Remember "Do No Harm" with Security Awareness
Security awareness budgets are limited. It is tempting to focus activities based on data. With biased data, we may end up discriminating and poor...
What are the factors to consider when selecting the ideal security awareness training platform for your organization?
Discover the key factors to consider when selecting the ideal security awareness training platform for your organization.
When choosing a security awareness training platform, it is important to consider the skill levels of your employees.
Is there a wide gap where some employees have a high level of understanding of cybersecurity issues and others need help with the basics? Or do most employees have fairly advanced skills? How does the platform provide relevant content for the different skill levels in your organization?
Most security awareness platforms are designed to identify so-called "high risk" employees: employees who may be more susceptible to phishing and social engineering attacks. This is automated with algorithms and requires more or less invasive collection of personal data. Such an approach can make training feel like a punishment for those deemed in need of additional training. Ultimately, it can lead to discouraged and demotivated employees.
In our view, supported by scientific evidence, it is more effective to build your training program around identifying and rewarding employees who demonstrate skills. In CyberCoach, this means allowing each employee to choose whether they want to take a training or try to skip it by taking a skill test. We clarify that it's anonymous and psychologically safe. No one will know if you failed a skill test or if you earned your badge by taking the skill test or training.
Not all employees have the same security awareness training needs. Different roles within your organization may require different levels of training or specific topics that apply to their day-to-day work. It is critical to identify these training needs and ensure that the chosen security awareness platform can accommodate them.
For example, employees in IT roles may need more advanced training on topics such as secure development and configuration management, while employees in HR roles may need training on how to handle employees' sensitive personal information. By identifying the specific training needs of different roles, you can choose a platform that provides targeted content for each group of employees.
With CyberCoach, you can create an unlimited number of role-based learning paths for your organization. You can choose content from our training modules (there is new content every month!) or even add your own.
When choosing a security awareness training platform, it is essential to consider how the platform handles employee personal information and protects their privacy. This starts with considering the minimum amount of personal data needed to run an effective training program:
Do we really need to monitor individual employees on the training platform? Do we need to record an individual employee's mistakes? Or would it actually be more useful to understand trends and issues on a group level?
The less data you collect, the less risk there is. With a typical human risk management platform, you may store not only a list of identified "top clickers" or "high risk employees", but also detailed information about what kinds of attacks an individual may fall for. This can put them at considerable risk if their information leaks.
Every additional third party adds to the risk and the total amount of personal data collected. Not all training data that your organization needs should be shared outside your organization. Carefully consider whether additional integrations and third-party apps actually lead to better learning outcomes, and whether you can lower the privacy risk for your employees by limiting data sharing with third parties.
Consider reviewing the platform's privacy policy and terms of service to understand how they handle employee data and whether they share it with any third parties.
Ensuring that your platform allows you to comply with relevant privacy regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), is a minimum requirement. Keep in mind that a platform alone cannot be "compliant" with any regulation. You must ensure that the way your organization uses it is compliant. Too often, companies fail to provide employees with transparent information about data collection and their privacy rights.
Many security awareness platforms today use AI algorithms to, for example, individualize content or target specific employees. Using AI to process employees' personal data requires even more assessment and documentation from an organization. At minimum, the use of AI algorithms needs to be transparent to employees. It may also be subject to additional regulations, such as the AI Act in the EU.
Look for platforms that allow employees to control their personal information and provide opt-out options. CyberCoach is designed to provide the most comprehensive learning platform with minimal employee data collection. Employees can ask questions and learn completely anonymously, and share their training completion only after they have successfully completed their training. Organization administrators can see who has completed mandatory training and who has not. All other learning analytics are at the group or role level. No identifiable personal information needs to be shared outside the organization.
An effective security awareness training platform should fit seamlessly into employees' daily routines. Look for features such as short training sessions that can be completed during breaks or downtime. This allows employees to learn at their own pace without disrupting their work productivity.
Consider whether the platform offers mobile compatibility, as many employees use their mobile devices for work-related tasks. A mobile-friendly platform allows employees to access training materials on the go, making it convenient and accessible. In addition to providing a seamless mobile user experience, CyberCoach offers the ability to switch devices even during a training session. Sometimes it is not possible to complete a training session in one sitting, even if it only takes a few minutes. An employee can return to a CyberCoach training later on the same device or, for example, start a training on their laptop and finish it on their mobile device on the way home.
Considering Current Tools and Devices
When choosing a security awareness training platform, it's important to look for one that can integrate with the tools you already use to streamline the training process and make training easily available. CyberCoach is available directly through Teams or Slack chat, or through any browser. This integrates learning into the platforms employees are already spending time on, bringing it a simple click away.
Ready to put your employees first and try modern role-based learning?