12 Jul Reducing Risk: Information Security Training & Reinforcement
Like any other information-related feat, implementing a strong information security framework requires People, Process, and Technology to succeed. While our latest information security blogs covered the right process and the right technology, this one sets out to address the people-side of things.
THE PEOPLE-SIDE OF INFORMATION SECURITY
Your employees play an important role in keeping organizational information safe and secure. In fact, a recent study found that 88% of data breaches are caused by employee mistakes.
That high percentage shows that you can have the right processes and technology in place, but if your employees aren’t fully aware of how to protect organizational information, you will still be vulnerable to cyberattacks.
This is a potential risk for all organizations, so it’s essential to take action now – empower your employees to recognize and combat information security threats before they happen. Here’s how:
BEST PRACTICES: INFORMATION SECURITY TRAINING
The goal of training in change management is to equip employees with the knowledge and the skills needed to succeed in the future. That’s why the Prosci® ADKAR Model has two stages for training: Knowledge & Ability.
You want employees to know how to change and demonstrate ability to carry out that change moving forward, especially when it comes to information security. You may know the textbook definition of “phishing,” but you may not recognize when it pops up in your inbox.
Provide Initial Training & Education
This is what most organizations already do – train and educate. However, this shouldn’t be treated like a checklist item. Rather than sending one training video to all employees’ inboxes, use training methods that are interactive and engaging. This can be an eLearning course that provides real-life scenarios to unpack, an instructor-led training session, and/or a virtual Q&A meeting for small groups.
Whatever training mix you choose, make sure your employees gain knowledge of:
- Why information security is important.
- What role they play in protecting the organization’s information assets.
- How they can keep those information assets safe and secure.
- Where to go for more information.
- Who to contact with questions and/or concerns.
Use Hands-On Practice
It’s important that employees take the knowledge gained and put it to practice, which will build up their ability to keep the change day-to-day. This doesn’t have to be some complicated, real-life simulation. It can be something as simple as coming up with a foolproof password, setting up multi-factor authentication, and recognizing “phishy” emails (extra points if you gamify it). Perfecting these small tasks will go a long way in combatting information security risks.
After each training and practice session, it’s helpful to collect feedback on:
- The session’s effectiveness.
Did employees find the content engaging and helpful?
- The session’s level of comprehension.
Are employees now able to demonstrate a high level of knowledge and ability?
- Suggestions for future sessions.
What could be done to improve session effectiveness and comprehension?
Covering these three areas will help you gauge what went well and target areas for improvement. If the feedback shows a lack of comprehension on a certain subject (for example, recognizing social engineering attacks), then you’ll know more training, practices, or resources are needed for that subject.
BEST PRACTICES: INFORMATION SECURITY REINFORCEMENT
Change management efforts shouldn’t come to a halt once an employee demonstrates knowledge and ability. In fact, there’s a Rule of 7 that says people need to hear a message seven times before they consider taking action. And even then, it’s natural for us to revert to old habits. So, the Reinforcement stage of ADKAR is key to long-lasting change.
Make Information Accessible
As you’re rolling out the initial training, it’s important to also make the material easily accessible for reference. This can include a follow-up email to summarize key points, a portal with training guides and videos, and/or contact information for a support group of individuals who can address questions and issues.
As time goes on, you should continuously measure the success of your information security training and reinforcement efforts. Over time, you can track:
- The number and type of information security threats.
Were there fewer security threats after training and reinforcement?
- The response to those information security threats.
Did employees respond appropriately to those threats?
- Pre- and post-knowledge.
How much knowledge did employees learn and retain? This can be tracked through pre- and post-training surveys. You can also administer follow-up surveys periodically to track reinforcement efforts.
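The three measures above (threat counts by type, how employees responded, and pre- versus post-training knowledge) are easy to describe but are often never actually computed. The following is an added example, not code from the original post or from Prosci, that tallies all three from a constructed incident log and constructed survey scores; the training date, the incident categories, the 0–10 survey scale and the employee IDs are assumptions for illustration only.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Constructed: the date the initial training was delivered (assumption).
TRAINING_DATE = date(2024, 3, 1)


@dataclass(frozen=True)
class Incident:
    day: date
    kind: str        # constructed categories, e.g. "phishing", "lost_device"
    reported: bool   # did the employee report it through the proper channel?


# Constructed sample incident log spanning the months around training (not real data).
INCIDENTS = [
    Incident(date(2024, 1, 10), "phishing", False),
    Incident(date(2024, 1, 22), "misdirected_email", False),
    Incident(date(2024, 2, 5), "phishing", True),
    Incident(date(2024, 2, 19), "phishing", False),
    Incident(date(2024, 2, 27), "lost_device", True),
    Incident(date(2024, 3, 12), "phishing", True),
    Incident(date(2024, 4, 3), "phishing", True),
    Incident(date(2024, 4, 30), "misdirected_email", True),
]

# Constructed pre-, post- and 90-day follow-up survey scores (0-10) per employee.
SURVEYS = {
    "emp-01": {"pre": 4, "post": 9, "followup": 8},
    "emp-02": {"pre": 6, "post": 8, "followup": 8},
    "emp-03": {"pre": 3, "post": 7, "followup": 5},
    "emp-04": {"pre": 5, "post": 9, "followup": 9},
}


def threats_by_period(incidents, cutoff=TRAINING_DATE):
    """Number and type of incidents before and after the training date."""
    before = Counter(i.kind for i in incidents if i.day < cutoff)
    after = Counter(i.kind for i in incidents if i.day >= cutoff)
    return {"before": dict(before), "after": dict(after)}


def report_rate(incidents, cutoff=TRAINING_DATE):
    """Share of incidents that employees reported correctly, before vs. after training."""
    def rate(group):
        return round(sum(i.reported for i in group) / len(group), 2) if group else None
    return {
        "before": rate([i for i in incidents if i.day < cutoff]),
        "after": rate([i for i in incidents if i.day >= cutoff]),
    }


def knowledge_metrics(surveys):
    """Average pre-to-post gain, and how much of that gain still shows at follow-up."""
    gains = [s["post"] - s["pre"] for s in surveys.values()]
    retained = [s["followup"] - s["pre"] for s in surveys.values()]
    avg_gain = mean(gains)
    avg_retained = mean(retained)
    retention = round(avg_retained / avg_gain, 2) if avg_gain else None
    return {"avg_gain": avg_gain, "avg_retained": avg_retained, "retention_ratio": retention}


def needs_refresher(surveys, threshold=7):
    """Employees whose follow-up score fell below the threshold: reinforcement candidates."""
    return sorted(emp for emp, s in surveys.items() if s["followup"] < threshold)


if __name__ == "__main__":
    print("threats:", threats_by_period(INCIDENTS))
    print("report rate:", report_rate(INCIDENTS))
    print("knowledge:", knowledge_metrics(SURVEYS))
    print("needs refresher:", needs_refresher(SURVEYS))
```

The retention ratio is the part worth watching: a large pre-to-post gain that has mostly evaporated by the follow-up survey is the signal that reinforcement, not more initial training, is what the subject needs, and `needs_refresher` turns that into a concrete list of people to reach.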
If your organization is successful in reducing the number of information security incidents, celebrate that! Part of the Reinforcement stage is visible recognition of what’s going well.
It’s good to remind employees of the value of information security training and reinforcement – that it was time well spent. So, recognize the success and let your employees know that they’ve played an important role in protecting organizational information.
KEY TO SUCCESS: PEOPLE, PROCESS, AND TECHNOLOGY
The people-side of things is essential to reducing information security risk, but you’ll need to cover all the bases to achieve success.
Our blog, “Data Classification for Information Security,” covers the process of putting the right controls in place through data classification. And “Information Security in Microsoft Office 365” details the technology available to help secure your information assets.
If you’re looking for help in any of these three areas, contact us at email@example.com.