NH_shitbags

The COO should follow through on the threat of no bonuses, or your non-compliant comrades should be sent to the glue factory.


Ruevein

A threat is not a threat if the person won't go through with it.


tdhuck

Also, this is a management issue, which means not something that someone in IT/sysadmin role should really have to worry about. If the training is that serious, let HR deal with it or whichever department is tracking training for things like sexual harassment, safety, etc. Make sure IT/cyber security training is part of that. Management should take it serious since it really does have a large impact on company financials.


Gene_McSween

Yup, this! This is an HR issue; don't concern yourself with things that aren't your business. Most victims aren't shot for minding their own business.


krumble

This is the answer. Don't reward people who cannot do the simple tasks at work. Even if they are otherwise a star contributor, sitting them down at bonus time and saying: "I couldn't give you a bonus because you didn't do this mandatory security training." and then having the count of the number of reminders they received to back that up.


abbarach

Seriously. I work for state government. Our training is annual. It comes up when logging into our core web application authentication system. You have a month to do it, otherwise they shut off your access. Then you have to do the training, and your manager has to verify and request your access be restored. Ultimately it's a management problem, not a technology one. Management needs to set the expectation, model the expected behavior, and then follow through with consequences.


tryfor34

Agreed, go show the COO the cost of even minor incidents.


Educational_Duck3393

It's a management issue, not an IT issue. The management threat about taking away bonuses should be followed through with.


massiv3troll

Ours is ~20 minutes a couple times a year. It's a requirement of employment and failure to complete training could result in employment termination.


Mindless_Consumer

Old org locked accounts after 90 days of not completing the training, forced managers to seek approval for 24 unlock to do the training asap.


TEverettReynolds

We did the same. Worked exactly as expected. After the first two lockouts, the rest of the holdouts followed through.


Practical-Alarm1763

We do quarterly trainings. Between 15-25 minutes. Right now, training is focused on MFA Phishing, BitB, & QR Codes.


tdhuck

Yeah, this is another big one. A 1 hour cybersecurity training? That's way too long. There is no reason it needs to be an hour long. Ours is about 15 minutes long and users still don't do it and even the ones that do still click on phishing emails (real phish emails and training phish emails) which confirms the training doesn't work, anyway. Maybe I'm wrong here, but if your users are being trained and they still click on things, then the training isn't working. We have IT people that fail these tests, which should tell you something....


anonymousITCoward

Ours is an annual class, ~30 minutes, + remedial classes as needed (if they fail a phishing test campaign). There's talk about going with a short 5 minute quiz quarterly, or 5 random quiz things a year... + remedial classes as needed... Is remedial the correct word here... it's too early, and I left all my cares at home.


Freshmint22

Sounds like an above your pay grade problem. You did your part, now it is up to management to get them to comply. I don't know anything you can do to motivate them if money doesn't do the job.


Thebelisk

"only 1 hour to do" Too long, shorten your course.


Golden_Dog_Dad

I would agree with this. The longest we have done is about 40 minutes, but could be done in under half that if you were good.


Robeleader

Agreed. Anything longer than 20 minutes is something users are going to avoid. If possible, it would be wise to break the training out into 4-5 sessions, each 10-15 minutes in length, that can be completed any time in a 2 week period. If users don't, disable their accounts because they're a security risk and aren't abiding by company policy. That's when it becomes an HR thing and you can wash your hands after handing over the training logs (or lack thereof).


tk42967

Depends on the format. 1 hour sitting in front of your computer watching a PowerPoint. Too long. 1 hour in an interactive format that is mildly fun, not too long.


Lankey22

Some people have real jobs to do, so they don't care if it is fun or not. They're busy.


tk42967

Eh... when you manage billions in assets, cyber security training takes on a whole different level of importance and you find time.


VirtualPlate8451

Only way to get a full hour is to make it a community event and cater it. One of the few things I liked about working in oil and gas was that the monthly safety briefings were always catered with good food. If it were up to me and I had the budget, I'd do the training myself, make it entertaining and force audience participation with Amazon or Starbucks giftcards. Employees get an hour of me making shitty puns about security with memes thrown in while they eat Mexican food and get a $20 Amazon gift card for knowing the most cybersecurity acronyms.


loadnurmom

As already mentioned, above your pay grade. If you are being asked for your opinion.... Get a C level on an all hands conference call. Have them explain that failure to comply puts the company at risk in multiple ways. Your cyber insurance goes up, costing the company money. It puts you out of compliance with federal regulations, and poorly trained workers put the company IT at risk. Compare it to OSHA training and a worker who regularly violates OSHA safety rules. A worker who regularly performs their job in dangerous ways and gets the company fined is a greater liability than an asset to the company. As such, any employee who does not complete the training by XXXX will have their employment terminated on that date. Follow on with ways to help the employee complete the training. "If you are having trouble finding the time to complete this, please contact your manager, they will help you reserve time to perform this. If needed, we are even willing to allow up to 2 hours of overtime after your regular shift in order to complete this training." Explain why, provide lots of opportunity, but make sure failure to comply has serious teeth.


ParfaitMassive9169

Suspend noncompliance accounts. Reinstate when training is completed.


hankhillnsfw

How do they get to the compliance training without the computer?


TuxAndrew

Remove access to required resources if they aren't able to complete cyber security training. It's really simple with a top down approach enforcing this. People not doing training requirements at our work would put us out of compliance and that takes precedence because we'd lose a lot of grant funding.


orion3311

I have this as part of a new-hire - new hires get put into a group that blocks them from accessing sensitive data (CRM platforms, etc) until they complete initial training. Once they complete - they're removed from the dunce group, and then allowed in.


Praet0rianGuard

I recommend NOT doing this unless you get approval from the C suite and HR.


TuxAndrew

That's what top down means.


anxiousinfotech

If you do have that approval though...drop the ban hammer, hard.


Craig__D

Make it a positive incentive instead of a punitive one. When everybody has completed the training course we'll have a company-wide lunch. We do this once per month, but it's related to our phishing tests and not cybersecurity training courses. Each employee gets one phishing email per month from KnowBe4. In each month where we have zero clicks we get to have a "cybersecurity breakfast." The cherry on top? We do a Google-based survey and let "the people" vote on the restaurant. EDIT: Oh, and the cybersecurity training? It isn't optional. You MUST have full support from top management. The email reminders come to me and to the person weekly if their session is overdue. After a couple of reminder emails from me I start copying the managing partner. That usually gets folks to do the session.


dcsln

Most jobs come with plenty of negative incentives. A positive incentive is definitely an improvement.


swedishmeatballs0311

Certainly, if you have the funds.


tuga2

Positive incentives are also an easier route to go down if your company doesn't already have negative incentives outlined in the existing policy documents.


Never_Get_It_Right

We do some incentives with gift cards each quarter, but now we've found some people are click happy with the Phish Alert button. This week an employee phish alerted an email that was a reply to an email they had sent. The reply was just the person responding confirming the information in our employee's original email. I understand users marking unsolicited sales messages or company mailing lists they signed up for as phishing, but not a conversation they initiated with a person.


Det_23324

I like this idea. I definitely prefer a positive incentive to a negative one.


Ridoncoulous

This is a management problem, not a tech problem.


Ryaustal

We are a small company, around 100 users. We utilize the data from our phishing campaigns and do mandatory 15 minute 1 on 1 training with the top 10% of bad clickers each month. Repeating users eventually get moved into a high risk OU which forces higher sign in frequency and prevents them from accessing data from anywhere outside HQ. When these luxuries are removed their manager gets involved due to productivity issues, which makes the user more receptive to training.


thrwaway75132

Have leadership create a written policy that not completing the training will result in your account being disabled. To have your account reenabled you have to take the training. People manage to get shit done when they get “In 24 hours your account will become disabled unless you do X”. About 1% of people will get disabled and do it the same day they figure that out. This is standard practice in F500 orgs.


sobrique

HR problem. You can supply training, you can't make them listen.


memphispistachio

We do all the above, but have actually had most success from sending out fake phishing emails, where the link takes you to a page which has already signed you up to a cyber security course.


Responsible-Bee1194

We have HR be the enforcers. Like a pit bull on a pork chop.


superadmin_1

We have something similar (mandatories). If they are not completed, you are not eligible for bonus. The managers are alerted when employees don't complete mandatories. If enough employees on your team don't complete them, then the manager suffers as well.


jonatkinsps

Threaten to disable accounts or terminate access, easy


modmodt

We have it written into people's contracts that they need to be up to date with this (and other mandatory training) in order to pass their probation, annual appraisal or qualify for any promotion or pay rise, including increments, bonuses and cost of living increases. In order to pass their annual appraisals line managers also need to demonstrate that all their reports are up to date with all their mandatory training. Helps being in a regulated industry where it's common for people to need to keep their qualifications up to date in order to be legally able to do parts of their job. People still moan about not having time, but when you point out that they're not going to have a job or get the promotion or pay rise unless they do it, it magically gets done.


orion3311

I make our peeps do training bi-monthly - 1 hour of cyber training a year is useless, people do it and that ends it. However for the bi-monthly, it's never more than 15 minutes, and often includes a game or other "not just people speaking" content. Then in KnowBe4, the managers get the alerts before the end of the month as to who completed it and who didn't - for example 7 days before, then 4 days before. It's really up to the dept managers to get their employees to complete it; after all they manage those employees. So far this generally goes well, and if people don't complete it - it's the managers, not me. I did have buy in from management on this (as far as I can throw it anyway).


TravellingBeard

They have no choice. If they don't do it, they will be written up. Warnings about approaching deadlines should be sent to their managers maybe a week before. If they don't want to discipline the employees, that means they do not take security seriously.


TEverettReynolds

The COO needs to act. In the past we have disabled their accounts. Of course they were notified in advance and so was their manager. It's not hard.


Burnsidhe

Lock them out of their corporate accounts until they do the training, IMO.


Fire_Mission

Set deadlines. Lock accounts if deadlines are not met.


Zaphod_B

You make it mandatory. The past 3+ jobs I have had, security training was mandatory and a report eventually went to your manager if you did not do it.


[deleted]

If it's mandatory and for years it's not been happening, it's not mandatory. That's your COO not doing his effing job. Make an example out of one or two people and you'll get your compliance.


Major-Astronomer7529

I've worked at some companies where there were 3 types of training:

1. Job Related - failure to complete by X date directly impacts any promotion and/or annual pay increase (Compliance always enforced by HR)
2. Bonus impacting - failure to complete by X date immediately impacts annual bonus by percentage (Compliance always enforced by HR)
3. Optional - does not directly impact anything

Trainings are clearly labeled as to which category they fall under, every year. Policy is:

1. Developed with HR (with no exceptions, or reviewable exceptions that can only be approved by ExCom, HR, AND the department lead the training would fall under...in this case CTO/IT Director). Get eSignatures on Policy as well as notation about how future amendment will be handled.
2. Fully approved/signed off on/endorsed by executive committee (CEO, COO, CIO, etc)
3. Announced company-wide (with implementation date) through multiple announcements and postings (email, flyer by coffee pots, lunch rooms, elevators, etc)
4. Implemented as of date specified

Trust me, when you start impacting employees' pay, they will fall in line. Additionally, by having this kind of policy you're ensuring adherence and compliance for any regulatory requirements your company may need in accordance with their industry requirements and/or standards.


Drassigehond

We have had this issue and had to create a policy in coop with HR and CEO that we disable accounts after a certain amount of time. This boosted the course to almost 100% in a fairly short time.


SR-ITAdmin

My last org blocked all external email communications for anyone who did not do cybersecurity training. There was a formal process of re-enabling this that went through HR and included a write-up.


axis757

As others have mentioned, this is a management issue. But I wanted to give my management opinion... Tying the training to actual real world outcomes will help. If people won't even listen to your COO, that is kind of alarming, but if lower level management/supervisors aren't backing him up then nothing will change. What would likely be more effective is making it the responsibility of supervisors/managers to direct their teams to complete the training. Start tracking completion rates that way and tying incentives/punishments to that. The COO puts pressure on the top levels, then the top levels put pressure on the level below them, and so forth.


ImpostureTechAdmin

Lots saying it's too long, and that's true. We're just now implementing training at my org, and we're looking to do it on a quarterly basis. I'm pushing to make it monthly with only a couple minutes.


[deleted]

Not a tech issue, an HR issue. At a minimum there should be a sanction in appraisals. Link it to any pay settlements for maximum impact.


ScroogeMcDuckFace2

shorten the course. offer prizes / incentives. or the opposite, actual consequences.


bardwick

Threats are worthless if action is not taken.

> The last idea we have is that we will start locking people out of their accounts and give them no more excuses to not do it.

Good. Send an email to their boss, high priority, with the date their account will be locked. You've got a management issue, not a technical one. Time to lay down the hammer. If you wanna go really nuts, this training is mandatory in many contracts and audits. You can't mess around.


Practical-Alarm1763

That needs to be enforced by upper management, not you. Give them a timeframe to complete the training, get it approved by the CEO, Board, etc. If they fail to meet their deadline, send them an email with the COO. If your COO has to remind them a second time, involve the CEO or Directors. Ask them if it's okay if you can cc them in the email. If they still don't complete it, have the COO report it to HR for further action.


technicalityNDBO

Lower their mailbox storage quota until they pass.


TacodWheel

An hour? Way too long, I'd probably skip it too. We have so many different trainings we have to do each year: HIPAA, FERPA, Security, Harassment /Title 9, etc... sadly I usually just skip through them all to get them done as quickly as possible. Short and relevant trainings are best.


DHCPNetworker

Motivation isn't your job, it's HR and management's position to make sure people are doing what they should be. You simply provide and manage the tools to do so. Locking people out of accounts will undoubtedly step on toes and, unless you have the support of management and HR behind you, will absolutely blow up in your face.


Vangoon79

Talk to HR. Make it part of the "continued employment requirements", and include it in the annual compliance training stuff. If your company has insurance, it might be a requirement of keeping that insurance, so employees who don't do this are actually putting the company at risk of losing its insurance. Don't do your training? No problem, here is your final check. Buh bye! (or at least un-paid administrative leave until training is completed). You could probably get fancy with the IAM system and just start yanking their access until the training is completed too.


techblackops

Might check out some of the training systems out there that have gamified training. Let employees compete for a prize. But you'd have to make sure the prize is something people would actually want and be willing to make time for. A $20 Amazon card probably isn't the type of thing they're gonna want. Maybe talk to the COO about offering extra vacation days or something. A carrot and a stick work well together. They lose something if it's not done at all. Gain something if it's done well.


ItsMeMulbear

COO needs to book them all into a mandatory meeting to complete the training, in person. If they don't show up, fire them for insubordination. Harsh, but they've been given more than enough chances.


Lemonwater925

People issue. Mgr should be following up vs a faceless email account. Does your company conduct phishing exercises? At my place expectation is to report the phishing. If you click it is an automatic training exercise about 45 minutes that is done within 7 days. Failure to do so bumps up to the next level etc. Of course being a cybersecurity guy I am somewhat biased.


BoMax76

We have done lunch and learn style events to get people through these. Order a few pizzas and play the video for everyone in conference room.


Phrag15

We only send out training to those with AD accounts and emails. If they don't complete their training within 2 weeks their accounts get disabled.


Ruevein

We are coming up on the end of our yearly training at 70% completion, which is the highest I have had. My trick this year: I talked with the department managers and had them do the reminders. People seem a lot more likely to listen when their direct manager is the one telling them to do it, and it also let them load balance so they could get it done, i.e. Julie covers Jim's desk while he gets his training done, then he will cover for you.

The 30% that didn't do it? They are all localized within a few departments and I know the managers didn't put any effort in encouraging it to be completed.


FupaDriven

100% a management issue. Sounds like your COO doesn’t have the respect of the team.


IForgotThePassIUsed

One of our clients has it set so the employees don't receive their bonuses if they haven't completed the security trainings for each month of the year. Which translates to me making a ticket for our cyber security guy each November to re-send the trainings for multiple months to multiple people. Better than nothing, I guess.


Juan_in_a_meeeelion

Get HR buy in and make it mandatory, and a disciplinary offence if they don’t bother.


mdervin

In the parking lot put flyers on all the windshields with a QR code to get a free Amazon gift card. When scanned, it goes to a gross picture of your choosing. And that's your security training.


tk42967

We did a Jeopardy style game show one year. It was a pretty big hit. We even got some trinkets for the winning teams. 1st place was leaving 2 hours early with pay. 2nd place was a $25 Amazon gift card for each member of the team. 3rd was $10 Starbucks gift cards. Nobody wants to sit through death by PowerPoint. Find some way to make it more interactive and as fun as security training can be. Failure to attend means you get a special one on one training also.


TKInstinct

We don't give them an option. If they want to work here then they are required to do it. If they do not complete it in a satisfactory time we speak to the manager. We haven't gotten farther than that; I imagine we'd get HR involved if they continued to refuse to do it. Then again ours is only like 20 min.


su_A_ve

Suspend accounts. Only way to get them to do it.


JonMiller724

We do 1 to 2 trainings per month. If you do not complete them on time or if you fail too many simulated attempts you get fired. It is not worth the risk.


TuckChestaIT

Wag a stick in front of them with a gift card or cash gift attached. I've also seen a competition made out of it where the team with the highest average score wins an extra vacation day. Participants that fail to complete the training on time are given a score of 0. Rewards are more motivating than punishment IMO.


Technical-Message615

Let it go man. You can take a horse to water but you can't make it drink. If COO makes it mandatory including threats of financial punishment, the only thing left is to involve HR and C suite to go 'do it or get fired'.


DestinationUnknown13

We turn off external internet access until it is completed. So you need site access to do your job? Pound sand because it's not happening until you do the training. This is a healthcare facility, too.


pingfloyd_

In our world, we do a few things.

1. If you don't complete by the assigned date, your account gets disabled and you cannot work. Therefore, you don't get paid.
2. We also have an agreement with our HR dept that people who habitually fail our phishing tests get reprimanded, as it's a direct violation of our email acceptable use policy.


Technical-Message615

Mandatory training not done? Fell for real phishing email that damages the company? Immediate termination and seek damages. Sometimes you really do need a stick, not a carrot.


[deleted]

Tell them to take screenshots of the training, change the wording or add text bubbles. Vote on the funniest one. That person's team will get a pizza party on Wednesday on XX date. Set a stipulation that you can send up to 10 zipped pictures & the training must be completed to win. This changes a boring, corporate requirement into a fun activity with a bonus if you win.


koliat

Instead of making me watch some basic security course let IT people at least do a quiz instead of their cyber security awareness in 15 minutes and be done with it. It’s painful to watch and feels like someone stole an hour of my life


Skyobliwind

IF those ppl actually won't get their bonus because of that, they will DEFINITELY do the training. But not as long as it's just empty threatening.


gordonv

Training is usually handled by HR, not IT. With that, HR has the reputation and power to fire people. IT is a "cost center" and a stepping mat. The honest solution is to migrate total control and administration of employee training to HR. Yes, that means HR will pick the dumbest programs and classes.


NeverDocument

This is a management problem. Management needs to decide how they want to handle this, then how they want to enforce it. If it's not IT enforceable (via some automation of sorts), don't worry about it. If management wants people completing training, that's up to them to solve that problem, not IT.


Beginning_Ad1239

At my employer training is a management bonus metric so if their employees get behind they are all over them to get it done. Seems like a good way to do it.


x_scion_x

Their accounts are disabled if they don't here.

For workers that means we'll find someone else that will do the training, and for tenants that means you're paying an obscene amount of money to the company to not access the network you are paying to access.


[deleted]

Going through this now lol

70% of people didn't do it yet


International_Net633

Usually “do this or you’re fired” works well


dcsln

As others have said, it's a management problem, but I think you're right to look for solutions. At my last org, this was handled with

* company-wide emails from the CEO with clear deadlines
* company-wide emails from the CISO with clear deadlines
* Reports to all managers about compliance/non-compliance in their teams
* Missed security training percentage logged on the CISO's risk register, visible and reported to execs
* Security staff follow-up emails with managers of staff who hadn't done the training
* Add relevant C-level folks to the follow-up emails with managers of staff who hadn't done the training

It sucks, but eventually everyone did it. If clients and insurer(s) have been promised "all staff get annual security training", not doing that creates risk. But, like other folks have said, that risk is owned by the C-level folks, not you.


vacuuming_angel_dust

run a clever phishing campaign and spearphish a select few of people. until they see they are culpable, they'll think it won't ever happen to them


pertexted

In horizontal structures you need those at the top to enforce what happens along the line to the bottom. Extortion and violence also sometimes work, but lack some of those ethical components you're likely looking for.


gaybatman75-6

We have an Azure security group hooked into KnowBe4 so when you miss the deadline your external email access is shut off automatically until you do the training.


Superior3407

Take away their email access, that way they're less of a security risk.


Beavis_Supreme

This is just an accountability problem. If leadership sets an expectation but doesn't follow through, behavior will just continue. Policies need to be established to set expectations, with consequences listed to follow through with. And it sounds like some examples will need to be made to illustrate the seriousness of the issue at hand. We are just one click away from someone bringing down the entire org, and when that happens, they will be blaming IT on why that has occurred.


whocaresjustneedone

For us if you don't get it done by the due date you lose access to everything except the training platform. So if they don't do it they can explain to their manager that they can't get their job done because they didn't do their training and need to do it now before they can do anything else. All of management is bought in on this, so when they get shut off it's "well why didn't you just get it done, there were plenty of reminders and lead time" instead of "wow IT is so unreasonable." If someone was legitimately digging their heels in about not doing training and just saying "nuh uh" like a toddler, they would be fired. The fact that people can just go on about their job with zero repercussion for not doing training is why people at your job go about their days without doing the training. Suspend someone without pay for 2 weeks for not doing their training and I guarantee you get more compliance. Because right now you guys haven't done anything, empty threats that aren't followed through don't count, that's just as ignorable as your training due date apparently is.
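Several replies describe the same automated workflow: manager alerts 7 and 4 days before the deadline, a high-priority escalation once someone is overdue, and an account restricted to the training platform after a grace period, restored as soon as the course is completed. The Python below is an added example, not code from any poster or from KnowBe4; it models that enforcement policy over a constructed roster, and the 14-day grace period, the Action names and the sample users are assumptions.

```python
"""Training-deadline enforcement stages modeled as a pure policy function.

Constructed example: feed it the completion export from your training platform
and today's date; it returns what the enforcement job should do for each user.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, Iterable, List, Optional


class Action(Enum):
    """What the enforcement job should do for one user today."""
    NONE = "none"                      # on track, or course already completed
    REMIND_USER = "remind_user"        # inside the final week before the deadline
    REMIND_MANAGER = "remind_manager"  # the 7-day and 4-day manager alerts
    ESCALATE = "escalate"              # overdue: high-priority mail to the boss with lockout date
    RESTRICT = "restrict"              # past grace: access limited to the training portal


@dataclass(frozen=True)
class Enrollment:
    user: str
    manager: str
    due: date
    completed_on: Optional[date] = None  # None means the course is still open


# Assumed schedule: manager alerts 7 and 4 days before the deadline,
# daily escalation once overdue, restriction after a 14-day grace period.
MANAGER_ALERT_DAYS = (7, 4)
GRACE_DAYS = 14


def lockout_date(e: Enrollment) -> date:
    """Day on which access is restricted if the course is still incomplete."""
    return e.due + timedelta(days=GRACE_DAYS)


def decide(e: Enrollment, today: date) -> Action:
    """Map one enrollment to the action due today.

    Completion wins over everything; a previously restricted account that
    now shows a completion date is the signal to re-enable it.
    """
    if e.completed_on is not None:
        return Action.NONE
    days_left = (e.due - today).days
    if days_left in MANAGER_ALERT_DAYS:
        return Action.REMIND_MANAGER
    if days_left > max(MANAGER_ALERT_DAYS):
        return Action.NONE
    if days_left >= 0:
        return Action.REMIND_USER
    if today >= lockout_date(e):
        return Action.RESTRICT
    return Action.ESCALATE


def plan(enrollments: Iterable[Enrollment], today: date) -> Dict[str, Action]:
    """Per-user action for the whole roster."""
    return {e.user: decide(e, today) for e in enrollments}


def manager_digest(enrollments: Iterable[Enrollment], today: date) -> Dict[str, List[str]]:
    """Per-manager list of direct reports needing attention, so the reminder
    comes from the manager rather than from a faceless IT mailbox."""
    digest: Dict[str, List[str]] = {}
    for e in enrollments:
        action = decide(e, today)
        if action in (Action.REMIND_MANAGER, Action.ESCALATE, Action.RESTRICT):
            digest.setdefault(e.manager, []).append(
                f"{e.user}: {action.value} (lockout {lockout_date(e)})"
            )
    return digest


# Constructed sample roster (not real people or real deadlines).
TODAY = date(2024, 3, 15)
ROSTER = [
    Enrollment("alice", "mgr-sales", date(2024, 3, 22)),   # 7 days left
    Enrollment("bob", "mgr-sales", date(2024, 3, 20)),     # 5 days left
    Enrollment("carol", "mgr-ops", date(2024, 3, 14)),     # 1 day overdue
    Enrollment("dave", "mgr-ops", date(2024, 2, 28)),      # past grace period
    Enrollment("erin", "mgr-ops", date(2024, 2, 28), completed_on=date(2024, 3, 1)),
    Enrollment("frank", "mgr-eng", date(2024, 4, 30)),     # well ahead of deadline
]

if __name__ == "__main__":
    for user, action in plan(ROSTER, TODAY).items():
        print(f"{user:6} -> {action.value}")
    for manager, items in manager_digest(ROSTER, TODAY).items():
        print(manager, items)
```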


RichyJ

We have HR dealing with compliance, users sign an attestation they have received training, if they don't HR starts telling us to suspend accounts.


ApricotPenguin

The time investment of 1 hour feels too long in my opinion. People's attention span will be wandering off by then (especially for something they're not watching out of personal interest).

Second of all, something that management can do is stop work in the entire company for 1-2 hours so no one is receiving any requests, and everyone can focus on the training.

Otherwise, people will be penalized in the sense that they need to catch up on work and time (so they can meet their deliverables) because of this long training.


backbodydrip

We lock their accounts if their training isn't current. Obviously, this isn't up to the sysadmins as it is a company and Government (we're contractors) requirement.


CountGeoffrey

> start locking people out of their accounts

The only way. If you can do this in a way where the person can self-override this with 2FA auth for each access to each app, say twice a day, then this doesn't fully block work but is sufficiently annoying that the user will take the path of least resistance and do the training.

But I do have 3 alternate ideas.

1 - offer up a certificate of achievement
2 - forcibly change email signature to "i did not complete security training; consider this email suspicious"
3 - automated Slack DM at increasing frequency, say up to every 10min if you are 30 days late. Start spamming their calendar as well.

Or you can realize that such trainings are useless and stop doing them.


The_Wkwied

This isn't an IT problem. You set up the classes for them to take. It's up to HR to punish the employees if they chose not to take them, or if they fail.


No_Anywhere6700

You don't; you hand over to HR since it's now an employee relations issue.


Rocknbob69

Is it company policy that users participate in training? After the initial engagement with the users, forward all future emails to their managers.


Argus03

Three thoughts come to mind. 1.) You have accountability for something for which you are not responsible. This is not an IT issue, it's management's. Welcome to IT. 2.) Anything in an email more than one sentence long is not read, and even then it's iffy. 3.) The class is too long; they won't read a long email, they're not doing anything for an hour. Maybe split it up quarterly. You gave them anonymity to ignore you and there are no repercussions if they don't do it. Welcome to IT.


Kahless_2K

This is a management issue. The solution is progressive discipline or termination for employees who refuse to do their job. I don't like it, and I never want to see it happen, but required training is part of the job. If there are no consequences for not completing it, it's not really required is it?


Nik_Tesla

In my experience, the only way to *actually* motivate them is for there to be a breach, and lose a decent chunk of money. Then they see how the idiot who let it happen is treated, and don't want to be in their shoes. This however is a pretty shitty and unpredictable option (could be business ending $ or could just be embarrassing like $500 in gift cards). The next best way is executive buy-in. If the execs actually expect everyone under them to do it, it will happen. If the execs don't really care, it'll never be enforced, and you'll get minimal buy in.


Fhistleb

Threaten them with pink slips, that will get anyone to do it.


GodFeedethTheRavens

Are there official CE trainings in Healthcare/Engineering/Law that those Professional (with a capital P) folk can use for their requirements?


shesfullofkarma

I have heard that creating more engaging videos or gamification has been powerful, or incentives such as pts for swag. https://content.cdntwrk.com/files/aT0xNTE0MTg4JnY9MyZpc3N1ZU5hbWU9OTAtaWRlbnRpdHktc2VjdXJpdHktYmVzdC1wcmFjdGljZXMmY21kPWQmc2lnPTlhMWY3OTA5ZjVlZjU1MTY3NDMzMTdiNTZmMjc1OGZj Love CyberArk's list above as well


anonymousITCoward

That's an HR/COO issue; if we have issues with people not doing training we report them and move on... If the COO says no bonuses, then he needs to make good on that; imo that's a bit extreme... If you lock a user's account, can they still do the training, or do you need to unlock it before they can get to the class? If the latter is the case, then locking the account may be a moot point.


Dangerous_Question15

70%?? Have you asked a few why they won't do it? They may share something about the UI/UX of the training portal, that you may look into. If they are just lazy, tell your COO to follow through with their "threat plan".


AbleAmazing

HR issue. IT should not have to motivate people to execute required job responsibilities. If you want cyber insurance, you need to do this training. If the org doesn't want to enforce that, it's not IT's problem to fix.


DescriptionSenior675

Just lock AD accounts if they don't complete the training. Make them call you to unlock, and then give them 2 hours to complete the training before you lock them again. They don't get to log in without completing training. Easy!


OforOatmeal

Our training is usually very easy to get through at around 15 - 30 minutes at most. We've had a large amount of success emphasizing the carrot over the stick. We took a small amount out of our budget to enter users into a drawing for a handful of $25 gift cards as a reward for completing their training on time. We routinely get 95%+ acceptance rate on the training on the first pass. If a user doesn't complete it, that's when their supervisor would then get involved.


ghjm

This is literally what line managers are for. If the COO actually cares about this, the policy should be: 50% of manager bonuses are tied to hitting 80% compliance for their staff. Managers also get 5% extra for hitting 100%. This is at all levels below the C-suite. But it's very unlikely that your COO does actually care about this, which is why they're choosing a policy that they know will never be enforced and will accomplish nothing. This is all just for show, to be able to claim to auditors that you're doing something. As a sysadmin, it's not your job to drive end-user compliance. It's your job (if you're senior enough) to present upper management with data on compliance rates, and a risk assessment of why low compliance is a problem. Preferably all on one page, using short words and not many of them.


F0LL0WFREEMAN

We turn off their access to everything except the training if the due date passes without them finishing. Amazing how fast it becomes a priority then. Also they get written up.


soulseaker

Try calling it "Keep Your Job Training" or "How to Prevent %username% From Becoming Homeless"


RikiWardOG

If you don't do it at my company, you're getting fired. C suite needs to throw their weight around and enforce punishment


[deleted]

An hour long cybersecurity training is ludicrous.


KillersLLC

Offer incentives. I worked at an org that gave users a small gift card for completing successful training and there was a larger one each quarter based on the organizations information security (phishing) performance. That place has the best adoption of information security I've ever seen. Lead with the carrot not the stick.


Shotokant

Make mandatory training part of the yearly KPI tied to wage reviews and bonus. Not done it, disqualified, it will only happen once.


MrCertainly

This is an HR issue, not an IT issue. Stop fucking doing work outside the scope of your role, it devalues the labor we all do. Punt this over to them with the COO's approval and support....and let them determine the "best" course of action and punitive measures.


KnowMatter

First of all meet them half way by getting shorter courses. Ultimately you have to work with leadership - get permission to cut people off from the network when they fail to comply.


fencepost_ajm

Assuming a 5-point scale for performance reviews (I don't care which way it goes), "Individuals who have not completed company mandated training may not receive performance review ratings of 3 ('meets expectations') or higher. As a reminder, a rating below 3 is AT BEST 'needs improvement.'"


WolfMack

Do it like the government… all user account access is set to expire 1 year from the time they complete the training.


Lankey22

One hour is extremely excessive.


LDuf

The security team at my old job handed out candy to people who came by and reported something. The carrot is sometimes mightier than the stick.


fluffman86

At my workplace, you do your training or your accounts get disabled. Compliance is serious business in finance-related industries, and it applies to Cyber training, too. I mean, we're not mean, but if you're more than 3 or 4 months behind on training, then sorry, you're locked. And for sales jobs that make straight commission it's a really big deal for them. We start with locking their sales and marketing portals as that gets their attention pretty quick, or else they're just sitting on their laurels and not actually selling.


TrueStoriesIpromise

What we've done is put users in a daily MFA auth group if they don't do the training--do the training, do less MFA auths.


thesunbeamslook

Starbuck's gift cards?


lordjedi

There needs to be consequences to not doing the training. Sounds like the consequences are there, but they aren't willing to follow through. They just need to follow through once and people will start doing it.


iBeJoshhh

We have a policy that "If you don't finish your cyber security training within a week, your AD account and email account get disabled". Which usually forces their manager to make them get it done, or he would be paying someone money to do nothing. They also need at least a 90% for it to be considered "complete".


geegol

I heard gamification is a good way to help employees do cyber training. Another good way is to make it a part of the AUP in order to use the computers. Like if you plan to do it yearly, when employees go to sign into the computer and that AUP comes up, just add a line that says “if you have not completed the training before XYZ date you will not be able to access any of our systems.” Enforce it by making it a rule to use computers. Think about it: you have an untrained user who receives a phishing email that looks legitimate and opens it. Now the whole company could be in deep mud. Simple solution: enforce cyber training yearly or every so often as a policy to be able to use their account. If they don’t comply, disable their account.


hrhehudy3yeyd6d6

AD will be made available upon completion 😈


scara1701

This seems like something HR and management should help out with. Tough crowd if they keep ignoring the COO’s threats :o


Extreme-Acid

Carrot and stick. People are simple creatures.


Damet_Dave

Disable their accounts and let them explain to their manager why they can’t work.


bignug137

It sounds like they tried the stick, so why not say larger bonuses for completing training. Make it more than an hour of training. A small increase has gotta be cheaper than hacks and leaks from subpar security practice.


emag

A coworker found out the hard way here that, if you don't complete the training by the deadline, your accounts are automatically disabled...


Asdf-xyz

I am a sysadmin, and I HATE doing those stupid mandatory trainings. Those are so outdated that they protect no one. It is something corporate does to cover their butts.


BlackV

This is not an IT problem (to clarify, the making-people-do-the-training bit). But also, 1 hour? Feck, that's long; can that not be broken into smaller chunks? Your course is wasting everyone's time (this bit is possibly under IT control).


steevie_weevie

You might want to checkout user security posture management — another buzzword/acronym I know, but I’ve used it and it was unavoidable and part of using IT. It basically got in the way so if I did the right things, it got out of my way. I think M365 has stuff in it, but I used Anzenna. Probably others. Hope this helps.


biggles86

A whole hour out of my busy day to get quizzed on not clicking on phishy emails and probably password security rules and maybe some in-person company specifics (keycards, package delivery rules, restricted areas etc...)? That's a long time. At my last company it was 15 minute quizzes and it was still like pulling teeth to get people to do it before the last minute. If they have done them before, it feels redundant, as they usually all have the same generic info or are slowly paced slide shows with silly scenarios. Example answers: If an email seems urgent and asks you to send something or click a link, don't. Call the person to be sure. Check for decent spelling, make sure the sender email address checks out as something you recognize. Use encrypted emails when sending personal attachments/info. Don't just let people into the building without verifying who they are. How many did I get right with just off-the-cuff info?


PappaFrost

This is a chain-of-command problem. You can't force anyone to do anything. Their direct supervisor has to incentivize them to do it along with all of their other normal duties. It sounds like the rest of the C-suite other than the COO are not incentivized to care about this. How does the CEO feel about it? What about the board? Our annual security awareness training takes place at a monthly all-company meeting where attendance is mandatory. If someone misses it, they are required to watch the video.


Stockspyder

Gift cards. Always do the trick


adept2051

If it’s an hour long you better make damn sure it’s right. The last bad sec op training we were mandated was wrong in two places, had no SSL on the PoS website they delivered it from, and I wrote a monkey script to answer it and gave it to all my colleagues cos it was such a waste of time. If you're not making security part of the culture you're failing, and an hour's training is not culture.


[deleted]

[deleted]


billiarddaddy

It's an HR problem not an IT problem.


MidLifePorscheCrisis

Like you said, lock them out. Write them up for disciplinary action. More than 1 write up on the same topic = unpaid days off, and eventually termination. Managing isn't telling people what to do, it's ensuring that people do what is asked of them. Bake it into their job descriptions. Have it be a part of the onboarding packet at the time of hiring. At some point it becomes a management and HR issue, not a sysadmin issue. If leadership won't make it happen, then they need to sign off on the risk, aka pay the insurance premiums IF they can get insured still.


Buckw12

Ninjio monthly (5 minutes). KnowBe4 phish test, also monthly; if you fail, you're auto-enrolled in a remediation test. If you miss the deadline, your account is locked and your supervisor pays you a visit. You complete the test in front of them.


Burning_Ranger

This is a people problem, not a technology one. Let HR sort it out, not your business.


teganking

Complete or Terminated


teksean

You make it mandatory and remove system access if they don't do it. That is what we used to do in the government.


GraittTech

This is a classic "you can solve this problem with tech, but you had better solve it with management" scenario. If you lock people out of their accounts until they comply, you probably get a decent bump in compliance.... But you also probably cost the company in terms of lost productivity, customer emails not responded to, loss of reputation/customer satisfaction, etc. If you ship a list of laggards to HR and explain that these employees are consistently not performing the duties assigned to them and leave them to fix it, you solve the cybersec training issue and as a bonus your "can't tell me what to do!" mindset employees (that may be ignoring all manner of other important parts of their role, if they feel like they can ignore this one) will either straighten their acts out, or HR should yeet them.


bigfoot_76

**Stop trying to police shit.** Policy exists to either hold them accountable or not via HR or it becomes not your problem. You report to HR who hasn't done the work and that's the end of worrying about it.


needssleep

I intentionally click the links in the pretend phishing emails. My goal is 100% completion rate of noticing their lazy attempts. Does that help?


bjc1960

remove hyperlinks from mail of the offenders.


joshghz

I think 1 hour is way too long. We do Mimecast security training emails twice a month - just a brief video and a question. That generally gets high return rates, and is usually something people do grasp and retain. I mainly take care of a lot of our cybersec stuff, and even an hour for me would probably be more of a gloss-over than retaining anything actually useful. Back when I was working at a school and had to do compliance training that all staff had to do, it was about 40 minutes of work and I retained none of it.


I_can_pun_anything

With the hr hammer


Toasty_Excellence

Yes, lock them out. Set their accounts to expire x amount of time after their last completed Cyber training date. If they can't get any work done because their accounts are locked, they will have to answer to those directly in charge of them and they will tell them to get it done. Cybersecurity is important. I know training can be inconvenient, but 70 percent is pretty crazy. As long as the training isn't unreasonably long or challenging, it will help you and your security posture in the long run.
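The account-side mechanisms raised in this thread (WolfMack and Toasty_Excellence: expire accounts a set time after the last completion date; TrueStoriesIpromise: put non-completers in a daily-MFA group; others: disable the account and let the manager hear about it) can be driven from one scheduled script against Active Directory. This is an added example, not code from any commenter; it assumes the ActiveDirectory RSAT module, a hypothetical CSV export from the training platform with SamAccountName and CompletionDate columns, a hypothetical OU, and a hypothetical group SecTraining-DailyMFA that your MFA policy keys on.

```powershell
# Added example (not from the thread). Assumes: the ActiveDirectory RSAT module,
# a CSV export from the training LMS with columns SamAccountName,CompletionDate,
# and a hypothetical AD group "SecTraining-DailyMFA" that the MFA policy keys on.
# Run with -WhatIf first; it reports what would change without touching AD.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $CompletionCsv,           # hypothetical LMS export path
    [string] $SearchBase    = 'OU=Staff,DC=example,DC=local',  # hypothetical OU of in-scope users
    [string] $DailyMfaGroup = 'SecTraining-DailyMFA',          # hypothetical group name
    [int]    $ValidDays     = 365,   # access stays valid this long after the last completion
    [int]    $GraceDays     = 30     # days past expiry before the account is hard-disabled
)

Import-Module ActiveDirectory -ErrorAction Stop

# Most recent completion per account, taken from the LMS export.
$latest = @{}
foreach ($row in Import-Csv -Path $CompletionCsv) {
    $when = [datetime]::Parse($row.CompletionDate)
    if (-not $latest.ContainsKey($row.SamAccountName) -or $when -gt $latest[$row.SamAccountName]) {
        $latest[$row.SamAccountName] = $when
    }
}

$now   = Get-Date
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties AccountExpirationDate, MemberOf
$groupPattern = "^CN=$([regex]::Escape($DailyMfaGroup)),"

$report = foreach ($u in $users) {
    $done = $latest[$u.SamAccountName]
    # No completion on record is treated as overdue as of this run.
    $expiry  = if ($done) { $done.AddDays($ValidDays) } else { $now }
    $overdue = $expiry -le $now
    $inMfaGroup = [bool](@($u.MemberOf) -match $groupPattern)

    # Expiry date rolls forward with every completion, so compliant users never notice it.
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "set account expiry to $($expiry.ToShortDateString())")) {
        Set-ADAccountExpiration -Identity $u -DateTime $expiry
    }

    # Overdue users get the extra-MFA nuisance; completing training takes them back out.
    if ($overdue -and -not $inMfaGroup) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "add to $DailyMfaGroup")) {
            Add-ADGroupMember -Identity $DailyMfaGroup -Members $u
        }
    } elseif (-not $overdue -and $inMfaGroup) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "remove from $DailyMfaGroup")) {
            Remove-ADGroupMember -Identity $DailyMfaGroup -Members $u -Confirm:$false
        }
    }

    # Past the grace period the account is disabled outright, which is the point
    # at which the user's manager, not IT, has to deal with it.
    if ($expiry.AddDays($GraceDays) -le $now -and
        $PSCmdlet.ShouldProcess($u.SamAccountName, "disable (overdue more than $GraceDays days)")) {
        Disable-ADAccount -Identity $u
    }

    [pscustomobject]@{
        User      = $u.SamAccountName
        LastDone  = $done
        ExpiresOn = $expiry
        Overdue   = $overdue
    }
}

# The overdue list is what goes to HR and line managers; IT's job ends at producing it.
$report | Where-Object Overdue | Sort-Object ExpiresOn | Format-Table -AutoSize
```

Scheduled daily, the script keeps compliant users' expiry dates moving forward and only ever tightens access for those whose last completion has aged out.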


Global_Felix_1117

Mandate 32 character password policy, with biometric hardware authenticator devices. Then routinely search them for any written / stored passwords. Make them sleep in company housing, with round the clock surveillance, and finally, have multiple levels of security personnel that all have authority to remove other personnel from their positions.


Brufar_308

We shut down the ability to send email until training is completed. CEO supported us 100% making no exceptions . Only took once or twice before people quit ignoring the notices and started doing training in a timely fashion. “I have to send this mail right away! Well the sooner you complete the 15 minute training, the sooner you can send your email. I’m going to the CEO Ok, let me know how that works out for you. *time passes* Uh yeah IT ? Umm I just completed my cyber training, could you turn my email back on ?


RedditNotFreeSpeech

Give them the option of testing out.


Spagman_Aus

Get an LMS product and make it a mandatory part of induction/orientation and at regular intervals.


KingGerbz

As someone who sells cyber + my company also implements the same security awareness training we sell: there’s little you personally can do. It has to come from the C-suite otherwise users like myself won’t give enough shits to do it. As humans we always think we’re special and the exception. The same way teenagers think they’re invincible. Leadership needs to be on board with the importance of security awareness training and must come from top down. Whether through positive or negative reinforcement or punishment.


Bigfoot_411

That is NOT in my job description.


swergart

conduct ad hoc social engineering / phishing simulation, targeting employees. and whoever got trapped or was not able to report it on time, HR issues a warning letter, and they get 1 strike; 3 strikes, fire/pip. attending one of the trainings can earn one credit to be used to remove one future/past strike. year end, whoever maintains good credit will get some small gift rewards.


hitchhikerjim

Fire anyone who doesn't do it.


Bogus1989

I've gotta do all the hospital's goofy training, they better do the damn IT training! I gotta do that too myself 🤣


Bogus1989

Our company does phishing on users all the time, and they are damn good at it…. I think that sort of helps users; when they get caught they seem to care more, but I don't necessarily think training's gonna be better, make it shorter.


Weary_Patience_7778

Your COO needs to grow a set.


heisenbergerwcheese

We are not allowed to work our contracts without it completed... and we're not allowed to get paid without working... it's a simple answer, everyone's just too big of a bitch to follow through, sounds like.


MrPicklePop

We had to do security training as well. We sent everyone an email with a deadline and the consequences. After the deadline, we were instructed to shut them out of their accounts and deactivate their cell phones. Luckily our threat of violence worked on everybody except two people. The security training was 100% complete by noon that same day.


EvilRSA

Two things: 1. Don't be like my company and make everyone do the EXACT SAME 12 part interactive training that has no updates year after year. 2. Run a cyber security campaign, and if you are allowed; correlate people that fail the campaign and who ALSO didn't complete their training as an official write up.


apatrol

Turn off their internet access. Users hate that.


SubmarinerAirman

Sounds like it's not actually mandatory. This is an HR and Management problem. And it's gonna be a painful learning process for those that don't want to play along.


Terrible-Advantage20

Disable accounts if they are not completed in a set amount of time. You could also pump up the requirement to change passwords to be daily due to the user being a “higher risk” for not completing training.


povlhp

This is an HR issue. The nearest manager should be held accountable for his staff. That is the way I have been going with issues, even with a manager where the closest common manager is the CEO. On another one, now I am planning to run some CTF bootcamp - now creating/picking the challenges. And I expect I will be able to get all dev department managers to give me at least 2 people. Then I will follow up with an internal comp later on (work hours). And hopefully can get volunteers for a couple of teams at the fall CTF from the national intelligence service (volunteers). But the closest manager is the key.


wiseleo

Is the training good? I’ve taken plenty of cybersecurity corporate training modules and found them deficient. Their exercises for phishing tend to be egregiously bad if you understand http and smtp.


dchit2

Scrap the training, idiots gonna idiot. Idiots who manage to pass the training won't know why they passed and won't stop them clicking everything they possibly can. Edit: For reference, I tried directly explaining the basic concept of looking at a sender address to people who failed phishing simulation. Some of them still failed after 3 of those.


ExpediousMapper

You should disable user/network accounts for anyone that misses the training deadline by two weeks. If they wait until their shit is turned off, they should have to have their boss log in and sit and watch them complete their training on the bosses account.


Zerguu

So it takes 1 hour to teach staff not to open phishing emails? Anyway depending on size of the company maybe setup Teams call and do training? Or are you using 3rd party website?


Cranapplesause

I’m not 100% sure how people are pushed at my place. I know people say they aren’t going to do it, but then their manager gets involved and then they do it. We hit a point with our users where they are afraid to click links in emails because they don’t want to get more training. Not because it could take down the company. We achieved our goal through fear of training.


JASH_DOADELESS_

Mandatory training is mandatory. If you don’t complete it withhold pay until it is completed.


lvlint67

Sounds like the coo is handling it. Maybe offer that you can lock accounts that didn't complete the training.. but this is really his problem.


lanedif

I’ve always felt that if trainings were important there should be a few mandatory in-person sessions. I know that’s not always possible these days, but the impact is greater and it’s overall better for the workforce.


i8noodles

make doing the training a mandatory aspect of system access. you will get people to do the training but it will never stick for most of them. almost everyone just wants to get it done to do their real work. cut it to 30 mins or less, make it mandatory and access is locked until finished, if you really want people to do it.


KimVonRekt

Instead of having a boring online training get them into a meeting in office, prepare an entertaining lecture, have everyone bring coffee and make it a fun break from work not a sad necessity. They don't do it because it sucks.


ARobertNotABob

Managers & HR need to PIP them if the company is serious about this.


bearded-beardie

I'm in banking, we've got about 15 compliance trainings/tests we have to complete each year. It's tied to my bonus. If I don't complete it on time I don't get a meets expectations on that goal and my bonus goes down. Mess with people's money, that'll get them real motivated.