Security education programs are sometimes mandated, always important, and often difficult to justify the investment. It is easy to get the powers that be to sign off on a once-per-year security awareness training program that will satisfy compliance requirements, but we all know by now that compliance does not equal security.
The Information Security Forum (ISF) has defined information security awareness as an ongoing process of learning that is meaningful to recipients, and delivers measurable benefits to the organization from lasting behavioral change.
So to achieve this, a bigger investment, in both time and money, is needed to implement a continuous security awareness training program that is effective at changing employee behavior - one that includes ongoing simulation training. More money, more time invested, and a goal to change employee behavior means more stakeholder approval will be required.
The first step in getting that done is to build out a true security awareness training program, or as we call it here at PhishLabs, Employee Defense Training. You need to define what success looks like, and it should look something like this:
- A continuous program that includes phishing simulations and point-of-failure training to effectively influence behavioral changes
- Increase in employee reporting of suspicious emails to security teams
- Decrease in phishing attacks due to employee vigilance
- Increased intelligence gathered from the reported attacks
- Measured progress and program adjustments based on the intel gathered
Depending on the size of your organization, the stakeholders may include executives, a board of directors, and since you are going to be phishing your own employees, maybe even HR. So when you go to them for approval, be sure that you have the following components covered in your business case:
- Purpose and scope of the training program
- Defined goals for the organization
- Program structure, methods to be employed, and target audience
- The criteria for success noted above
- Program basics - Training tools, topics and sources defined
- A plan for implementation, program management, and maintenance
- Cost/Benefit analysis
- Metrics - tools to measure the effectiveness/make adjustments to the program
Ultimately, the goal of any truly effective security awareness training program is one that puts your employees on offense, instead of defense. Getting the most bang for your buck means turning your employees into security assets. Our own research has shown that attacks involving business email compromise (BEC) are increasing significantly, so properly trained and vigilant employees are paramount to a successful security posture. If you would like help proving the business case within your organization, PhishLabs would be happy to help.