In the past, security awareness training for user education—i.e. empowering users to make more savvy IT decisions in their daily routines—was considered a “nice to have,” not a necessity. The decision to adopt user education was typically passed over because of budget, lack of in-house expertise, and the general lack of availability of high-quality, low-cost, computer-based training. In particular, small- to medium-sized businesses (SMBs) have suffered from these types of constraints, compared to larger, more resource rich organizations.
Today, it’s clear that end user education isn’t just “nice to have,” and SMBs know it. As recently as August of 2017, a Better Business Bureau study on the State of Cybersecurity revealed that almost half of SMBs with 50 employees and under regard security awareness training among their top 3 security expenditures, alongside firewalls and endpoint protection.
The increase in interest and budget allocation for end user education is understandable. On average, SMBs face $80,000 in annual losses following a ransomware or data loss breach. Users are on the front lines of your business, and even the most advanced security can’t stop them from willingly, if unwittingly, handing over sensitive access credentials. If you’re not educating your users, then you are putting your organization at an unnecessary and costly risk.
Here are a few tips for managed service providers (MSPs) and SMBs on getting started with end user education:
Introduce to Stakeholders
Like any new program, building a foundation for success begins when you engage your stakeholders and management teams. Send an email explaining the value of security awareness to management, share details and reports around your first phishing and training campaigns, and loop in IT. Not sure how to craft that first email? Check out
Start out with a Phishing Campaign
Consider starting your security awareness program with a simulated phishing campaign. The results of the simulation can also be used to demonstrate value to any more skeptical or reluctant IT decision-makers. Use the first phishing campaign as your baseline to gauge the level of awareness your end users already have. Webroot Security Awareness Training comes with a variety of template options to help you get started. We recommend using a template that mimics an internal communication from HR or the IT department to get the most eyes on the email. For early campaigns, it’s also a good idea to use Webroot’s “404 Page Note Found” template so users who fall for the phishing lure are unaware. This will help keep water cooler talk at a minimum, giving you a more accurate baseline. After that, be sure to link your phishing campaigns to training pages and courses to maximize the training opportunity.
Share results with End Users
Use feedback to inspire smarter habits. A key objective for security awareness training is to engage end users and raise the level of cyber awareness throughout the organization. For instance, sharing results of a simulated phishing campaign can help employees understand the impact of poor online habits and motivate them to practice better behaviors.
Webroot Security Awareness Training lets admins see who clicked what in a phishing simulation. Bear in mind: the point of sharing results is not to shame the unwitting marks who fell for the scam. Instead, try capitalizing on everyone’s engagement by sharing an overall statistical report, so users can recognize whether they clicked or avoided the phishing lure, without fear of embarrassment. More importantly, such a report would show the statistics around the organization as a whole, opening the door for further training programs to fill security gaps and provide a continuous learning experience.
Continuous Training: Set up your phishing and training program
Once end users are engaged and understand the value, the next step is setting up a training program. There is no one-size-fits-all program, but we recommend running at least one to two phishing campaigns per month and a minimum of one to two training courses per quarter. Depending on the needs of each organization, you may want to increase the frequency and adjust intervals throughout the year. Webroot Security Awareness Training includes numerous pre-built phishing templates you can use, including real-world phishing scenarios (defanged from the wild.) It also offers professionally developed and engaging topical training courses, which you can be proud to share with your company. Courses range from cybersecurity best practices and 5-minute micro-learning courses to in-depth compliance courses on PCI, HIPAA, GDPR, SEC/FINRA, and more.
When you start seeing the significant impact that relevant, high-quality, and proven security awareness education has on your employees, you’ll wonder how your business ever managed without it.