Training your team on security awareness is an essential part of a successful security program. And, new employee onboarding is an optimal time to introduce your staff to your security best practices.

This is largely because new hires will not yet know your company’s protocols for handling sensitive information or how to navigate internal systems securely. They will therefore need guidance on the right approach to systems and processes. Here are some key ways to incorporate cybersecurity awareness training into your onboarding program.

What is Security Awareness Training?

The purpose of an effective employee onboarding program is to provide essential information and organizational socialization. During this time, organizations have an opportunity to go beyond meeting compliance regulations and helping employees to complete benefits enrollment paperwork.

The Society for Human Resource Management (SHRM) report “Onboarding New Employees: Maximizing Success” highlights research findings on the effectiveness of new employee onboarding practices. In the report, researchers found that formalized onboarding programs with a defined timeline and tasks are more effective than less structured (and no-structure) programs.

The report also found that onboarding content planned ahead of time and delivered at the right moment fared better than less structured teaching methods. Security awareness training benefits from a similar structure of regular lessons planned in advance. You can use the new employee adjustment period to build a team of security-aware employees while helping them become better acquainted with their new position.

Making the Security Team Part of Onboarding

New employee onboarding should include security awareness training relevant to access level, understanding and experience.

Training should also account for the different types of attacks that might target users with different access levels. Users with higher-level access may be targeted in different ways than users with limited systems access.

According to the 2020 Cost of a Data Breach Report, stolen or compromised login credentials were the costliest kind of data breach. In addition, the data breach lifecycle from sighting to containment averaged 280 days.

Therefore, the security of basic employee tools, such as logins, also must be on everyone’s minds. New employees are likely to have varied histories and knowledge of best practices. It’s important to design content that meets the needs of new hires at all levels.

Making security relevant for each employee helps them retain what they’ve learned. Consider making content that focuses on the security around common tasks that may be completed in the early days of employment. 

Enabling Employees to Report Problems Easily

Social engineering and phishing tactics tend to take advantage of employees’ lack of knowledge around how company processes and systems work.

Therefore, you should empower your employees to become active players in company security efforts. Wherever possible, remove barriers to reporting suspicious events. Employees should be able to easily report issues, such as suspicious emails.

Additionally, train new employees on helpdesk support processes so they know what to expect. This kind of training can help new team members recognize phishing or social engineering attacks that impersonate helpdesk staff or mimic helpdesk response tactics.

Train for More Than Email 

Phishing is no longer a problem found in email alone. Employee access and data could be targeted across devices and platforms. Consider additional phishing training exercises for new employees. The first lessons can cover general phishing attacks, as well as what attackers might be looking to gain from an employee. 

Be sure to plan for ongoing training exercises. A recent study found that cybersecurity awareness and phishing training results wear off after a few months. It’s important to run an ongoing training program, as the threat landscape continues to evolve year-round. 

Make Onboarding Steps Clear and Simple

Employers should avoid creating confusing and complicated rules and online best-practice guides. That doesn’t mean making training less rigorous. Instead, focus on teaching common tasks and systems, and include online best practices in the initial login or system setup.

Additionally, consider using a first-time user setup wizard or training module that walks users through the process and concisely explains what to expect when speaking with the company’s IT team and systems administrators.

Concise writing is also important at this stage. New hires may ignore highly technical or jargon-filled guides. So, clearly explain systems and provide full descriptions for acronyms used during the workday. 

Help Employees Help Each Other

Some formalized onboarding programs include mentorships. In this case, the company pairs a seasoned employee with a new hire to help them during the onboarding process. Onboarding mentors can help answer questions about common tasks, including requesting technical support, keeping data safe and getting systems access.

Also, consider launching a security ambassadors program. Ambassadors are employees who volunteer to champion security awareness within their respective departments. They provide timely updates to the group and are free to answer questions that may come up. Security champions also aim to advance cybersecurity awareness training objectives within their own departments. 

Consider a data-driven approach to improving your program and include a feedback loop in your new employee onboarding process. Review and update security training at regular intervals, and take input from new employees into account for future changes. Existing employees should also have a chance to provide feedback on the program. You’ll need input from both groups to get a clear picture of what works.

Long-Term Security Awareness Training 

Building a security-aware culture needs to be a long-term strategy and should extend to existing employees, too.

Ensure security training materials are relevant to all company employees’ roles and systems access. Focus on proactive lessons around common tasks that may be encountered early (password reset, system login and others).

Repeat training often to help all employees learn how to be risk-aware at all times and present varied and engaging lessons for better retention. This, along with a security ambassadors program and the other tactics discussed, will empower employees to keep an eye on problems before they arise and make the right choices together. 
