10 best practices for building an effective security awareness program
Consider the human factor to bolster your cybersecurity defenses
Cyber attackers are brazenly exploiting human vulnerabilities, and no one is immune to cyber slip-ups.
According to Cloudflare, 90% of successful cyber attacks start with email phishing. Email is the primary attack vector, they found, and staying secure against evolving phishing tactics – deceptive links, identity deception, and trusted-brand impersonation – is an increasing challenge. And according to the annual Verizon Data Breach Investigations Report, 74% of successful attacks penetrated defenses due to human error, with people involved through error, privilege misuse, use of stolen credentials, or social engineering.
Long gone are the days of traditional security awareness programs that just “check the box.” Implementing a robust security awareness program should be thought of as a necessary business function designed to reduce losses. The global average cost resulting from insider threats – including negligent employees or contractors, malicious insiders, and credential thieves posing as insiders – is $15.38 million, up from $11.45 million in 2020, according to the 2022 Ponemon Cost of Insider Threats Global Report.
Organizations have focused on user awareness for years, but escalating threats and data privacy concerns require you to reevaluate and advance these efforts at least yearly. This human element is key: you can have all the advanced technology this world has to offer, but by not educating and raising awareness in your employees, you open your organization to very real cyber threats.
Here are 10 best practices for building an effective security awareness program:
1. Understand your starting point
Begin by assessing the current knowledge and security understanding of your employees to identify gaps and areas of improvement. Also, determine the strength of your existing security awareness program and security culture.
Resources like the SANS Security Awareness Maturity Model – which was developed through the coordinated efforts of over 200 awareness officers – help you identify how mature (or immature) your program is and where you can take steps to the next level.
2. Define your objectives
Make security awareness a company-wide program that includes buy-in from the top down, and secure enough funding for both initial requirements and ongoing efforts. The best way to do this is to define your security goals and objectives, such as reducing phishing incidents or increasing incident reporting.
Incorporate security into your organization’s overall vision and mission. Let employees know what’s in it for them; they’ll be more invested if they understand awareness efforts extend beyond corporate security to protect against threats to their identity and livelihood.
3. Consider your corporate culture
Work with senior management and employees to develop a strategy that blends your security awareness program with your existing corporate culture. Key considerations include your industry, workforce demographics, and relevancy to different locations, departments, and roles.
4. Be clear with tailored messaging
Communicate the value and purpose of your awareness program early and often. Users should understand exactly what’s happening, why it’s happening and what their role is. Create content that is relevant to your organization’s industry and specific risks, focusing on real-world scenarios employees may encounter.
Annual-only efforts will keep you in a constant state of rebuilding. Maintain ongoing awareness activities aimed at integrating training into day-to-day workflows. This will keep cybersecurity best practices top of mind and better prepare employees to defend themselves and your business.
5. Operate across people, process, and technology
Security awareness training works hand in hand with technical controls. In addition to solutions that help mitigate attacks and human error – such as data classification, email security, endpoint detection and response (EDR), data loss prevention (DLP), privileged access management (PAM), and user and entity behavior analytics (UEBA) – security awareness training platforms can help educate employees and assess their security readiness with both ready-to-use and customized interactive software modules.
6. Roll out engaging content
Use a variety of formats like videos, interactive modules, quizzes, and simulations to keep employees engaged and interested, beating that “fear fatigue.” Additionally, incorporating gamification into your awareness program encourages active engagement and friendly competition. However, as security expert Ira Winkler points out, gamification isn’t putting information in the form of a game in the hopes of changing behavior. True gamification is a reward system that positively reinforces learning.
Implementing effective gamification can motivate your employees not just to participate in training, but to take it seriously so that they have a chance of winning. What you reward them with depends on your corporate culture; it could be points, physical prizes, or even cash.
7. Utilize regular training and analysis
Conduct ongoing training sessions that incorporate the strategy above, but keep them short and frequent rather than lengthy and infrequent. No one wants to stop the important work they are doing for hour-long training videos.
By taking baseline measurements related to current phishing susceptibility and cybersecurity knowledge levels, you can track your organization’s training progress. Record the number of employees falling prey to simulated phishing attacks, how many report suspicious emails, the overall volume of security-related calls received by help desk analysts, and the rate of malware infections.
8. Prioritize collaboration over punishment
Human error is inevitable, regardless of how strong your program is. So, take a “more carrot, less stick” approach that encourages employees to share information and fosters a feeling of collaboration.
Security incidents should be treated as learning opportunities rather than cause for negative consequences. If users worry they will be blamed, reprimanded, or even fired for security-related mistakes, they’ll be far less likely to report them.
9. Empower with recognition
Recognize and celebrate employees who actively participate, report phishing incidents, and demonstrate great security practices. Encouraging employees with positive actions helps contribute to better results, including increased engagement, awareness, and overall security strength.
10. Measure your efforts
Put metrics in place to assess the impact of your program and demonstrate return on investment. Remember, security awareness is an integral part of cybersecurity and creating a sturdy security posture, but it’s only one part.
How you secure your business depends on your organization’s specific needs, but security awareness has one advantage: it involves everyone, and you can watch employees’ behavior change rapidly once the program is in place. Even a modest investment in security awareness and training has a 72% chance of significantly reducing the business impact of a cyber attack, according to a report by Proofpoint.
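The baseline-and-trend measurement described under practice 7 and the metrics called for under practice 10 both come down to the same bookkeeping over simulated-phishing results. The script below is an added example, not code from the original article or from SHI: it pools per-department campaign results into click rate, report rate and a reports-per-click ratio, then compares a later round against the baseline and flags departments still above a target click rate. The campaign records are constructed sample data, the round labels and field names are assumptions, and the 10% target is an assumed policy value; replace them with exports from your own simulation tooling.

```python
"""Trend metrics for a security awareness program.

Added example, not code from the original article or from SHI. The campaign
records are constructed sample data and the target click rate is an assumed
policy value; adjust both to match your own simulation tooling's exports.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    """Result of one simulated-phishing send to one department."""
    round_name: str    # e.g. "baseline", "q3" (constructed labels)
    department: str
    recipients: int
    clicked: int       # users who followed the simulated lure
    reported: int      # users who reported the email to security


# Constructed sample data: a baseline round and a later round after training.
CAMPAIGNS = [
    Campaign("baseline", "finance", 50, 14, 5),
    Campaign("baseline", "engineering", 80, 12, 20),
    Campaign("q3", "finance", 50, 4, 15),
    Campaign("q3", "engineering", 80, 10, 36),
]

# Assumed program target: no department above a 10% click rate.
TARGET_CLICK_RATE = 0.10


def pooled_rates(campaigns):
    """Pool campaign results into click rate, report rate and their ratio.

    Rates are computed against recipients, not against clickers, so a
    department that reports a lot but still clicks a lot is not hidden.
    """
    recipients = sum(c.recipients for c in campaigns)
    clicked = sum(c.clicked for c in campaigns)
    reported = sum(c.reported for c in campaigns)
    if recipients == 0:
        raise ValueError("no recipients in campaign set")
    return {
        "recipients": recipients,
        "click_rate": clicked / recipients,
        "report_rate": reported / recipients,
        # Reports per click: above 1 means more people report than fall for it.
        "report_to_click": (reported / clicked) if clicked else float("inf"),
    }


def by_department(campaigns):
    """Pooled rates keyed by department."""
    groups = defaultdict(list)
    for c in campaigns:
        groups[c.department].append(c)
    return {dept: pooled_rates(cs) for dept, cs in groups.items()}


def round_named(campaigns, round_name):
    """Select the campaigns belonging to one measurement round."""
    return [c for c in campaigns if c.round_name == round_name]


def progress(campaigns, baseline_round, latest_round, target=TARGET_CLICK_RATE):
    """Per-department change since baseline; flags departments still above target."""
    base = by_department(round_named(campaigns, baseline_round))
    now = by_department(round_named(campaigns, latest_round))
    report = {}
    for dept, cur in now.items():
        prev = base.get(dept)
        report[dept] = {
            "click_rate": cur["click_rate"],
            "click_rate_change": cur["click_rate"] - prev["click_rate"] if prev else None,
            "report_rate_change": cur["report_rate"] - prev["report_rate"] if prev else None,
            "above_target": cur["click_rate"] > target,
        }
    return report


if __name__ == "__main__":
    for name in ("baseline", "q3"):
        r = pooled_rates(round_named(CAMPAIGNS, name))
        print(f"{name:>8}: click {r['click_rate']:.1%}  report {r['report_rate']:.1%}  "
              f"reports/click {r['report_to_click']:.2f}")
    for dept, p in progress(CAMPAIGNS, "baseline", "q3").items():
        flag = "ABOVE TARGET" if p["above_target"] else "ok"
        print(f"{dept:>12}: click {p['click_rate']:.1%} ({p['click_rate_change']:+.1%}), "
              f"report {p['report_rate_change']:+.1%}  {flag}")
```

In the constructed data, engineering's report rate climbs sharply while its click rate barely moves, which is why the script tracks both against the recipient count rather than reporting a single score: a rising report rate alone does not show that fewer people are taking the bait.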
Humans are the target and the solution
The best security tools in the world can’t compensate for a lack of awareness. In fact, the stronger corporate security becomes, the more threat groups will target employees personally.
By partnering with SHI’s experts to incorporate security awareness training into your overall vision and mission, focusing on behavioral change, increasing engagement, and operating across people, process, and technology, you can foster a culture of effective cybersecurity. We can help you transform awareness training from an annual event into a lifecycle that generates security returns.
Take a deeper look into your security program with SHI’s Security Posture Review (SPR), a free assessment with professional insights into your security posture’s implementation, maturity, and risk. Our team will review the entirety of your security landscape and present actionable recommendations with short- and long-term goals.
Contact SHI’s cybersecurity team to begin your SPR or start developing your organization’s security awareness training program today.