Tips To Launch Security Awareness Training For New Hires
When employees are hired, they typically update their LinkedIn profile, take a photo and share it on social media, talk about their title, and show how excited they are. In doing so, they don’t realize how vulnerable they are to falling victim to a cyber attack at this stage.
Instead of ignoring this fact, it’s good to be proactive and talk about cyber security during the new employee orientation. And we aren’t just talking about a quick 5-minute recommendation here; we’re talking about making security awareness training part of your new employee onboarding process.
With your new hires, it’s important to build a culture of security from the get-go. Let’s consider how to make cybersecurity part of your onboarding process for new employees — plus what phishing training is and how to run a simulated phishing test — starting with some best practices for new employee onboarding security awareness training.
“Security awareness training is required from Day 1 because hackers will be targeting your employees from Day 1.”
Security Awareness Training Topics and Responsibilities
With the increasing number of cyber attacks, security awareness training should be part of your new employee onboarding training from Day 1. Let’s talk about what security awareness training topics you should cover in your new hire training.
The basic concepts to start with are an introduction to cyber security—essentially what cyber security is, why it is important, and what to expect when hackers are constantly trying to target you and your organization. It’s important to set expectations here, showcasing how seriously your organization takes cyber security, introducing it in your ongoing employee training program.
The biggest security awareness topic to discuss is phishing. Most employees have heard the word before but aren’t as familiar as you would think with how to defend against phishing attacks. This is one of the most important topics to talk about since your employees will be facing phishing almost daily, especially during their new hire onboarding, when a hacker could prey on their vulnerability by impersonating coworkers they haven’t met at their new organization.
Gift card scams, for example, are increasingly popular among bad actors. They will monitor a company on LinkedIn, just waiting to see a new employee join, then pretend to be a higher-up in your organization instructing your new hire to buy gift cards. Because this new person is eager to make a good impression, they may react quickly without thinking this is a scam.
The role that coordinates and delivers security awareness training is usually the IT Director, CISO, or another IT or Security professional. It is not uncommon to have the organization’s compliance manager, COO, or even HR help coordinate the release of content. It’s recommended to have the involvement of multiple departments in building and managing a security awareness training program.
This way the entire organization is involved and invested in the success or failure of employee security training and activities together rather than pointing the finger at IT.
Why Phishing Simulation Tests Are Important
Phishing simulation tests are an essential part of a security awareness training program; they are designed to test your employees using real-world scenarios.
For example, say your new employee receives some LinkedIn connection requests from “new colleagues” on Day 1. They are busy and accepting requests from lots of new people they don’t know yet. It’s an exciting time for the employee and email notifications are coming in quickly.
Now imagine this request came from someone they don’t know yet, and it asked them to click the email. They may already be logged into LinkedIn, but let’s say they were brought to a new page. They enter their username and password and nothing happens, just an error page. What gives?
Guess what: this was all a simulated test to see if a hacker can steal your new employee’s information this exact same way. This is why phishing tests are essential, as they show employees how easy it can be to convince someone to click on something. Phishing simulations are meant to educate people on what they shouldn’t be doing with their email. It’s important to recognize that this is training, meant to reinforce good behavior and not to demean your new employees on Day 1. This is a matter of security.
It’s important to recognize that this type of training does affect your company culture. Because employees perceive this type of test as so radically new, they may be alarmed and wonder why their organization is trying to trick them into something like this. Recognizing this and communicating why you are running phishing tests is almost as important as the tests themselves.
While this chapter doesn’t go into explicit detail on how to run a phishing test, you need to understand that it’s an important part of the employee onboarding process. Phishing tests aren’t designed to trick employees; instead, they are used to measure the effectiveness of your overall security awareness training program.
How To Build A Culture Of Security With Continuous Security Awareness Training
Building a culture of security doesn’t happen overnight. Security shouldn’t be seen as an afterthought, but instead embraced as part of the company culture from Day 1. Continuous security awareness training should be part of your employee development training program.
Security awareness is a topic that changes every day and needs to be top of mind every time an employee interacts with technology.
In order to keep employees engaged throughout the year, you should consider releasing new content on a monthly basis. The more often you surround your employees with new security training content, the more common it will be to talk about security, especially if it's fun.
Closing The Security Awareness Feedback Loop
Because security awareness content is constantly changing, you have a responsibility to listen to employees on what they like and don’t like. This isn’t just to get feedback on the content, but more importantly to get feedback on what employees want and need to learn more of. This is often overlooked when it comes to security awareness.
Not listening to your employees is a huge mistake when running a security awareness program. Getting regular feedback on an ongoing basis, especially from your new hires, is a great way to develop relationships with your employees and reinforces a culture of security.
Security isn’t a set-it-and-forget-it task. You need to be listening for info about the latest threats that your employees are facing and build a learning plan to educate them on how to defend against those threats. Ask them what questions they may have, and remind them that you’re all in this together.
Employees can be hesitant to offer suggestions or ask questions because they don’t want to look foolish. Consider hosting small, private sessions to collect feedback, as this allows for input without calling someone out or potentially making them feel uncomfortable. The more you can incorporate this type of feedback into your training, the better your progress.
Conclusion
Security awareness training is essential for your new employees because hackers could be watching your LinkedIn or other online presence looking for easy targets. Phishing simulations should be part of your new hire training and ongoing employee security awareness training program to show how easy it is for someone to accidentally give up their credentials.
It’s not just IT who is responsible for cybersecurity; it’s everyone in people operations! Open up the dialogue with employees to get their input on their security training, what works, and what doesn’t.
Just like how you’re all in this together working towards a company goal, everyone from the C-suite to your newest hire plays a part in protecting your organization against a potential cyber attack. We all have to do our part to help keep each other safe online.
We wrote the eBook How To Make Training Awesome: Your New Employee Onboarding Checklist, so you can jump around to the parts of this book to find the information you need to be successful with your new employee training. Each chapter ends with key takeaways, and you can also replay our webinar where we discuss how to incorporate storytelling into your employee training.