even just an organization’s marketing swag, can encourage learners to pay attention to and participate in the training program.

But not all rewards have to have a financial component. Simply giving learners recognition for completing the training early, modeling good cyber hygiene, or not falling for phishing simulations can make a big difference in motivating your employees.

Another component of gaining buy-in from employees is to provide reminders about cyber hygiene. Equipping your team with “environmental reinforcement” opportunities, such as posters in the break room, videos on hallway TVs, screensavers, and best practice signs at strategic locations (e.g., “No tailgating” at entrances), helps to reinforce the lessons learned in training and keep security top of mind. An important part of environmental reinforcement is to change these regularly, as people become acclimated to seeing them and stop paying attention.

To go further, go together

Culture change takes time, and it isn’t easy. To create a culture that puts security first, you’ll need help. A good start to getting others involved is to reach out to other departments for buy-in and assistance, for example, Human Resources or Marketing. Approach resistance from departments and individuals by framing the effort as “what’s in it for them.” For example, show them how improving cybersecurity helps them prosper, as well as the organization. Conversely, what are the negative effects of a breach to people, efforts, and productivity? Relaying how cybersecurity best practices support critical business goals will go a long way to gaining buy-in and cooperation.

Give your program presence. Work with marketing to establish a brand so that learners will think of your efforts as having substance. Set up an internal website where you can direct users for additional information. That way, you’re not always pushing info to them but pulling them to your content as well. This is also a good place to showcase events and training schedules for your program, as well as provide information and resources for your security champions and local leaders to bolster their efforts.

Tie your messaging to themes and events, such as Cybersecurity Awareness Month. Every October, the National Cyber Security Alliance promotes cybersecurity with weekly themes. Cybersecurity organizations, including security awareness training vendors, will provide free material for you to use for your own program’s efforts that month. Take advantage of these opportunities and provide these materials to other departments and leaders so they can readily use them to provide their support. Leverage internal social networking platforms, such as Facebook, Microsoft Teams, and Slack. Social platforms can help learners collaborate and communicate on security awareness by posting links and comments, sharing tips and stories, and, in general, promoting a sense of community that helps support the program and bond employees in a shared goal.

Recognize advocates who role model best practices

Employees can be motivated if they see other employees acting in a certain way. Typically, the more people behaving a certain way, the better the odds of getting others to join in.

Creating a program like a “Security Champions Program” can go a long way to spreading the effectiveness of your security awareness efforts. By involving personnel in various locations and departments in pushing cybersecurity best practices at a local level, you can not only spread the reach of your program but also reinforce the messaging with the champions’ peers. It can also be an opportunity for those involved to increase their professional development and knowledge.

To make use of this type of program, it’s best to have the team meet regularly to share information, coordinate efforts both locally and with the larger program, and discuss progress on goals. You’ll want to make sure to support your champions with information and resources, as well as provide “perks” to encourage their continued involvement. The security champions should be lauded regularly, as they are going above and beyond to support a critical mission within the organization. A Security Champions program is a low-cost way to effectively boost security awareness in your organization.
