Integrating Security Awareness Training Into Employee Onboarding

October 1, 2020
| |
4 min read

Training your team on security awareness is an essential part of a successful security program. And, new employee onboarding is an optimal time to introduce your staff to your security best practices.

This is in large part due to the fact that they likely won’t know your company’s protocols for secure information nor how to securely navigate internal systems. Therefore, new employees will need guidance through the best approach to systems and processes. Here are some keys ways to incorporate cybersecurity awareness training into your program. 

What is Security Awareness Training?

The purpose of an effective employee onboarding program is to provide essential information and organizational socialization. During this time, organizations have an opportunity to go beyond meeting compliance regulations and helping employees to complete benefits enrollment paperwork.

The Society for Human Resource Management (SHRM) report “Onboarding New Employees: Maximizing Success” highlights research findings on the effectiveness of new employee onboarding practices. In the report, researchers found that formalized onboarding programs with a defined timeline and tasks are more effective than less structured (and no-structure) programs.

The report also found onboarding content planned ahead of time and delivered at the right time, fared better than other, less structured, teaching methods. Security awareness training benefits from a similar structure of regular lessons planned in advance. You can use the new employee adjustment period to build a team of security-aware employees while helping them become better acquainted with their new position. 

Making the Security Team Part of Onboarding

New employee onboarding should include security awareness training relevant to access level, understanding and experience.

Training also should account for the different types of attacks that might target users with different access levels. Higher-level access could be targeted in different ways than users with limited systems access.

According to the 2020 Cost of a Data Breach Report, stolen or compromised login credentials were the costliest kind of data breach. In addition, the data breach lifecycle from sighting to containment averaged 280 days.

Therefore, the security of basic employee tools, such as logins, also must be on everyone’s minds. New employees are likely to have varied histories and knowledge of best practices. It’s important to design content that meets the needs of new hires at all levels.

Making security relevant for each employee helps them retain what they’ve learned. Consider making content that focuses on the security around common tasks that may be completed in the early days of employment. 

Enabling Employees to Report Problems Easily

Social engineering and phishing tactics tend to take advantage of employees’ lack of knowledge around how company processes and systems work.

Therefore, you should empower your employees to become active players in company security efforts. Wherever possible, remove barriers to reporting suspicious events. Employees should be able to easily report issues, such as suspicious emails.

Additionally, train new employees on helpdesk support processes so they know what to expect. This kind of training can help new team members avoid phishing or social exploit attacks that use helpdesk response tactics. 

Train for More Than Email 

Phishing is no longer a problem found in email alone. Employee access and data could be targeted across devices and platforms. Consider additional phishing training exercises for new employees. The first lessons can cover general phishing attacks, as well as what attackers might be looking to gain from an employee. 

Be sure to plan for ongoing training exercises. A recent study found that cybersecurity awareness and phishing training results wear off after a few months. It’s important to run an ongoing training program, as the threat landscape continues to evolve year-round. 

Make Onboarding Steps Clear and Simple

Employers should avoid creating confusing and complicated rules and online best practices. That doesn’t mean make training less rigorous. Instead, focus on teaching common tasks and systems. Include online best practices in the initial login or system setup.

Additionally, consider using a first-time user set up wizard or training module that walks users through the process and concisely explains what to expect when speaking with the company’s IT team and systems administrators.

Concise writing is also important at this stage. New hires may ignore highly technical or jargon-filled guides. So, clearly explain systems and provide full descriptions for acronyms used during the workday. 

Help Employees Help Each Other

Some formalized onboarding programs include mentorships. In this case, the company pairs a seasoned employee with a new hire to help them during the onboarding process. Onboarding mentors can help answer questions about common tasks, including requesting technical support, keeping data safe and getting systems access.

Also, consider launching a security ambassadors program. Ambassadors are employees who volunteer to champion security awareness within their respective departments. They provide timely updates to the group and are free to answer questions that may come up. Security champions also aim to advance cybersecurity awareness training objectives within their own departments. 

Consider a data-based approach to improving your program and include a feedback loop for your new employee onboarding process. Update and review security training at regular intervals. Consider input from new employees for future changes. Existing employees should also have a chance to provide feedback on the program. You’ll need input from both groups to get a good look at what works. 

Long-Term Security Awareness Training 

Building a security-aware culture needs to be a long-term strategy and should extend to existing employees, too.

Ensure security training materials are relevant to all company employees’ roles and systems access. Focus on proactive lessons around common tasks that may be encountered early (password reset, system login and others).

Repeat training often to help all employees learn how to be risk-aware at all times and present varied and engaging lessons for better retention. This, along with a security ambassadors program and the other tactics discussed, will empower employees to keep an eye on problems before they arise and make the right choices together. 

Michelle Greenlee
Freelance Technology Writer

Michelle is a freelance technology writer. She has created technical content for a range of brands and publications, including Business Insider, DICE, GE Dig...
read more