New Approaches to Security Awareness Training for Association & Nonprofit Staff
- Russell McCullough
- October 11, 2017
Most Americans are frightened by the prospect of cyberwarfare. In a recent Pew Research Center report, 71% of Americans ranked “cyberattacks from other countries” a top threat, just behind Islamic State attacks and considerably ahead of global warming. Yet, even with never-ending headlines about hacks and breaches, it’s difficult to get some association staff to pay attention to security policies and follow security best practices.
Try one of these less-conventional approaches to cybersecurity training to increase your staff’s security awareness and strengthen their security habits—along with your organization’s cybersecurity defenses.
Tactics to improve security awareness training
There’s nothing like mandatory training to get everyone moaning. One-size-fits-all security awareness training is bound to be too basic for staff who think they know it all (some probably do). If you adjust the content for them, you’ll leave others in the dark. You have to find an approach that ensures everyone really does understand how to work safely to maintain your cybersecurity defenses.
Segment staff. If your staff is too large for individual training, divide them into training groups according to their knowledge level. Develop a pre-training quiz and split them into groups based on their quiz results.
Customize by department. Talk to department heads to discover the types of security risks their staff encounters. For example:
- Do they work with sensitive member/customer data?
- How much do they travel?
- Do they work remotely?
- Are they using mobile devices for work?
- Which cloud-based or subscription systems do they use?
Make it personal. No one thinks a hack will ever happen to them. Get their attention by making it personal. Explain how easily their personal information could be ransacked. Run through several scenarios—show them that they do in fact have access to data that hackers want. Give them a tip sheet to bring home and share with their partner, kids, or housemates.
Glom on to the news. Whenever there’s an attack or breach in the news, turn it into a teachable moment. Explain briefly how the same type of thing could happen to your organization and how everyone has a role in preventing that from happening.
Appeal to compassion. Here’s a good way to motivate people to educate themselves: an insurance firm asked its employees to accept a challenge—watch a security awareness video and for every view the company would donate a dollar to a charity.
Give them the unexpected. A chief security officer at a healthcare organization suggests piquing staff’s interest by using examples that illustrate “how hackers can crack into a car-wash and manipulate the robotic arms to damage automobiles or lock customers inside…Maybe it’s a bit of a scare tactic. But we are in a cyber-war out there.”
Use your LMS. Host security awareness training on your learning management system (LMS). Deliver content in a mix of short video and reading assignments, followed by quizzes. You can track each employee’s progress through different security modules that apply to their job. You could even offer this cybersecurity training program as a member benefit or add it to your online learning programs.
Add security training to onboarding. Every new employee should take a cybersecurity awareness course, even the C-suite.
Require booster training. Security awareness is a habit. You must require ongoing training so people don’t become complacent and careless. When new threats arise, add them to your ‘curriculum.’
Set the example at the top. Make sure the C-suite and department heads understand that they need to lead by example if you wish to develop a culture of security at your association. They must adhere to the same policies as everyone else and participate in all training activities—no exceptions.
Test staff’s phishing gullibility
How do you know if staff really understand and apply what they learned in training? Do what every good high school teacher does: pop quiz! But in this case, they won’t know they’re being tested.
Subscribe to a simulated phishing attack service. Several firms provide security awareness training that includes sending simulated phishing emails to your staff. If an employee falls for the bait and clicks on a ‘bad’ link or opens a ‘bad’ attachment, they’re redirected to a webpage with a video or content discussing the security mistake they just made and how to prevent falling for the real thing.
Turn staff into white hat hackers. Throw a phishing writing workshop and have staff write a phony phishing email. Mix them into a bunch of authentic emails and see if anyone falls for the fake ones. Give prizes to the convincing pseudo-hackers.
Hold cybersecurity contests
Host a bug bounty. If your association develops proprietary software, whether in-house or outsourced, consider letting your IT team set aside a certain amount of time each month to hunt for bugs and flaws in that software. Model your contest on Google's Vulnerability Reward Program, which pays outside researchers who find and responsibly report security holes in Google's products. Look at Capture the Flag competitions for contest formats, and at the published research of Google's Project Zero team (a vulnerability research group, not a contest) for examples of what skilled bug hunting looks like.
Celebrate National Cybersecurity Awareness Month. Dedicate October to testing your staff’s cybersecurity acumen. Send simulated phishing emails. Ask staff to identify any suspicious items in those emails and send their answers to IT. Those who get correct answers each week get one entry into a drawing for a prize (make it a good one), and at the end of the month, the prize is awarded.
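Staff who fall for the simulated emails, or who sit the October contest, need to be told exactly which tells they missed. As an added example (not part of the original article and not any vendor's product), the script below takes a simulated phishing email and lists the suspicious items staff are expected to spot: a lookalike sender domain, a Reply-To that does not match the From address, a display name that borrows a trusted brand, link text that does not match the link's real destination, an unencrypted link, and urgency language. IT can run it over the emails written in the phishing workshop or sent during the contest to build the answer key. The two sample emails, the trusted-domain list, the homoglyph table and the phrase list are constructed for illustration and are assumptions; a real deployment would load the organization's own domains.

```python
"""Answer-key helper for a simulated phishing contest (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: lookalike From domain ("rn" for "m"), mismatched Reply-To,
# trusted brand in the display name, link text that hides the real destination,
# plain-http link, and pressure language in subject and body.
PHISHING_EMAIL = """\
From: "Acme Membership Portal" <billing@acme-rnembers.com>
Reply-To: support@mail-acme-help.net
To: staff@example-association.org
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html

<p>Dear member, please <a href="http://acme-rnembers.com/login">https://portal.acme.org/login</a>
immediately to verify your password, or your account will be suspended.</p>
"""

# Constructed legitimate email from the same (hypothetical) vendor, for contrast.
LEGIT_EMAIL = """\
From: "Acme Membership Portal" <billing@acme.org>
To: staff@example-association.org
Subject: Your October invoice is ready
Content-Type: text/html

<p>Hello, your invoice for October is available at
<a href="https://portal.acme.org/invoices">https://portal.acme.org/invoices</a>.</p>
"""

# Hypothetical domains the organization and its vendors really use.
TRUSTED_DOMAINS = {"acme.org", "example-association.org"}
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "verify your password", "24 hours")
# Substitutions attackers use to build lookalike domains.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def normalize(domain):
    """Fold lookalike substitutions so 'acme-rnembers.com' compares as 'acme-members.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def registrable(domain):
    """Last two labels of a hostname; enough for a training exercise (no public-suffix list)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def domain_of_address(header_value):
    """Domain part of an address header such as From or Reply-To ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def imitates_trusted(domain):
    """True if the domain contains a trusted brand name but is not itself a trusted domain."""
    if domain in TRUSTED_DOMAINS:
        return False
    norm = normalize(domain)
    return any(trusted.split(".")[0] in norm for trusted in TRUSTED_DOMAINS)


def analyze(raw_email):
    """Return the list of suspicious items a trained reader should have spotted."""
    msg = message_from_string(raw_email)
    findings = []
    from_domain = domain_of_address(msg["From"])
    reply_domain = domain_of_address(msg["Reply-To"])
    display_name, _ = parseaddr(msg["From"] or "")

    if from_domain and imitates_trusted(from_domain):
        findings.append(f"sender domain {from_domain!r} imitates a trusted domain")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            brand = trusted.split(".")[0]
            if brand in display_name.lower():
                findings.append(f"display name {display_name!r} claims {brand!r} but address is at {from_domain!r}")
                break

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", errors="replace")
    for href, anchor in LINK_RE.findall(body):
        href_domain = urlparse(href).hostname or ""
        shown_text = re.sub(r"<[^>]+>", "", anchor).strip()
        if "://" in shown_text or shown_text.startswith("www."):
            shown_url = shown_text if "://" in shown_text else "http://" + shown_text
            shown_domain = urlparse(shown_url).hostname or ""
            if registrable(shown_domain) != registrable(href_domain):
                findings.append(f"link text shows {shown_domain!r} but points to {href_domain!r}")
        if href.lower().startswith("http://"):
            findings.append(f"link uses unencrypted http: {href!r}")

    haystack = (msg["Subject"] or "").lower() + " " + re.sub(r"<[^>]+>", " ", body).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency/pressure language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(f"{label}: {len(analyze(sample))} suspicious item(s)")
        for item in analyze(sample):
            print("  -", item)
```

The checks are deliberately simple and readable: the point of the answer key is to name the tells in the same words the training uses, and the legitimate sample shows that an email from a trusted domain with a matching link and no pressure language produces no findings. Note that the brand-name match will flag any domain that contains a trusted brand, so the trusted-domain list should include every legitimate domain a vendor actually sends from.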
Hold a physical security contest. Set up a workstation with several security vulnerabilities for staff to identify, for example, password post-its, a computer powered on with confidential data on the screen, a file drawer unlocked, and an accessible registration form containing a credit card number.
Reward your human firewalls. When someone spots a high-risk phishing scam and is the first to notify IT, send them a thank-you note and copy their supervisor. You could gamify this contest by rewarding the person with the most catches for the quarter.
Warren Buffett said, “It takes 20 years to build a reputation and 5 minutes to ruin it. If you think about that, you'll do things differently.” Amidst all the fun and games, make sure your staff understands the financial, legal, and operational consequences of a data breach. If they do, they’ll start doing things differently.
Download our e-book, The Cybersecurity Watchlist for Association & Nonprofit Executives, to increase your awareness of all the threats that could infiltrate your organization. Forewarned is forearmed!