How .legal conducts awareness training: Tips & Tricks
Struggling to kickstart your awareness training? Every company is unique, but here’s our take on how to create the best possible starting point!

Introduction
Awareness training is essential and beneficial for any company, a view supported by many experts. Studies indicate that 68% of security breaches result from human error, emphasising the need for employee training. Training gives employees the knowledge and skills to identify and mitigate potential threats effectively, and so to protect both themselves and the company.
Read more about ISMS here: Introduction to Information Security Management Systems (ISMS) and Privacy ISMS Prices.
Stranger danger?
Technology is constantly evolving, and everything is becoming more and more digital; this also leads to an increased need for security measures, where employees can be the deciding factor between being attacked or not. Studies indicate that about 62% of economically motivated incidents involve ransomware or extortion, highlighting the importance of being aware and prepared for potential threats. This helps prevent significant financial and organisational losses, as a security breach typically results in an average loss of DKK 330,000.
It's about creating culture
Such losses can be damaging for a company, which is why it is important to focus on awareness training; without it, a phishing attack can escalate into a larger incident than it needed to be.
Effective employee training goes beyond a single course on potential threats. It involves fostering a culture of awareness within the workplace, continually informing, educating, and reminding employees. This approach ensures that the training is meaningful and beneficial for the organisation.
Consider a situation where an employee inadvertently clicks on a phishing link. If the employee fails to report this incident, an unauthorised user – the hacker – may gain access to the organisation's systems. This could lead to severe consequences, such as the installation of malware or the execution of a DDoS attack, resulting in significant damage to the company. Such an outcome might have been prevented if the employee had promptly notified the appropriate personnel about clicking the malicious link. Another scenario is that the employee does not know that the link is dangerous, and therefore is not aware of the consequences of clicking on it – which might be even worse!
From compliance to competence
This example shows the importance of awareness training. It is essential that employees understand what they are dealing with to such an extent that they know what to look for and how to react to it. To accomplish this, they must be informed about potential threats and attacks they may encounter in their daily work. Furthermore, employees should be well-informed about the organisation's security policies and acquainted with industry best practices. This can be effectively achieved through engaging methods such as interactive quizzes. The three pillars of informing, educating, and remembering constitute the foundation for the most critical elements of awareness training and are essential practices that all organisations should adopt. And you simply can't ignore that repetition works!
Another crucial aspect of awareness training is fostering a culture of openness in the workplace. If an employee is hesitant to report a threat initially, other training may not be effective or even relevant. Hence, it is important for both employees and leaders to adopt a culture of openness and ensure that everyone feels secure in reporting potential threats. This also includes a clear message from management on what to do if such a situation arises.
What do we do at .legal?
Initially
At .legal, we prioritise good cyber hygiene, valuing efficiency and quality assurance in a single solution. As part of our awareness training, we utilise our own compliance platform, including our annual wheel for relevant topics and our internal audit module for quizzes/tests to assess employees' understanding of the training content. This ensures we present practical topics that our employees encounter daily. This knowledge is tested through the audit module, where they can identify their strengths and potential areas for improvement.
In practice, we prepare a presentation of the month's theme with recorded audio, which is sent out to all our employees. Inspiration often comes from the activities in our annual wheel as well as current trends. The presentation should be viewed within a specified time frame, but besides that there are no restrictions on where or how it is viewed. We prioritise giving employees the flexibility to choose when they can focus on training, which promotes better understanding.
Additionally, it is essential that the presentation includes information relevant to the employees, with examples that keep it realistic, so that employees can see how to use the information in practice. After training, employees should know what is needed for their daily work and the company's security. They don't need to be IT experts, so keep it simple and relevant.
During
After the deadline for viewing the presentation, employees automatically receive a questionnaire through our internal audit module. Here, they are tested on how well they have understood the content of the awareness training. Additionally, this serves as a confirmation that they have viewed the presentation, which may be used as evidence for ISAE 3000/3402 or ISO 27001/27002.
The questionnaire also includes a field where they can provide feedback, suggestions, or requests for this and future awareness training. This feedback is invaluable for those who design the training, allowing them to continually optimise and refine both the content and its delivery.
Afterwards
When an employee completes their questionnaire, the owner of the questionnaire receives an email notification saying that the employee has finished. Subsequently, the owner can see the employee's overall score and risk level, as well as the individual answers to the questions, which can provide an indication of how successful the awareness training has been and which topics should be included in the next training.
The Road from "Oh no" to "Aha!"
We have gathered some useful tips on how to get the most out of your awareness training, including things you should be mindful of to ensure the best outcome.
💥 Get everyone on board – including the boss! It is important that everyone is equally engaged in the training and that everyone actively participates, regardless of who they are.
💥 Prioritise awareness training. Some choose to deprioritise the preparation time for awareness training, which ultimately results in poorer learning and a less secure company. It’s therefore important to allocate both time and resources for the training.
💥 Raise awareness of the plan. Make sure employees know what their individual responsibilities are, as well as the company’s overall security goals. This helps increase individual engagement, as employees feel a sense of ownership over the process.
💥 Keep it simple and relevant! Many awareness trainings become long and difficult because of the use of technical terms that may require explanation. This could be a waste of time and maybe even decrease employee focus. Be sure to only cover what is relevant and tangible for the listeners.
💥 Break up the training. Don’t try to cover the entire awareness training in one go; instead, choose relevant topics to address continuously throughout the year. This keeps the training maintained, easier to apply, and up to date.
💥 Remember interactivity! Several studies show that interactive learning helps with better retention – so feel free to use quizzes, role-playing, discussions, and similar activities that can increase engagement and improve memory. This could also include phishing simulations or something as simple as hanging up posters about security in the office. Ultimately, it’s about keeping the interest alive!
💥 Make it easily accessible. To achieve the best results, the training (and potential quizzes) should be easily accessible to employees, allowing them to integrate it into their daily routine and access the material when they have the time and energy. However, it’s also important to set a deadline to encourage employees to complete the training within a specific timeframe.
💥 Get better. It’s important to remember that significant achievements take time. Be sure to gather feedback from employees to identify what worked and what didn’t, and adjust the content and methods accordingly.