Why Every Organization Needs an Annual Security Awareness Training Program

So one thing that we've seen be very successful is to have a security awareness program that's actually ran as a thematic campaign. Meaning that security awareness will be ran successively month after month or quarter after quarter potentially with overlapping themes or brand new themes, not only to keep people engaged, but to also make sure that it's either a refresher for those that have been with the company for a while, or in the case of employee turnover, that we're making sure we're doing our due diligence training new employees on best practice as it pertains to security awareness. So we spoke to the element of employee turnover and the fact that on average we should expect employees to come and go.

We also want to make sure that we're keeping security awareness top of mind, and the importance of the chain of custody with respect to data and employees' responsibility for that data fresh. And in doing so, we not only recommend doing something every year, but also making sure that it's top of mind or kept front of mind, and that's tying back to the thematic approach that we mentioned a minute ago. Now, we also have an ever-changing security landscape. Personally, I like to consider it sort of a co-evolutionary arms race between the attackers and the folks that are trying to maintain security best practice and keep things secure. And to that end, we always make sure to keep your content fresh.

Generally, either if it's homegrown or you're using a vendor, you want to make sure that there's a process for updates and upgrades to make sure that you are getting the most relevant data as it pertains to not only the attack vectors that exist in the marketplace, but ongoing trends that are being seen in the industry, and it could be to your particular vertical or just the industry in general, which is why it's important that you look for vendors or potential solutions that cover a myriad of different topics and topical focus areas to ensure that everything is covered, whether it's, again, your particular industry vertical, your particular market, the particular size company, your addressable customer audience, and so on and so forth.

And just as important, you want to make sure that you're testing for the efficacy of your program. So you want to make sure that your program is working. One thing that we have seen work pretty well is simulated phishing attacks post-training. So we want to really test to make sure that employees are actually adopting the knowledge that they learn through this ongoing training. And we've seen that generally speaking, it takes three training events before a student really picks up the knowledge, after which about 50% have a really solid takeaway based on the security awareness training. And simulated phishing in the context of security awareness training particularly user credentials is a great way to ensure that that knowledge is adopted and that your security program works. That's all we have today for Whiteboard Wednesday. Check us out at rapid7.com. We actually have security awareness programs that could work well for your organization. Thank you.