How to Create a Comprehensive Security Training Program for Employees

By Olivia Munro | Thursday, January 30th, 2020

Here at Eze Castle Integration, we’re constantly talking about the evolving security landscape and the technical tools and layers of security required to keep your firm's sensitive information safe. Today, we're here to talk about one extremely important layer of security that firms often overlook: employee training.

Though sometimes underestimated, developing and implementing a comprehensive employee training program creates an internal culture of security and ensures that all employees maintain a "security-first approach" to everything they do. This will make your employees an asset to your data security as opposed to a threat and bolsters your firm's cyber strategy.

Start with previously developed security programs.

Having detailed programs like a Written Information Security Plan, Disaster Recovery Plan, Business Continuity Plan, and Cybersecurity Incident Response Plan is a great place to start when developing your employee security training. All employees should have general knowledge of these plans, and specifically what to do in case of a security incident. If certain employees or teams are required to take action within any of these plans, they need to be fully aware and trained on their role within the plan.

As these plans and programs are evaluated and modified, whether due to technological advancements, company policy changes, or the evolving risk landscape, employees need to be trained and notified of any changes. Even if no changes are made, it is wise to hold security training at least annually to reinforce the security-first posture you're trying to instill within the organization.

Develop the curriculum.

Building off the previously mentioned plans, developing the curriculum for your formal employee training is a critical component of the program. Some topics to be covered include:

Mobile device management/BYOD policies
Data management & protection
Acceptable use policies
Password policies
Removable media (if allowed at your firm)
Clean desk policy & locking computer screen when not at your desk
Internet browsing best practices
Social engineering training

Having a standardized and required training or curriculum will ensure that all employees have the knowledge necessary to embody the culture of security.

Conduct annual tabletop exercises.

To ensure employees are effectively trained, your firm should conduct annual tabletop and simulation exercises.

Implementing a Phishing and Training program at your firm is a fantastic way to teach employees in real-time what to look for in a nefarious email. These tabletop exercises can be in-person or virtual seminars, but they should bring together department representatives across the firm to enable swift business recovery in the event of a business-impact scenario. Interactive online training sessions cover a variety of security topics including awareness training, cyber attacks, types of phishing and more. The results of these simulated exercises should be reported and measured to benchmark employees vulnerabilities, phishing and training results and user actions. Use this data to continue to modify your program based on the needs, strengths and weaknesses of employees.