A common mistake I often see organizations make with their security awareness program is failing to plan for the long term. Organizations often get caught up in the initial roll-out of their training but forget to plan for updating the program later. It's key that you update your program at least once a year. Some things to consider:
- If your only goal is to meet compliance requirements, keep in mind that compliance standards change constantly, so you need to update your program to stay current. In addition, which standards you fall under can also change. For example, while you may not think you fall under HIPAA, a review of HR and accounts payable may reveal that you handle employees' medical insurance records, including sensitive PHI. That would require you to train staff on what PHI is and on the government regulations governing how it must be protected.
- If your goal is to take your program to the next level and change behaviors, you need to focus on the top human risks to your organization. But both technology and threats are constantly adapting and changing, so your awareness program must adapt too. For example, while cloud technology or BYOD may not have been a concern last year, either could be a top human risk you need to address this year.
- Finally, consider engagement. If you deliver the exact same training year after year, people will quickly tune you out. By updating your training, changing not only what you teach but how you teach it, you will engage your staff more effectively and ultimately change behaviors.