3 things every IT security training session needs

Training users isn’t easy. Heck, even finding the time to do it is difficult. But the security awareness they bring out of a session will pay off if it leads to smarter behavior online. 

Here are three things every training session needs in order to be effective – whether it’s conducted in-house, by an outside vendor or online.

1. An interactive component

Reciting rules or flipping through PowerPoint slides doesn’t lead to good security behavior. Users need to actually have hands-on experience during their training sessions and the ability to interact with the trainer or others.

Even something as simple as a group exercise can work: have users think of and discuss potential security threats they have faced or might face, then discuss ways those threats can be addressed. Or you could show two emails, one a phishing attempt and one real, and ask users to spot which one is fake and why.

The important thing is that they’re active participants in training, not being lectured to.

2. Something to do right away

Training can’t be abstract ideas alone. Workers need something they can do the minute they return to their desks to spark security change right away.

It doesn’t have to be a major security overhaul. Changing passwords, adding a passcode to a mobile device, or setting filters on their email are some examples of small steps users can take that will make them think about what they learned in the session.

And in the larger sense, what they learn in those training sessions should be something they practice from the minute they get back to their workstations and going forward.

3. Good followup

Training sessions often fall short by being too isolated. A great training session is designed beginning-to-end, delivered effectively … and then forgotten by nearly everyone in attendance.

There needs to be followup on training if there’s any hope of it sinking in.

Some ways you can do this:

  • Email reminders. The most basic form of followup, sending a reminder of what was covered, is a safe bet. These reminders can be spaced out so that by the time workers begin to forget what they learned, it’s pushed back into their minds.
  • Tests. Either formal quizzes or fake phishing emails can be a way to make sure the lesson sank in. If users are given security info and then have to prove what they learned, you’ll be able to see what worked in the session and what didn’t.
  • News alerts. This is a powerful way to prove a point. If you see a news story of a high-profile breach or security incident that was caused by something you covered, send it out to users with a reminder of why practicing what they learned in the session was so important.

Do you train users at your organization? If so, have you found any strategies that work well? Share your feedback in the comments section below.
