How often should we enrol our users in new courses?
We recommend one course per month.
Think of Awareness Training like fitness training. To see the best results, you are going to want to train on a regular basis. If you train intensely for two weeks but sit on the couch the rest of the year, that training won’t have a significant impact.
Assigning courses at a moderate interval will help keep your employees’ cyber security and GDPR muscles strong and capable of maintaining good habits.
What are the Pros and Cons of training on an ongoing basis?
Pros: Allows the training to have a larger impact on forming good habits and helps keep cyber security and GDPR issues present in your colleagues’ minds.
Cons: This requires a certain amount of dedication and resources for the program, as Awareness Training requires an administrator to enrol users in new courses and follow up with those users who have not yet completed all of the training. See tips for this in the section “Follow up on the Awareness Training.”
What are the Pros and Cons of training on a more intense but less frequent basis?
Pros: Does not require continuous administration of the Awareness Training. Those who choose the “one and done” method can save a bit of time on assigning courses and will have a slightly easier time keeping track of everyone who has not taken the training.
Cons: The phrase “out of sight, out of mind” applies here. Cyber security, and especially the GDPR, are topics and processes so new to organisations that many employees do not actively think about how they use their IT devices and how their actions in cyberspace can have major implications for themselves, the people whose data they handle and their organisation. Simply put, for many people cyber security and the GDPR are not a fixed part of their awareness. By assigning a new course each month, it is more likely that behavioural changes will occur.
What can I do to make sure my employees complete their assigned courses?
There are four pillars to making sure employees complete their assigned courses:
- Good communication
- Support from management
- Obligatory training
- Follow-up on the assigned training
Good communication
This pillar is a vital step to set your Awareness Training up for success. Creating a framework for your employees to understand the goal and importance of the training is key. If your colleagues don’t understand the value of Awareness Training, they will lack the motivation to take the training and might even view it as a waste of time. Therefore, we recommend taking the following steps:
- Send out THIS company-wide email at the start of the training
- Before enrolling your users in a new course, give them advance notice and some context
Your colleagues will now be prepared for the task at hand and know what to expect, in addition to knowing that each course only takes between 5 and 7 minutes to complete. Keep in mind that the more work you do in the beginning, the less work you will have to put in later.
Support from Management
Cyber security and GDPR Awareness Training are seen in many organisations as “nice to have” but not “need to have”, even though a good training program is a cost-effective way of preventing a myriad of risks. Much like any other type of initiative without support from leadership, your program is less likely to have a significant impact. However, if the CEO introduces the Awareness Training to the company, employees are more likely to see the program as vital and will feel a sense of urgency.
Obligatory training
Most likely you and your colleagues already have a full workload. If the training is not required, they might not carve out the time to complete it. The success of the training is also reliant on EVERYONE in your organisation having good habits around cyber security and the GDPR. You can think of cyber security threats like a virus. If only one person is vaccinated, the virus can still spread to everyone else in the company and compromise it. It’s important to have herd immunity.
Follow up on the Awareness Training
Like most training platforms, our e-learning platform automatically sends out reminder emails every week to all those who have not completed the assigned training. We have found that following up internally makes a big difference. This is an important aspect of ensuring that everyone in the organisation has the tools to fight cyber security threats and security breaches. Our e-learning platform has a reporting tool that makes following up easy. Here is a guide on how and when you should follow up on the assigned training.
(If you already use our platform, you can read this article on how to use our reporting tool HERE)
After two weeks, pull up the report: “Follow up on users who have not completed all the assigned training”
After a week, pull the report again. This time you should send an email that is firmer than the last one.
After another week, pull the report and send out another reminder email. This time you can really stress the importance of taking the training. You might even suggest taking the training with them.
At this point you might still have 5% of employees who have not taken the training. You could book them for a meeting to take the training with them. You could also get some back-up by asking their supervisor to increase the pressure, etc.
Just remember, Awareness Training is all about creating good habits. The more these good habits become incorporated into daily work-life, the less you will have to do to make sure your colleagues take the training. Investing time in creating systematic follow-ups will pay off later.
Is there any way to measure the success of the training?
There are both quantitative and qualitative ways to measure the impact the training has on your colleagues.
- You can measure based on what percentage of the organisation is taking the training.
- Although awareness can be a hard thing to measure, you can measure whether there has been an increase in inquiries regarding security breaches since the start of the training. Just note that an increase in reports of security breaches could also mean that the training is in fact working because employees will notice more when things are done in accordance with the GDPR and safe cyber security practices.
- Try a phishing simulation as an add-on to the Awareness Training. You can test whether your employees are prepared for phishing emails with our simulated phishing attacks. Some customers like to administer a phishing campaign around the start of their Awareness Training and again after six months. This way they can not only measure whether the training is working but also practise handling phishing attacks, so that colleagues learn to spot and report real attacks. You can read more information about Phishing training here.
- You can also try sending out a company-wide anonymous survey about the training. You could, for example, ask them how they feel about the training or if they feel like they’ve become more aware of cyber security and personal data in their everyday lives.
- Another way to get a sense of whether the training is working is by looking at how your colleagues approach the IT department. For example, are they frustrated when they are prompted to create a new password, or do they understand why this is important?
Note: If your completion percentage is higher than 80%, you are doing better than our average customer. You can find more information on measuring the effectiveness of awareness training right here.