Cyber Security Awareness Training for Employees
LUCY offers more than 200 interactive, web-based training modules (videos, tests, quizzes, games and more) on various security topics. These can be given to employees based on the results of attack simulations, or independently of them.
Employees can manage their own learning content in the LUCY LMS while your IT administrator tracks their progress in real time. An integrated authoring tool allows you to quickly create new learning content, and our team can also create custom content for you.
Interactive Training & Gamification
LUCY’s interactive tests and web-based trainings can be used to determine the users’ level of knowledge about security. In addition to traditional training methods, LUCY uses various gamification approaches to create a lasting e-learning experience. Keep in mind that gamification is not about playing games at work! Gamification is the process of engaging people and changing behaviour using game mechanics in a non-game context. Essentially, it takes the fun factor of games and applies it to situations that aren’t much fun—like how to block the next hacker from stealing company data. By creating effective leaderboards you can also motivate your employees to achieve better results.
Gamification as an important element: Some of our learning content is based on well-known games and encourages users to compete for the top spots on the leaderboard.
Detecting phishing attacks does not have to be learned only through attack simulations: our interactive games are equipped with many realistic attack examples. The player has only a limited number of lives and a limited amount of time to recognize the attacks.
Much of the interactive learning content is equipped with playful graphic elements. This is an alternative to purely text-based knowledge tests.
The phishing quiz can be used by itself or as part of other training courses. The selection of templates and content is very easy to customize.
Industry & Role-Based Training in 30+ Languages
LUCY comes with more than 200 editable awareness templates (posters, screensavers, flyers, games, interactive courses, videos, microlearning training modules, etc.) that cover the most common security topics in different languages. These can be easily adapted in terms of content and design. All training content is loaded directly onto your LUCY server and can then be viewed by your employees. Alternatively, you can transfer the training directly from LUCY to your own system.
- PCI Security
- WLAN Security
- Social Engineering
- Clear Desk Policy
- Data Privacy
- Secure Social Networks
- Secure Browsing
- Password Security
- Physical Security
- Shoulder Surfing
- Spear Phishing etc.
Custom Module Creation & Authoring Tool
Customize existing learning content with the editors we developed specifically for LUCY. Images, texts, linked documents, content, and even the design can be modified. Do you want to create a completely new course in LUCY? No problem. With our e-Learning Authoring Toolkit you can create interactive learning content via drag and drop.
All HTML5 based courses are editable. Background, colors, content, images etc. can be easily modified. Any language can be added with one click.
LUCY has a variety of interactive tests that are easy to edit. In the screenshot you can see the editor for the internet security test.
The Phishing Quiz, in which the user can assess different emails in terms of risk, has an editor specially developed by LUCY. This editor allows the administrator to quickly make changes to the emails displayed in the quiz.
So, how can we implement a security
Assessing your needs
Evaluation is an essential first step in developing your wider security program, and it applies to security awareness training too. Assess the major risks that you want to tackle. If you’re in a regulated industry, you’ll want to include compliance requirements. Work out precisely what training is needed to meet those requirements.
Assessing your security culture
A strong security culture starts at the top, with leadership promoting the belief that security is everyone’s problem and responsibility. When the culture says that security belongs to everybody, the IT department is no longer fighting the battle solo. To launch a program, we start by assessing the needs, and only then do we begin creating the content.
Assessing your policies
All policies, guidelines, and standards related to the employee (user) must be analyzed. Those policies must be incorporated in the awareness training content at a later stage.
Identifying the involved target groups
The phishing simulation can be combined with training services that help the company better assess its risk. Here are a few examples of target groups and the training appropriate for each:
- Board of Directors: The Board of Directors may be invited to sit in on an annual User Awareness Training as a means of educating the Board on information related to the importance of Information Security (as well as the type of training being provided to the end user).
- Management: The training should assist the management team in the execution of various duties (access authorization, data classification, etc.).
- Technical staff: Because the technology staff is instrumental in securing information assets, enforcing policy, and configuring systems to enforce policy, it is imperative that a training program be developed to make all technical personnel aware of the appropriate policies, procedures, tools, standards, and guidelines that they must follow. Annual training should be supplemented with comprehension testing as well as ongoing training. Best practices include:
  - A “due diligence quiz” which documents that the user not only received the training but also understood key provisions of the policy.
  - A monthly awareness reminder: Once per month, an e-mail message will be sent related to a specific current topic.
  - As-needed awareness information: As new issues, vulnerabilities, or policies arise, we will send additional reminders and/or vulnerability announcements via the appropriate method.
  - Ongoing awareness exercises: Throughout the year, as well as in advance of annual training, various awareness exercises, like phishing simulations, may be conducted.
- Customer Awareness Training: We may also work with marketing personnel and web developers to ensure an adequate mix of identity theft prevention education is distributed to customers in the form of flyers, web page elements, and public announcements.
Develop cross-department partnerships
The awareness program is likely to be developed together with the IT department, or perhaps Risk or Compliance, but implementation needs partners in other departments. Partners could help with a couple of key needs: delivery (in the case of live, in-person sessions) and dissemination. The Human Resources department could help create policies that make the training mandatory, as well as track participation. The communication director or another professional communicator could be recruited to deliver the training content. If the compliance department has a newsletter, partnering with them could be used to distribute security awareness content.
The content needs to be custom-tailored to each organization’s unique case, as well as the sector the organization operates in. The program needs to focus on the topics that will help users change their behaviors. Some common ones that apply to any sector include Social Engineering, Phishing, and Mobile Security. When developing training content, we make sure that we lay out some clear real-world examples and show the users what an attack looks like.
Find the right tools
Long PowerPoint presentations are a thing of the past—at least when it comes to awareness training. Having employees stuck in their seats for 45 minutes, listening to someone talk the entire time, doesn’t create an engaged audience that will retain the material. The best programs avoid this issue by using a variety of delivery methods—from video to interactive online modules, gamification, and simulated phishing attacks. It’s a good idea to deliver your training via several different methods. E-mail lists are an easy way to send out content. We also provide content on external websites or the intranet.
Scheduling and delivering training
Most companies will start with an annual training program, and training specifically for new hires is the required minimum. A successful awareness program is not a one-time activity, nor is it a once-a-year activity. It needs a regular, ongoing schedule that includes different types of activities delivered at appropriate intervals—some may be monthly, others quarterly or annually. The content should be mixed up and relevant to seasonal threats, where applicable. For example, e-cards can prove to be a tempting click right around Valentine’s Day, so make sure your staff know what suspicious signs to look for.
Testing the effectiveness of the training
When you put in place a new security system, you always want to test it to make sure it’s working properly; you should think about security awareness training in the same way. You may want to include relevant questions as part of your training content. Ending each section with a test is a good way to determine whether your staff have garnered the key information. For example, you might consider sending out a mock phishing e-mail a few weeks after your training to see who falls victim to it.
Tracking and acting accordingly
Testing the impact of your training is important, but you also want to track who completes the training you send out and how much time they spend on it; then measure the impact it has on actual security incidents. If people don’t complete the training or fail the tests, then they need to be sent for further training, and repeated failures should trigger a face-to-face meeting. If your program is truly effective, then you should see a drop in the number of security incidents. If you don’t see a correlation there, then you may need to rework your training materials and tweak your approach. When new threats emerge, you must be ready to work them in and update your training accordingly on a continuous basis. Train your staff properly and equip them with the knowledge they need; only then will you see a significant improvement in your overall cyber security.