I got into security awareness over 15 years ago. Back then, cybersecurity training consisted of a lunch and learn with a PowerPoint presentation, and perhaps some donuts to entice people. You may also have had computer-based training where you go through and click ‘next’ repeatedly until you reach a 5-question multiple-choice quiz. That was it. You might remember the information, you might not. Most of the time, if you weren’t interested, you wouldn’t.

The new school approach to security education is based on totally different concepts and includes a variety of different factors. It is not just computer-based training once a year. At its core, the new school version must be engaging and interesting, and needs to appeal to the end-user…especially now that employees are being onboarding and working remotely. 

Onboarding new users remotely vs. in a physical office 

Between the COVID-19 pandemic and the Great Resignation, the world has more people working from home (WFH) than ever before. In fact, according to the Wall Street Journal, only 33% of people have returned to the office since the vaccine rollout. And as more and more people are WFH, organizations face new challenges around onboarding new employees.

There’s also the issue of people leaving. Research shows 55% of employees are considering leaving their current employer this year and two in five (39%) are currently working their notice or actively looking for a new job in the next six months. This churn has the most significant impact on the Information Technology (IT) and Human Resources (HR) departments.

So, what are the unwritten rules of onboarding employees securely? It starts with HR. 

And let’s be honest. Coordinating new resources like laptops, phones, security tokens, ID badges, a desk to work, enrollment into the computer-based training, and possibly On-The-Job Training was hard enough in a physical office. But now? With remote and hybrid set-ups? It’s more complex. 

Not only do HR & IT departments have to engage the employees, but they have to provide them with their equipment on time, ready to go on Day 1, to prevent them from using their personal computer to log into the organization’s resources. 

That’s why, starting in March 2020, HR and IT departments have had to rewrite policies to address the WFH environments. Instead of getting them set-up at a physical desk, onboarding teams have to arrange for the delivery of new employees’ work machines and all accessories like monitors, mice, and other hardware. And that’s just to get them online. 

In-person inductions have been replaced with online training, which means it’s essential that training presentations (whether related to data privacy or company policies) are interactive. HR and onboarding processes must be engaging, tailored, and make new starters feel welcome. 

But, it’s not just the first week or two that’s important. Employees need ongoing training to help them stay connected and safe.  

The importance of security awareness training (SAT)

As employees ramp and take on more responsibility , security awareness and training along with an understanding of their organization’s security culture becomes critical. The end-user should feel a connection to it so that they are compelled to take an interest in security, to make them think twice about clicking a phishing link, or reusing a password. So, helping employees connect with security will drive an overall security culture change. If users don’t relate to it, they’re not going to care. 

New users should receive their first phishing assessment and check their social engineering knowledge within a few weeks of starting. That’s because anyone with an email address for the organization holds a proverbial key to the electronic front door for cybercriminals to access the user’s system, and the organization’s data and networks. Plus, new starters are prime targets for bad actors. 

But it’s essential to communicate these things without invoking fear. 

Phishing assessments shouldn’t be about “catching” people. Humans don’t like to get caught. That can breed anger and frustration. It has to be a learning moment, not a “gotcha!” moment. You have to give people a chance to get better. 

That’s because humans can (actually) be cybersecurity’s strongest asset.

While – yes – well over 50% of data breaches are the result of some kind of human interaction – whether someone misconfigured a firewall or a user clicked on a phishing email… that doesn’t mean that humans are the weakest link when it comes to cybersecurity. It’s not that simple.

A recent report from an identity resource group analyzed a variety of different organizations and their budgets. The report revealed that about 3% of the average organization’s cybersecurity budget goes towards training – towards the human aspect. That’s just 3% on training your developers, training your security team, and security awareness training for employees. 

So only $30k of a 1 million dollar budget would go towards training, and when you’ve got so many data breaches being because of human action, that’s not a lot of money. People love to say that humans are the weakest link, but I think that humans can be the strongest link, and companies just aren’t training them. And it all starts with onboarding. 

How do you keep new employees engaged? 

1. Regular check-ins: Have a daily morning check-in with groups of new hires, whether it’s a five-minute or fifteen-minute call. It’s an excellent opportunity to remind them of everyday events, meetings, and other important information they’ll need to settle in and ramp up. 
2. Keep things interesting: Consider some of the training sessions you must do – accounting, finance, or expenses. It is very difficult to learn if you are only doing it because your boss told you to, and you don’t really care about the subject. One of the best ways to keep new employees engaged is to have separate, “special events” as a part of the onboarding process every day. It could be having virtual trivia based on GDPR requirements, or having the Chief Information Security Officer (CISO) dial-in to do an open Q&A with the new employees. You get the idea.
3. Give away freebies. People like free stuff, and offering up lunch, coffee, or organizing a virtual happy hour (whatever is most aligned with your company culture) is a great way to reward people for their involvement in SAT. For example, a friend of mine is a CISO at a law firm and he runs a monthly contest. Whoever spots the most phishing emails gets their name on the notice board and a $25 gift card for coffee. What has become clear is that the employees could not care less about the gift card! They want to see their name on that list – and they want to see it at the top – it’s a competition for them.