If there’s one universal constant that we can all rely on, it’s human error. To err is human. Unless you’re not human at all, every single person on the planet has made a mistake and that’s nothing to be ashamed of because hey, it happens. We can forgive dropping desserts you’ve spent all morning making or accidentally cutting that guy off on your way to work.
But what does human error look like in the workplace? It’s essentially someone doing something they shouldn’t have, unknowingly. That can include clicking on a malicious link, downloading malware, or forwarding on sensitive data to a threat actor disguised as a colleague.
Yet for something as innocuous as an “oopsie” mistake, actions like these can have a big impact. IBM’s X-Force Threat Intelligence Index 2022 found that phishing remained the most common initial access vector, responsible for 41% of the incidents IBM remediated in 2021, up from 33% the year before. IBM’s earlier Cyber Security Intelligence Index went further still, identifying human error as a contributing factor in over 95% of the incidents it investigated.
So, how do you combat honest mistakes? The answer is security awareness training.
Security awareness training (SAT) is a form of cybersecurity training that educates users about potential cyberthreats they may encounter while working, and teaches them how to achieve best practices and stay secure.
However, like every other sector in cybersecurity, the SAT market is oversaturated. Wherever you look, it feels like there are hundreds of vendors offering the same thing. In that case, how are you supposed to choose? Well, while there may seemingly be too many to choose from, no two vendors are the same, and not every vendor out there is going to have the right solution for your business.
For more on SAT and how it works, check out our other article on SAT here:
Why Is Security Awareness Training So Important For Businesses?
With that in mind, there are a few questions you need to ask yourself, your team, your users, and the vendor’s sales team you’re interacting with, that can help you be sure you’re choosing the right solution.
Let’s dive in.
How Is The Training Delivered?
This question is perhaps the most critical one you can ask when you’re window shopping for a new SAT solution. While there are plenty of vendors in the market, how the training is actually structured and delivered is where they begin to differentiate.
Modern SAT programs usually blend interactive videos, presentations, and quizzes that both educate and test your users. Some more traditional providers focus less on interactivity and quizzes and more on lecture-style content. Most people retain more when they learn by doing (kinaesthetic learning), so having users interact with the training rather than passively watch it helps the material stick. Working through quizzes and scenarios also trains users to think critically and independently, a vital skill when a real phishing email lands in their inbox and it is down to them to decide whether it is legitimate.
How the actual bulk of training is delivered can differ as well; some vendors will offer training in short, repetitive bursts that make it easier for users to take in and make it more memorable, while others offer day-long training events quarterly or annually. Generally, short bursts are preferred. Education in this format is referred to as “microlearning”, which helps users retain information through bite-sized, repetitive training.
How Frequently Is The Product Updated?
Wherever cybersecurity advances, we can assure you that attackers are not far behind. Threat actors are constantly finding new ways to manipulate users into falling for phishing scams and writing more convincing lures to get users to click through to malicious websites. New techniques and lures emerge daily, presenting new challenges for users, admins, and security teams alike.
Basically, threat actors are advancing all the time. Your SAT should be doing that as well.
For your users to stay a step ahead of the curve, they need to continue with up-to-date training. It’s important to ask vendors how frequently, if at all, their SAT platform gets updated with new content covering new and developing topics. Look for vendors that add new content regularly (and check whether that new content is included in your existing licence or billed as an add-on), and avoid vendors that don’t.
How Frequently Do Users Need To Go Through Training?
Admins need to ask both themselves and the vendor how frequently users will realistically need to go through the training and what the company can support. Training should not be so frequent that it pulls users away from their work and hurts productivity, yet it needs to be regular enough that the content stays relevant and your users retain the information.
Asking the vendors’ sales teams about how frequently training modules can be deployed, whether it’s customizable, and what they would personally recommend for that platform is a great way to find out how frequently–or infrequently–your users need to go through security awareness training.
How Can You Demonstrate Users Are Improving?
Visibility is important. It’s no good to just have your employees complete their training and any subsequent phishing simulations and not find out how they got on, if they passed, or what they struggled with. Particularly good SAT solutions will offer in-depth insight into each and every user’s progress along the training, detailing exactly which modules an individual has completed, what they’re still working on, and what they need help on if they’ve failed sections of the training. In-depth reporting and analytics should also be part of the phishing simulation tool, showing admins exactly who has successfully completed the simulation and who failed it–and how admins can support those who have failed with further training.
How Complicated Is It To Set Up?
It can be incredibly frustrating to get excited and go ahead with a product, then realize how much time, effort, and resources the platform is going to need just to get up and running. The strongest SAT programs are easy to install and run, and phishing simulations should be deployed automatically after training is complete. Asking the sales team how complicated the platform is to set up and run is really important.
It’s also worth finding out whether the vendor has a strong support team. Check reviews of vendors to see how difficult it was for others to set up the program and how they found the support that was offered to them, or whether any support was offered at all.
How Fun Is It?
While cybersecurity may be a serious issue, that doesn’t mean your users can’t have fun while learning about it. Let’s face it, your users don’t really want to have to sit through reams of information about cybersecurity. But when the topic can be so cut and dry, how do you make it fun?
The answer is gamification. Gamification is the idea of applying game-like elements (e.g., quizzes, point scoring, rules, and activities) to other things, in this instance security awareness training, to make it more palatable and engaging. Gamification can take multiple forms within an SAT program, such as fun and colorful animated videos, quizzes, games, and competitive elements.
The gamification of SAT platforms is becoming more and more popular, as it makes the training more digestible for learners, meaning they’re more likely to actually engage with the program and remember the content. Gamification also aids in developing users’ problem-solving skills–an important trait to have when they’re left to their own devices and have to make a call on a potential phishing email themselves.
Look for some tell-tale signs that the SAT vendor you’re looking at may offer something a bit different. Signs of gamification include highly stylized animated training videos, gaming aspects, and interactive aspects in the training program.
Does It Include Phishing Simulations?
Phishing simulations are essentially fake phishing emails that are sent out after SAT is completed. They aid employees in their education in the fight against cyberthreats by reinforcing some of the training they received during their security awareness training.
The idea of sending out phishing simulations to your users is to keep them alert to danger and to monitor the impact the training has had on each user and user group, so that you can assign further training where needed.
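The two passages above (per-user reporting and using simulation results to target further training) both come down to the same calculation: turning a vendor’s raw simulation export into click rates, report rates, and a list of users who need remediation. The following is an added example, not code from the original article or from any SAT vendor. It parses a constructed results export (the column names and outcome values are assumptions; real vendor exports differ) and computes the metrics an admin would want to see on a dashboard. Note that it tracks the report rate alongside the click rate: a platform that only shows who clicked misses the users who did the right thing and reported the email.

```python
"""Phishing-simulation results -> per-campaign, per-department and per-user metrics."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export (not real vendor data). One row per recipient per campaign.
# outcome values are assumed: ignored, reported, clicked, credentials (clicked and
# submitted a form on the landing page).
RESULTS_CSV = """campaign,date,user,department,outcome
Q1-invoice,2023-01-12,alice,finance,clicked
Q1-invoice,2023-01-12,bob,finance,credentials
Q1-invoice,2023-01-12,carol,warehouse,ignored
Q1-invoice,2023-01-12,dave,warehouse,clicked
Q1-invoice,2023-01-12,erin,comms,reported
Q2-password,2023-04-18,alice,finance,reported
Q2-password,2023-04-18,bob,finance,clicked
Q2-password,2023-04-18,carol,warehouse,reported
Q2-password,2023-04-18,dave,warehouse,clicked
Q2-password,2023-04-18,erin,comms,ignored
Q3-delivery,2023-07-20,alice,finance,reported
Q3-delivery,2023-07-20,bob,finance,clicked
Q3-delivery,2023-07-20,carol,warehouse,ignored
Q3-delivery,2023-07-20,dave,warehouse,reported
Q3-delivery,2023-07-20,erin,comms,reported
"""

# Any interaction with the lure counts as a failure; submitting credentials is worse,
# but for rate calculations both are "fell for it".
FAIL_OUTCOMES = {"clicked", "credentials"}


@dataclass(frozen=True)
class Row:
    campaign: str
    date: str
    user: str
    department: str
    outcome: str


def parse_results(text):
    """Parse the simple CSV export into Row objects (no quoting needed for this format)."""
    lines = [line for line in text.strip().splitlines() if line.strip()]
    header = lines[0].split(",")
    return [Row(**dict(zip(header, line.split(",")))) for line in lines[1:]]


def rate(rows, predicate):
    """Fraction of rows matching predicate, rounded to two decimals."""
    return round(sum(1 for r in rows if predicate(r)) / len(rows), 2) if rows else 0.0


def campaigns_in_order(rows):
    """Campaign names sorted by their earliest send date (ISO dates sort as strings)."""
    first_seen = {}
    for r in rows:
        first_seen[r.campaign] = min(first_seen.get(r.campaign, r.date), r.date)
    return sorted(first_seen, key=first_seen.get)


def campaign_metrics(rows):
    """Click rate and report rate per campaign, chronologically, to show the trend."""
    by_campaign = defaultdict(list)
    for r in rows:
        by_campaign[r.campaign].append(r)
    return [
        {
            "campaign": name,
            "click_rate": rate(by_campaign[name], lambda r: r.outcome in FAIL_OUTCOMES),
            "report_rate": rate(by_campaign[name], lambda r: r.outcome == "reported"),
        }
        for name in campaigns_in_order(rows)
    ]


def department_click_rates(rows):
    """Overall click rate per department, to spot groups that need role-specific content."""
    by_dept = defaultdict(list)
    for r in rows:
        by_dept[r.department].append(r)
    return {d: rate(drows, lambda r: r.outcome in FAIL_OUTCOMES) for d, drows in by_dept.items()}


def users_needing_remediation(rows, last_n=2, min_failures=2):
    """Users who failed at least min_failures of the last_n campaigns: assign extra training."""
    recent = set(campaigns_in_order(rows)[-last_n:])
    failures = defaultdict(int)
    for r in rows:
        if r.campaign in recent and r.outcome in FAIL_OUTCOMES:
            failures[r.user] += 1
    return sorted(u for u, n in failures.items() if n >= min_failures)


if __name__ == "__main__":
    rows = parse_results(RESULTS_CSV)
    for m in campaign_metrics(rows):
        print(f"{m['campaign']:<14} click {m['click_rate']:.2f}  report {m['report_rate']:.2f}")
    print("by department:", department_click_rates(rows))
    print("needs remediation:", users_needing_remediation(rows))
```

On the constructed data the click rate falls from 60% to 20% across three campaigns while the report rate rises from 20% to 60%, which is the pattern you want a vendor dashboard to make visible. Only one user fails both of the last two campaigns, so that is where targeted follow-up training goes rather than re-running the whole course for everyone.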
Some SAT vendors offer phishing simulation as part of the package–however, some don’t. Before finalizing a purchase, make sure that phishing simulations are included, if that’s something that your organization would like to implement. And if you just want to implement training without simulations, make sure you aren’t going to be paying extra for a feature that you won’t use.
For more on phishing simulations and how they actually work, check out our blog below:
How Do Phishing Simulations Work And How Can They Help Your Organization?
Does The SAT Solution Automate Phishing Simulations?
If you do want to carry out phishing simulations, asking this one is important. After going to the hassle of installing and deploying a SAT program, it can be a hindrance for already overstretched admins to then have to continually deploy and manage a phishing simulation program on top of that. In addition to having a phishing simulation tool included as part of your SAT platform, it’s good to ask, and look out for, solutions that have a “set it and forget it” function for phishing simulations. Good SAT solutions that incorporate phishing simulations will allow the simulation to be sent out automatically after the user has finished their training.
How Customizable Is The Platform?
Customization is key in delivering a successful program that is going to be relevant for your users. For example, the program may need to cover topics that are relevant to certain roles in your industry–what might be useful for users who work on the factory floor in a warehouse might not be useful for the communications and PR team in head office.
So, good SAT solutions should have strong customization capabilities, and this should extend to the phishing simulations as well. Simulation platforms should ship with plenty of customizable email templates, so admins can build specific, believable phishing emails (an invoice lure for finance, a delivery notice for the warehouse) that test users against the kinds of messages they actually receive.
How Are My Users Going To Respond?
Lastly, your users are the focal point of any SAT program and how they will engage with and respond to the SAT platform is absolutely critical in swaying a purchasing decision. After all, they’re the ones that are actually going to be doing it, so it needs to be something that they’re going to respond well to.
A team of older, more established workers may not receive anime-style training montages very well. Nor might a younger workforce take in dry training videos presented by someone in a tucked-in shirt. And not only does the training have to be delivered in an engaging way, the content also needs to be something users personally find useful. No one wants to sit through an hour-long training program that isn’t relevant to their role when they could be getting on with more pressing tasks instead.
Talking to some of your users (or all if you’re not a particularly big company) is a good way to get feedback on what they would respond well to and what they might–dare we say?–enjoy.
Summary
In any noisy, overcrowded market, it pays to keep in mind what you actually want out of your solution. SAT solutions are no different. The first step is figuring out what your organization and your users need, and then go from there, keeping the above questions in mind when reaching out to sales teams for quotes and briefings.
Need a helping hand with a list of vendors before you get started? Check out our buyers’ guide here on some of the best the market has to offer:
The Top 10 Security Awareness Training Solutions For Business