How One Small Business Launched Their First Security Training Program [Free Template!]
Updated: May 4, 2022
Small, growing tech businesses are often slow to launch formal security training. It's no surprise to us! We know from our close work with small businesses that they are experts in the art of balancing the costs and benefits of any new activity. That makes it hard to prioritize creating a brand new security training program for the whole company over building that feature their biggest client has been asking for.
Note: It's hard to prioritize security training, not impossible.
We would like to share the story of how one small business launched their very first formal security program with minimal cost and maximum benefit. What do we mean by that? The stats speak for themselves:
Time to design the program: 2 hours
Cost of materials: $0
Employee participation: 100%
Oh, did we mention the product development manager who spearheaded the project is Chris' daughter? ;)
Make sure to read all the way to the end, where you can download a free template of the materials used by this small business! We think you'll be able to make great use of this template at your own company.
Step 1: Getting leadership approval
Launching something completely new is always hard, especially when it's a security program for a tech company that has survived 11 years in business without one.
The first step in the process was getting buy-in from leadership. There were some indications that the leadership team would be interested in the idea but had simply never had time to implement it. For example: the CTO had added a ticket to the product backlog referencing a client that had asked about security training during its IT team's review of the contract.
So how was the conversation started?
The product development manager was looped into an email chain in which a member of the support team caught a potential phishing scam. In that situation, a scammer was impersonating one of the points of contact at a client organization in order to gain access to that client's account. The company's President publicly congratulated the support team member for not falling for the scam, then privately asked the product and technical teams what they could do to ensure luck wasn't their only defense the next time something like this happened.
At this point, it was clear that it was time to take general security awareness to the next level. Encountering a situation aimed at the company itself provided the push the team needed to consider a program.
But just needing a program wasn't the only lever in play — there was also the time it would take to implement the program to consider. A cost-conscious small business doesn't want to add overhead unless it is completely necessary.
The product development manager emphasized:
Using publicly available, free resources would significantly cut down on the time and money required to launch the program.
Completing the security training would take team members less than 30 minutes, keeping them away from their revenue-generating daily tasks for as little time as possible.
Requiring an assessment at the end of the training materials would give more weight to the program and make it more defensible in client contract reviews, third-party audits, and certification assessments.
This proposal got approval to move forward.
The company was already security-conscious, just not formally. The lack of a formal training program could be attributed to a small business mindset more than to a conviction that a security training program wasn't needed.
A situation that could have ended poorly served as the impetus the company needed to focus more on security. It got personal!
Incorporating the company's cost-saving mindset into the proposed program was a significant contributor to getting leadership buy-in.
Step 2: Creating the program
Once the product development manager got approval to design the new security training program, it was time to get to work.
The parameters were pretty simple:
Keep costs down.
Cover essential, relevant topics for the company's employees.
Include an assessment and store employee results.
She considered many different resources but eventually decided on the materials provided by the Federal Trade Commission specifically for protecting the cybersecurity of small businesses. These materials met the program requirements to a tee: straightforward and short with quizzes about each major topic area.
Then, to add an engaging touch to the materials, the product development manager added a theme! The different topic areas (e.g., phishing, physical security) were called "trails" and the employees were called "hikers." With a young group of employees, a fun theme humanized the process.
To make it easy for the team to complete the training, she put together a one-page Google Doc with the following sections:
Why security awareness training was important for the company
Step-by-step instructions for completing the program
Links to the materials employees would need to complete the program, including the reading materials on the FTC site and the shared drive to which they would upload their quiz results
Does that sound like it would be useful for your own security program? We've got a template based on that one-page instruction sheet for you here:
In total, preparation of the training materials took about 2 hours. Not bad!
Using free, publicly available materials from a government agency saved the company money and instilled confidence in the program.
Finding pre-designed quizzes that paired with the reading materials sped up the process of putting the program together.
Introducing a theme and a digital "certificate" helped make the program more interesting than a bland, hyper-formal program.
Keeping the instructions for the program to one shareable page supported the impression that the training would not be burdensome for team members.
Step 3: Launching the program
The program materials were now complete. Time to launch!
In preparation for the weekly All Hands meeting, the product development manager did the following:
Asked the President and CTO to complete the training program using only the sheet of instructions, and incorporated their minor feedback.
Added information about the security training program to the employee policies handbook and security policies documentation shared with clients.
Created a template for a "certificate" that could be sent to employees once they completed the program.
At the All Hands meeting, the product development manager introduced the program and spent about 2 minutes explaining why it was important. Then she pointed the team to the instruction sheet and shared the links to the materials. The deadline was announced in the meeting as well.
The first completed quiz results were in her inbox by the end of the day.
Asking the leadership team to complete the program using the materials that would be provided to the team, without additional guidance, was a useful 2-in-1 way to get feedback and get leadership buy-in for the program through firsthand experience.
Introducing the program and then referring the team to the materials reduced the amount of time the product development manager needed to spend speaking about it in the meeting.
Step 4: Reaping the benefits
So, how did it go?
The results speak for themselves:
93% of employees completed the program by the deadline, and the remaining 7% completed it when they returned from PTO the next week.
Employees reported that the training took them about 15-20 minutes to complete, and most were able to pass the quizzes on their first try.
The product development manager didn't have to ask any member of the team to redo the training for not following instructions.
But what do we think speaks more highly of the program than any of those statistics?
A few days after a member of the marketing team completed the training program, she screenshotted a suspicious email and forwarded it to the product development manager. She included a note:
Literally hours after earning my certificate, I received the below sketchy email! Good thing I knew what to do!
It doesn't get better than that.
The clear, short instructions made it possible for every employee of the company to complete the program without reaching out for help.
Employees identified the person that they could go to for security questions or pats on the back in the future.
Well, are you itching to launch a program like this at your own company? Download the guidelines template below.