Training your team on security awareness is an essential part of a successful security program. And, new employee onboarding is an optimal time to introduce your staff to your security best practices.

This is in large part because new hires likely won’t know your company’s protocols for handling sensitive information or how to securely navigate internal systems. Therefore, new employees will need guidance on the right approach to systems and processes. Here are some key ways to incorporate cybersecurity awareness training into your program.

What is Security Awareness Training?

The purpose of an effective employee onboarding program is to provide essential information and organizational socialization. During this time, organizations have an opportunity to go beyond meeting compliance regulations and helping employees to complete benefits enrollment paperwork.

The Society for Human Resource Management (SHRM) report “Onboarding New Employees: Maximizing Success” highlights research findings on the effectiveness of new employee onboarding practices. In the report, researchers found that formalized onboarding programs with a defined timeline and tasks are more effective than less structured (and no-structure) programs.

The report also found that onboarding content planned ahead of time and delivered at the right moment fared better than other, less structured teaching methods. Security awareness training benefits from a similar structure of regular lessons planned in advance. You can use the new employee adjustment period to build a team of security-aware employees while helping them become better acquainted with their new position.

Making the Security Team Part of Onboarding

New employee onboarding should include security awareness training relevant to access level, understanding and experience.

Training should also account for the different types of attacks that might target users with different access levels. Users with higher-level access may be targeted in different ways than users with limited systems access.

According to the 2020 Cost of a Data Breach Report, stolen or compromised login credentials were the costliest kind of data breach. In addition, the data breach lifecycle from sighting to containment averaged 280 days.

Therefore, the security of basic employee tools, such as logins, also must be on everyone’s minds. New employees are likely to have varied histories and knowledge of best practices. It’s important to design content that meets the needs of new hires at all levels.

Making security relevant for each employee helps them retain what they’ve learned. Consider making content that focuses on the security around common tasks that may be completed in the early days of employment. 

Enabling Employees to Report Problems Easily

Social engineering and phishing tactics tend to take advantage of employees’ lack of knowledge around how company processes and systems work.

Therefore, you should empower your employees to become active players in company security efforts. Wherever possible, remove barriers to reporting suspicious events. Employees should be able to easily report issues, such as suspicious emails.

Additionally, train new employees on helpdesk support processes so they know what to expect. This kind of training can help new team members avoid phishing or social exploit attacks that use helpdesk response tactics. 

Train for More Than Email 

Phishing is no longer a problem found in email alone. Employee access and data could be targeted across devices and platforms. Consider additional phishing training exercises for new employees. The first lessons can cover general phishing attacks, as well as what attackers might be looking to gain from an employee. 

Be sure to plan for ongoing training exercises. A recent study found that cybersecurity awareness and phishing training results wear off after a few months. It’s important to run an ongoing training program, as the threat landscape continues to evolve year-round. 

Make Onboarding Steps Clear and Simple

Employers should avoid creating confusing and complicated rules and online best practices. That doesn’t mean make training less rigorous. Instead, focus on teaching common tasks and systems. Include online best practices in the initial login or system setup.

Additionally, consider using a first-time user setup wizard or training module that walks users through the process and concisely explains what to expect when speaking with the company’s IT team and systems administrators.

Concise writing is also important at this stage. New hires may ignore highly technical or jargon-filled guides. So, clearly explain systems and provide full descriptions for acronyms used during the workday. 

Help Employees Help Each Other

Some formalized onboarding programs include mentorships. In this case, the company pairs a seasoned employee with a new hire to help them during the onboarding process. Onboarding mentors can help answer questions about common tasks, including requesting technical support, keeping data safe and getting systems access.

Also, consider launching a security ambassadors program. Ambassadors are employees who volunteer to champion security awareness within their respective departments. They provide timely updates to the group and are free to answer questions that may come up. Security champions also aim to advance cybersecurity awareness training objectives within their own departments. 

Consider a data-driven approach to improving your program and include a feedback loop for your new employee onboarding process. Review and update security training at regular intervals. Consider input from new employees for future changes. Existing employees should also have a chance to provide feedback on the program. You’ll need input from both groups to get a good picture of what works.

Long-Term Security Awareness Training 

Building a security-aware culture needs to be a long-term strategy and should extend to existing employees, too.

Ensure security training materials are relevant to all company employees’ roles and systems access. Focus on proactive lessons around common tasks that may be encountered early (password reset, system login and others).

Repeat training often to help all employees learn how to be risk-aware at all times and present varied and engaging lessons for better retention. This, along with a security ambassadors program and the other tactics discussed, will empower employees to keep an eye on problems before they arise and make the right choices together. 
