Consider mixing traditional training media, such as computer-based learning modules and videos, with other techniques, such as short newsletters, posters and interactive training sessions that include role-playing exercises and group discussions. This combination is more likely to deliver the message and reinforce it across the agency.
Gamification techniques such as quizzes, puzzles and interactive scenarios can be helpful, as can incentives, such as prizes or recognition for completing training. However, the most effective way to make people pay attention is with real-world examples, especially those that occurred within the agency itself.
Having an executive fall victim to a phishing attack may seem horrible when it happens. Yet, telling that story — using the executive’s name to really drive the example home — is an outstanding way to make a dramatic impact, which is the best way for people to remember something they’ve learned.
Engaging executive team members in information security education isn’t done to embarrass them but to emphasize that security breaches can happen at any level. Leading by example — even by bad example — makes it clear to staff that cybersecurity is everyone’s business.
Incorporating a variety of methods and techniques makes information security training more interesting and engaging for employees. By doing so, agency IT and information security teams can increase staff engagement and improve the effectiveness of their training programs while making everyone more aware of cybersecurity issues and more alert to potential attacks.
Agencies Should Conduct Preparedness Exercises
Avoiding information security breaches is obviously the No. 1 goal, but having a security culture also means being prepared when a real problem occurs. The IT and information security teams will be the primary responders in such a case. However, involving staff in periodic exercises will help keep everyone’s mind on information security. Reporting suspicious activity is in everyone’s job description, so testing these reporting channels regularly is important.
One common method is to conduct a covert phishing exercise. Running a phishing simulation, in which agency staff are sent fake phishing messages, delivers three benefits:
- Seeing phishing messages pop up in their email will help staff members recognize these types of scams. It’s one thing to be told “be on the lookout” and quite another to find a phishing message in your inbox.
- A phishing exercise tests the agency’s alerting systems. Did staff bring these messages to IT’s attention? How much time passed between the phishing attempt and a response by the security operations center or network management team?
- The exercise will identify which employees need additional training or help in identifying phishing messages.
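The three benefits above are only measurable if the simulation's events are recorded and scored. The following is an added example, not part of the original article, that computes report rate, click rate, time to report, time to SOC response and the list of staff who clicked without reporting, from a constructed event log (hypothetical user names and timestamps, not real agency data):

```python
from datetime import datetime
from statistics import median

# Constructed sample events from a hypothetical phishing simulation.
# Each tuple is (user, action, ISO 8601 timestamp); "soc" is the SOC's
# own triage record rather than a recipient of the test message.
EVENTS = [
    ("alice", "sent", "2024-03-04T09:00:00"),
    ("alice", "reported", "2024-03-04T09:07:00"),
    ("bob", "sent", "2024-03-04T09:00:00"),
    ("bob", "clicked", "2024-03-04T09:12:00"),
    ("carol", "sent", "2024-03-04T09:00:00"),
    ("carol", "clicked", "2024-03-04T09:03:00"),
    ("carol", "reported", "2024-03-04T09:05:00"),
    ("dave", "sent", "2024-03-04T09:00:00"),
    ("soc", "triaged", "2024-03-04T09:30:00"),
]


def minutes(later, earlier):
    return (later - earlier).total_seconds() / 60


def summarize(events):
    sent, reported, clicked, soc_triage = {}, {}, set(), None
    for user, action, ts in events:
        t = datetime.fromisoformat(ts)
        if action == "sent":
            sent[user] = t
        elif action == "clicked":
            clicked.add(user)
        elif action == "reported":  # keep the earliest report per user
            reported[user] = min(t, reported.get(user, t))
        elif action == "triaged":  # earliest SOC response to any report
            soc_triage = t if soc_triage is None else min(soc_triage, t)
    delays = [minutes(reported[u], sent[u]) for u in reported]
    first_send = min(sent.values())
    return {
        "recipients": len(sent),
        "report_rate": len(reported) / len(sent),
        "click_rate": len(clicked) / len(sent),
        "median_minutes_to_report": median(delays) if delays else None,
        "minutes_to_soc_response": minutes(soc_triage, first_send) if soc_triage else None,
        # clicked the lure and never reported it: candidates for extra training
        "needs_training": sorted(u for u in clicked if u not in reported),
        # neither clicked nor reported: the message may not have been noticed
        "no_action": sorted(u for u in sent if u not in clicked and u not in reported),
    }
```

Tracking these numbers across repeated exercises shows whether reporting channels are actually improving, which a single pass/fail count does not.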
Other preparedness exercises include tabletop or red/blue team exercises, which simulate security incidents and walk staff through identifying and responding to the threat. Most staff will assume that the bulk of the response should fall to the IT team, and perhaps it does — but when a security incident occurs, everyone in the agency has a role to play.
These types of exercises can complement the information security equivalent of a fire drill — a test of the agency’s incident response plan. An IR drill helps everyone, from senior management to client-facing staff, understand what they need to do and how they will continue their work if a serious incident occurs.