Training your team on security awareness is an essential part of a successful security program, and new employee onboarding is an optimal time to introduce staff to your security best practices.

New hires are unlikely to know your company's protocols for handling sensitive information or how to navigate internal systems securely, so they need guidance on the right approach to systems and processes from the start. Here are some key ways to incorporate cybersecurity awareness training into your onboarding program.

What is Security Awareness Training?

The purpose of an effective employee onboarding program is to provide essential information and organizational socialization. During this time, organizations have an opportunity to go beyond meeting compliance regulations and helping employees to complete benefits enrollment paperwork.

The Society for Human Resource Management (SHRM) report “Onboarding New Employees: Maximizing Success” highlights research findings on the effectiveness of new employee onboarding practices. In the report, researchers found that formalized onboarding programs with a defined timeline and tasks are more effective than less structured (and no-structure) programs.

The report also found that onboarding content planned ahead of time and delivered at the right moment fared better than less structured teaching methods. Security awareness training benefits from a similar structure: regular lessons planned in advance. You can use the new employee adjustment period to build a team of security-aware employees while helping them become better acquainted with their new position.

Making the Security Team Part of Onboarding

New employee onboarding should include security awareness training relevant to access level, understanding and experience.

Training should also account for the different types of attacks that target users with different access levels. Users with higher-level access may be targeted in different ways than users with limited systems access.

According to the 2020 Cost of a Data Breach Report, stolen or compromised login credentials were the costliest cause of data breaches. In addition, the data breach lifecycle from first detection to containment averaged 280 days.

Therefore, the security of basic employee tools, such as logins, also must be on everyone’s minds. New employees are likely to have varied histories and knowledge of best practices. It’s important to design content that meets the needs of new hires at all levels.

Making security relevant for each employee helps them retain what they’ve learned. Consider making content that focuses on the security around common tasks that may be completed in the early days of employment. 

Enabling Employees to Report Problems Easily

Social engineering and phishing tactics tend to take advantage of employees’ lack of knowledge around how company processes and systems work.

Therefore, you should empower your employees to become active players in company security efforts. Wherever possible, remove barriers to reporting suspicious events. Employees should be able to easily report issues, such as suspicious emails.

Additionally, train new employees on helpdesk support processes so they know what legitimate contact looks like. This kind of training can help new team members recognize phishing or social engineering attacks that impersonate helpdesk responses.

Train for More Than Email 

Phishing is no longer a problem found in email alone. Employee access and data could be targeted across devices and platforms. Consider additional phishing training exercises for new employees. The first lessons can cover general phishing attacks, as well as what attackers might be looking to gain from an employee. 

Be sure to plan for ongoing training exercises. A recent study found that cybersecurity awareness and phishing training results wear off after a few months. It’s important to run an ongoing training program, as the threat landscape continues to evolve year-round. 

Make Onboarding Steps Clear and Simple

Employers should avoid creating confusing and complicated rules and online best practices. That doesn't mean making training less rigorous. Instead, focus on teaching common tasks and systems, and include online best practices in the initial login or system setup.

Additionally, consider using a first-time user setup wizard or training module that walks users through the process and concisely explains what to expect when speaking with the company's IT team and systems administrators.

Concise writing is also important at this stage. New hires may ignore highly technical or jargon-filled guides. So, clearly explain systems and provide full descriptions for acronyms used during the workday. 

Help Employees Help Each Other

Some formalized onboarding programs include mentorships. In this case, the company pairs a seasoned employee with a new hire to help them during the onboarding process. Onboarding mentors can help answer questions about common tasks, including requesting technical support, keeping data safe and getting systems access.

Also, consider launching a security ambassadors program. Ambassadors are employees who volunteer to champion security awareness within their respective departments. They provide timely updates to their group and are available to answer questions that come up. Security champions also help advance cybersecurity awareness training objectives within their own departments.

Consider a data-driven approach to improving your program, and build a feedback loop into your new employee onboarding process. Review and update security training at regular intervals. Consider input from new employees for future changes, and give existing employees a chance to provide feedback on the program as well. You'll need input from both groups to get a clear picture of what works.

Long-Term Security Awareness Training 

Building a security-aware culture needs to be a long-term strategy and should extend to existing employees, too.

Ensure security training materials are relevant to all company employees’ roles and systems access. Focus on proactive lessons around common tasks that may be encountered early (password reset, system login and others).

Repeat training often to help all employees stay risk-aware at all times, and present varied and engaging lessons for better retention. This, along with a security ambassadors program and the other tactics discussed, will empower employees to spot problems before they escalate and make the right choices together.
