3 ideas for creating a new compliance program for information security
CEO at Kineo US
Annual compliance training season! Ah, the fun of it! Taking the same information security course you took last year? Reviewing the exact same policies and scenarios this time around? It’s enough to induce EGOS (Eyes Glaze Over Syndrome) in even your most compliant employees.
Creating and rolling out a new compliance program can be difficult for many organizations, not least of all because for some employees they’re seeing the same exact training year after year. Unless there are large industry or regulatory overhauls, most training simply doesn’t change much, which can take an already non-fun (we would never call it boring!) topic and make it positively EGOS (Eyes Glaze Over Syndrome) inducing. Within the Information Security realm this can be even more difficult because so much of the content in these courses is seemingly common sense and it’s very normal for employees to zone out as they feel like they’ve already got a good handle on what they need to know.
So how can a company that must provide Information Security training every year develop new compliance programs that will keep their learners’ attention and encourage retention? Below we take a look at three tips to keep your compliance training sessions fresh and productive.
Deploy micro-training tactics
Information Security is a great opportunity for trying out a micro-training or campaign-style approach.Why? Well, many of the main infosec concepts - such as not leaving your passwords posted in a conspicuous place, and remembering to log out of your computer when you’re away from your desk - simply don’t require more than a few minutes of discussion... and few reminders don’t hurt either. Use these opportunities to develop quick bursts of micro-training; a relatively-short overview video explaining why these measures are important and required, and then smaller, more bite-sized trainings or activities that are spaced out over the following weeks or months that asks learners to recall the information from the video and put it into practice by answering questions or completing a puzzle or game.
Focus on the gray areas
Another challenge of the annual compliance training slate is that you’re simply regurgitating the same policy information year after year. Eventually learners will tune out - they’ve heard it all before, and if they’ve heard it the exact same way you’ve definitely lost them. Instead, shift the focus of your new compliance program by lasering in on the 'gray' areas that aren’t so obvious. Incorporate discussions, scenario-based interactions, or interactive videos about why something may seem appropriate in one circumstance and not in another. Give your learners the opportunity to flex their brain muscles and flesh it all out for themselves, diving down into those gray zones.
Launch a sneak attack
This is one of the most interesting ways to deploy a new compliance program and see if the material is resonating with your employees - actually test it out! One of the biggest security risks that companies face is a data breach caused by a phishing attack. Everyone knows not to click a link from a suspicious email address or to give out their passwords or other secure information randomly over the internet, and yet when an email comes through that looks official - especially at work - you’d be shocked at how many times people will go right ahead and click that link. Today, companies have decided to get one step ahead by “catching” their employees making mistakes. They’ll do this by sending out an email with a suspicious link that looks official - such as a password reset link that comes from a slightly altered e-mail address - and wait to see how many people click the link. When the link is clicked it will direct the employee to a site that tells them that they’ve just fallen victim to a fake phishing attack and, in some cases, will immediately launch a short training on what to look out for next time. Organizations are also able to track who clicked the link, therefore, letting them know where they should focus their communication efforts moving forward. Sneaky, sneaky - but highly effective!
So -- three ideas you can use to help your learners become more engaged with their annual compliance training to avoid the dreaded EGOS (and, of course, reduce risk for your organization). Ready to give it a try? To learn more about implementing great compliance training, check out our guide Compliance: blended learning that works.