Discover security awareness trends and best practices for 2021
Your employees are your first line of defense against cyber security attacks. The strength of your security awareness program depends on every employee in your organization.
As part of your organizational goals and plans for 2021, you need to prioritize building a cyber secure and aware culture. This requires an ongoing commitment from every manager, department, and person in your organization.
In addition, there must be an understanding that effective security awareness isn’t made up of random training sessions or a single quarterly email about phishing.
As a CISO or security leader, take advantage of a new year to focus on giving your colleagues the knowledge, skills, and confidence to recognize phishing attacks, be aware of CEO fraud, and understand how easy it is to be tricked by social engineering.
To help you start 2021 with a cyber-secure mindset, we’ve put together our crucial security awareness program must-haves to help keep your organization aware, secure, and protected. These are the security awareness trends and best practices we use here at Terranova Security to keep our organization and people protected and secure.
Get the Support You Need to Create a Cyber Aware Culture
Successful security awareness programs all have one thing in common – support from all departments, teams, groups, and decision-makers. As a CISO or security leader, you need to get everyone interested and engaged in security awareness, including the C-Suite, human resources, IT department, and every team lead and manager.
People learn by example, and when they see others in the organization getting behind your security awareness program – they will do the same. This interest in and commitment to security awareness has to happen at every level and in every department.
Follow these four tips on how to get support for a security awareness program:
1. Get C-Suite Support. Security awareness training requires that employees are permitted to spend time on learning. And employees need to know that this training is a priority for them and the organization. To accomplish this, you need C-Suite support. This support translates into a training budget, time allocated for employees to complete training modules, and a tone set at the top about why cyber security is essential.
Action: show the executive and management team how cyber attacks happen and the potential impacts of password theft, information disclosure and ransomware infection. Set up a phishing simulation for your management team and then meet with them afterward to review the results. Use this as a way to discuss your security awareness plans for the organization.
2. Partner Up. Work with key departments such as human resources, legal & compliance, IT, and managers to build a security awareness program. Explain how cyber attacks happen and why it’s crucial to build a cyber-secure culture. Give them access to resources such as the Cyber Security Hub and The Human Fix to Human Risk.
Action: use micro- or nano-learning activities to demonstrate that it doesn’t take a lot of time per day or week to deliver effective security awareness training.
3. Know Your Organization. Talk to employees in every department and at every level. Pay attention to the work habits of your colleagues. Do they understand the BYOD policy or follow your remote working best practices? Do you know how people are communicating with each other and sharing information? Learn about the objectives, concerns and culture of the different teams and departments in your organization.
Action: provide a range of security awareness training and program strategies that address the unique needs of the people, interests, and concerns in your organization. Understand that gamified training, for example, might not appeal to everyone or that some teams are on tight schedules.
4. Communicate. Every successful security awareness program has a team of people behind it. Communicate with managers, executives, team leads, and key colleagues. Keep them updated with the training and awareness program status.
Action: ask for input, feedback, and ideas. Get people thinking and talking about security awareness training and sharing what they like and don’t like about training. Listen and give people training that fits.
Best Practices for Building a 2021 Security Awareness Program
Your organization has unique needs and people, and this demands a training program designed around the how, why, when, where, who, and what of your organization. Do not use an off-the-shelf security awareness program – create a people-centric program designed for your people. Remember these five best practices for building a security awareness program:
- High-quality content. People have short attention spans and may not have a positive view of corporate training. Overcome this with training created by security experts that is fun, engaging, and relevant.
- Personalized campaigns. Each employee must be able to relate to the content. Give people content that is specific to their role and responsibilities. Make sure this content is in their native language and is accessible.
- Collaboration. Look for a security awareness training provider who wants to be your collaborative partner. Choose a company that uses an advisory approach and is committed to learning about your organization’s needs.
- Analyze, Plan, Deploy, Measure, Optimize. Success happens when you know where you want to go and how you’re going to get there. Create a well-defined program with measurable goals that is designed with your target audience in mind and includes topics based on your organization’s risks. Learn about the Terranova Security Awareness 5-Step Framework for raising security awareness in 2021.
- Custom delivery model. Choose a training delivery model that can be easily incorporated into your organization. The scope, size, and personality of your organization should determine how you deliver training. Talk to your training partner about self-delivery/management, security awareness-as-a-service, and a hybrid delivery model.
Know How To Get Your Users Interested in Security Awareness
Cyber security starts with your employees. You must motivate your employees to want to learn about cyber security threats and risks. Your employees are your first line of defense against phishing, hacking, identity theft, and data breaches. Follow these 10 steps to engage employees in security awareness training:
- Create custom training campaigns based on the risk profile and knowledge level of employees.
- Explain how certain behaviors and best practices help them in both their personal and professional lives.
- Deliver accessible training campaigns that ensure everyone in your organization has the same access to detailed security awareness training.
- Use a range of training types, including eLearning, micro- and nano-learning, and gamified training.
- Use awareness campaigns to stimulate conversation and get people thinking about what they have learned.
- Collect feedback from your employees on the training and make adjustments accordingly.
- Let employees test their knowledge with simulations and gamified scenarios.
- Give employees continuous feedback on what they have learned.
- Empower your employees by making it clear that they have the power to stop cyber attacks and threats.
- Recognize good and bad behaviors and provide feedback.
Build a Modern Security Awareness Program for 2021
The COVID-19 pandemic has forced organizations to adjust where people work, communicate and share information, and how products and services are marketed, sold, and delivered. This shift to remote work has made it a higher priority to give people a remote working and learning environment that is cyber secure and aware. Cyber security best practices do not stop when people are working remotely or traveling. Your 2021 security awareness training campaign must focus on the trends in how and where people work and learn. Make sure you have training modules on topics such as:
- Confidentiality on the internet
- Protecting your home computer
- Smartphone and mobile device security
- Working remotely and securely
- Reporting incidents
- Privacy and password best practices
- Protecting sensitive information
- Wi-Fi security
- Being security aware
Give your employees easy access to resources such as our Cyber Security Hub.
How to Stay Cyber Secure When Working Remotely
Cyber security risks and threats do not disappear when you work from home, travel, or work in a coffee shop or other public location. If anything, cyber security risks increase when we change our work habits and adjust to a new routine and environment. To keep you and our organization protected from cybercriminals and threats, remember these keys to staying cyber secure when working remotely:
- Use our VPN to connect to the network when you need to perform your work duties.
- Only work on your work computer. Do not share work data and information with your home computer or personal devices.
- Ensure your computer has the latest updates installed for its operating system, applications, network tools, and internal software.
- Do not disable malware protection and anti-spam software on your computer.
- Follow our policies on sharing information. Only use approved cloud-sharing tools. If you’re not sure – ask!
- Secure your passwords, pay attention to where you enter them and do not reuse the same password on multiple systems.
- Remember essential cyber security best practices. Remain vigilant and skeptical of all unsolicited emails, text messages, social media chats, and attachments. When in doubt – don’t click.
- Turn off Bluetooth auto-discovery on all mobile devices.
- Never connect to a public Wi-Fi network that is not password protected.
- Even when you’re working at home – do not leave your laptop unlocked and unattended, securely store any printed documents (do not leave them on your desk), and always be click aware.
When in doubt – don’t click, respond, or engage.