Introduction
Security training is a critical component of any organization’s cybersecurity program. However, conducting training once or only annually is not enough to ensure employees retain what they have learned. Refreshers and ongoing education are key to reinforcing security best practices and keeping security top of mind. In this article, I will discuss techniques to make security training stick through the use of refreshers and supplemental education.
Conduct Frequent Refreshers
Rather than delivering training in long, intensive sessions, it is more effective to break it up into smaller chunks spaced out over time. Frequent refreshers will help reinforce concepts and procedures.
Here are some techniques I have found effective for refreshers:
- Lunch and learn sessions – Short 30-60 minute sessions held monthly or quarterly to review key topics. These informal gatherings held over lunch help keep security on employees’ radars.
- Microlearning – Break training into bite-sized pieces that can be consumed on demand, such as short 3-5 minute video lessons or interactive modules distributed weekly or monthly.
- Refresher emails – Send regular reminder emails calling out key security best practices. Include relevant examples and anecdotes to reinforce lessons.
- Games and contests – Gamification makes training fun. Friendly security challenges, quizzes and competitions help drive retention.
Vary Training Methods
Delivering training in a variety of ways will help reinforce lessons and appeal to different learning styles. Alternate between different formats to keep things fresh and interesting.
- Instructor-led training – Good for delivering initial training and ensuring comprehension. Should be paired with follow-up refreshers.
- Online training modules – Interactive, self-paced eLearning is convenient and scalable. Keep modules brief and include knowledge checks.
- Webinars/video – Allow remote delivery of training and subject matter expert presentations. Keep videos short and focused.
- Hands-on exercises – Scenario simulations, cyber ranges and tabletop exercises provide applied practice and build muscle memory.
Supplement With Continuous Education
Complement formal refreshers with a steady stream of tips and material to foster a security-aware culture:
- Posters & signage – Place eye-catching reminders about threats, policies and controls around work areas.
- Newsletters – Curate relevant cybersecurity news and need-to-know info in a digestible periodic newsletter.
- Lunch talks – Bring in external guest speakers or host brown bag sessions for informal sharing of security topics.
- Contests & events – Participation in cyber months, awareness days and friendly competitions keeps enthusiasm high.
Track Training Completion
You can’t manage what you don’t measure. Use a learning management system or training platform to track completion rates across the organization. Ensure leadership has visibility into training activities.
Conclusion
One-time security training is not enough. A mature cybersecurity awareness program uses ongoing refreshers, alternating training methods and continuous education to drive retention and behavior change. Short, frequent training activities create “touch points” to reinforce critical skills and knowledge. Varied formats cater to different learning styles and keep things interesting. Supplement formal refreshers with informal sharing of information to foster an organizational culture that values security.