Training New Hires on Security: Strategies for Success
The more an organization can tailor security training content to the types of issues that employees may actually encounter, the more relevant and engaging it becomes.
![Blue cyber background with a gold lock in the center of the image.](https://eu-images.contentstack.com/v3/assets/blt69509c9116440be8/bltd8b21b62a6d8c3e5/64caea1c1cf9dc233d330cf2/security-g2dc72fbf1_640.jpg?width=1280&auto=webp&quality=95&format=jpg&disable=upscale)
The rise of cyberthreats and the growing complexity of the IT threat landscape mean that security training must be a paramount concern for every organization.
Instilling a culture of security starts on day one, and partnering with the human resources team to accomplish this is essential -- not just for new hire training, but across the entire workforce security program.
The importance of security is something that needs to be echoed early and often, and ideally, the organization’s commitment to information security will be covered during employee onboarding sessions.
That should be followed by online training that employees complete in their first week on the job.
Ben Calvert, chief security officer at Proofpoint, says a great way to ensure your training is useful and relevant to new employees is to start with a knowledge assessment. “That baseline provides a measure of where the learner’s knowledge is most at risk, and the training content can then focus on those areas,” he says.
He adds that training should also be interactive -- forcing new people to sit through lengthy security awareness videos or content that isn’t engaging can be counterproductive. “It could send a signal that security is unresponsive to the needs of employees,” Calvert cautions.
Focus on Catered Security Training
Sajeeb Lohani, director of cybersecurity at Bugcrowd, advises security teams to make training catered to the threats and occurrences they see in practice. “There are vendors who provide this type of training, which can often aid with decreasing the load of creating the entire training,” he says. “However, catering for specific circumstances is often most effective.”
For example, if you own an accounting firm, you may see a larger number of phishing emails regarding changes to account details, so you’d train people to detect those scams appropriately.
“The most common threat in the horizon would be social engineering and phishing,” Lohani adds. “With companies like Riot Games and Zendesk being affected, it’s proving to be an effective method for attackers to reap value.”
Bambenek says that, ultimately, every employee should know about phishing attacks, as any employee can be a target.
“Beyond that, the key is training being calibrated to the unique threats faced by specific classes of employees,” he explains. “Employees in finance will see various forms of business email compromise or spoofed invoices. IT and security administrators will see spoofing for authentication failures or security events.”
Training an Essential Onboarding Component
John Bambenek, principal threat hunter at Netenrich, points out that onboarding is the time when employees are naturally inclined to be learning and are not yet fully engaged in day-to-day work.
“Making sure security training is up front when there are fewer opportunities for distraction helps,” he says. “HR should make sure this happens as part of structured onboarding.”
The security teams and threat intel teams should make sure the training is calibrated to risks relevant to those employees -- the key to any training is that it’s relevant to the employee.
Calvert agrees the topics covered in the training should be driven by the security concerns of your organization.
“Find out from your incident response team what types of events are being driven by employee behavior,” he says. “Your human resources, legal, and privacy teams will also have input for you.”
Lohani says while security is everyone’s responsibility, training around security awareness is generally owned by the security business unit -- more specifically the security outreach or awareness teams.
“If the company does not have a security team, the responsibility often falls upon the IT team,” he notes.
A Positive, Gamified Training Experience
Mika Aalto, co-founder and CEO at Hoxhunt, advises against punitive approaches when beginning new hires’ experience with security awareness. “Most legacy solutions use a one-size-fits-all model that only engages on failed responses, which leads to employees quickly disengaging with the program,” he cautions.
New, successful approaches utilize positive, gamified experiences to equip employees and security teams with the skills and tools to recognize and stop breaches before they spread.
He points out that 90% of breaches target employees, and that the easiest path to a breach is through employees’ email inboxes.