Need some advice on implementing Security Awareness Training within my company

I am having difficulties having my employees sign up and complete the mandatory online training (Knowbe4). What action(s) should I take for those that have not signed up and completed the courses before the deadline, which is fast approaching? Please list some corrective action items I can use to get them to complete the courses.

Sean Jackson (Information Security Analyst) commented:
Start with buy-in from upper management, then work with HR and make it clear that there are consequences for not attending.  And make sure there are consequences.  Security awareness is never something people want to take time for.  They won't do it on their own.

btan (Exec Consultant) commented:
Punitive action will not bode any benefits or greater awareness. Now is the carrot to pull them for the learning and, if possible, allocate a time to have all go to a terminal and run the elearning through (of course their supervisor (or senior) gives the "ok") - don't let it be a chance for them to "skip" important work or meetings.

- Another means is at login to "force" the run-through or a reminder splash board, and even better, they can only use the notebook if they complete the elearning series

- Plan early and schedule, best if they can do it within a period and save where they stop and come back to finish when time is convenient

- Raise awareness of how long it takes to complete the elearning series and that the certificate of completion is to be submitted to their superior and eventually sent to the coordinator for compilation to update mgmt on the org security health scorecard - this may get some on the move since mgmt is to be informed subsequently on results too.

- Top down tends to be more viable than technical means or even multiple reminders ... make this a company policy and have regular taking such as a competency profile (include in their "CV"). I will try to avoid the "shame" scheme to flag those "missing in action" or negligent
Scott Thomson commented:
First, the guys are correct. Start with upper management and let them know how important this is. Any kind of chart or statistic that scares the living hell out of them should be a good way to get their approval, especially when you mention that not having users complete security policy training might end up biting them as the manager/CEO/boss man.

Then you need to make it very simple: a very quick, harsh "punishment" for not completing the security course. Any users who have not completed the course and accepted the IT agreement will have their access disabled because they are deemed a security risk until this training is completed.

As Neo said in The Matrix - "the problem is choice". If the user has a choice they will wait and wait and wait. Make them and management believe there are only 2 choices:
1. the sensible choice of security training
2. Disabled account and no access etc.

This will force the management of that particular team to do your job for you and chase up their team so they are not sitting there useless when the date passes.


As to how to implement that system:
- Set all AD accounts (minus service accounts) to expire on a certain date.
- For each printed certificate that you get you remove that expiry.
- This way only the people who haven't completed it have expiry dates.
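
One way to script the expiry approach described in the comment above, as an added example that is not part of the original thread. The deadline date, the CSV export of completions (with a `SamAccountName` column) and the service-account OU are assumptions; accounts that already carry a different expiry (for example a contractor end date) are reported and left untouched.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [datetime]$Deadline         = '2030-01-31',            # placeholder deadline
    [string]  $CompletedCsv     = '.\completed.csv',       # hypothetical export; column SamAccountName
    [string]  $ServiceAccountOu = 'OU=Service Accounts,DC=example,DC=com'  # hypothetical OU
)

# Build a case-insensitive lookup of users who have finished the course.
$completed = @{}
Import-Csv -Path $CompletedCsv | ForEach-Object {
    if ($_.SamAccountName) { $completed[$_.SamAccountName.Trim()] = $true }
}

# All enabled users except those under the service-account OU.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties AccountExpirationDate |
    Where-Object { $_.DistinguishedName -notlike "*,$ServiceAccountOu" }

$report = foreach ($u in $users) {
    $expiry = $u.AccountExpirationDate
    $done   = $completed.ContainsKey($u.SamAccountName)
    $action = 'None'

    if ($expiry -and $expiry -ne $Deadline) {
        # Expiry set for another reason (e.g. contractor end date): never touch it.
        $action = 'Skipped-ExistingExpiry'
    }
    elseif ($done -and $expiry) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Clear training expiry')) {
            Clear-ADAccountExpiration -Identity $u
            $action = 'Cleared'
        }
    }
    elseif (-not $done -and -not $expiry) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set expiry $Deadline")) {
            Set-ADAccountExpiration -Identity $u -DateTime $Deadline
            $action = 'ExpirySet'
        }
    }
    [pscustomobject]@{ User = $u.SamAccountName; Completed = $done; Action = $action }
}

$report | Sort-Object Action, User | Format-Table -AutoSize
```

Running the script with `-WhatIf` first lists the accounts that would change without modifying anything; re-running it after each batch of completions clears only the expiries it set.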

btan (Exec Consultant) commented:
Sometimes we just need some mandate to get this going for Employees as well - take a sample of the responsibility of individual spelled out and sign off in agreement to fulfil ...
freebeee01 (Author) commented:

I like your comment, which makes perfect sense. Two more weeks left before the deadline and I still have a number of people who have not yet completed the training. I think at this point, I need to send an email to the management team to have their subordinates complete and acknowledge the security policy, and also an email targeting those that have not completed their training that their account will be locked if they do not complete it before the deadline.

That said, can someone please help me come up with an email template for:

1) Email to management team to encourage their subordinates to complete and acknowledge the security policy.
2) Email indicating their account will be locked if they do not complete training before the deadline, because they are deemed a security risk.

The challenge is dealing with the executives, who think they are too good for this and that it's a waste of time. I'm sure I will have the buy-in from my VP of IT to lock out users, but I'm sure the executives will have a fit about that.
btan (Exec Consultant) commented:
It will be best drafted by someone in your organisation's corp comms, but you can share the "meat". It probably should cover some background on the numerous reminders (period) and the responsibility for all, from bottom to top level, to comply. The tone will probably have to be more "harsh" and direct to the point (no long email).

You must ensure through the broadcast and message that each staff has due diligence to make sure attendance to the training and acknowledged in compliance to the completion of the training. This is in all mean adhered in accordance with the Organisation mandate and standard....

Employees are responsible for exercising good judgment regarding the reasonableness of fulfilling the training. There is accommodation to make conveniences such that individuals in each department can be attended to the etraining etc. In the absence of any reasonable failure in attendance and completion, each should be guided by departmental policies on declaring early to the superior and make due care to complete in approved later date. Any further uncertainty, each should consult their supervisor or manager promptly.

Any employee found to have not been able to fulfil this requirement and policy, will be subject to disciplinary action, up to and including termination of employment.
freebeee01 (Author) commented:

I think that is too harsh. Let's keep it short and to the point. Is there anyone who can help me generate two email templates as I specified above?
btan (Exec Consultant) commented:
Sure I believe it is easier to tone down than tone up ... I am sure you can find some template from the following writeup.

The Employee Wins.
One of the most difficult things to implement in a company is change. Change comes hardest at the employee level. There is always some new program or other being foisted on them to improve their production, their motivation, and their corporate life as a whole. A successful security awareness program is neither a frontal assault upon them, nor is it a manipulative device to garner change. Instead, an effort to raise awareness of security issues around them is introduced. Awareness of behaviors that invite loss of personal privacy through social engineering, awareness of not only what is policy and how to respond to deviations or violations of it, awareness of the role each employee plays in the defense of company information.

This is a Win for Management.
This is a win for management because of a new awareness becomes a culture change instead of a short-lived dying program. This can be accomplished by maximizing the reach of the program with a consistent message. The key is the consistency of the message. Security is everyone’s job.

If we are to survive, we must survive on the Internet. To survive on the Internet, we must be aware of how to safeguard company assets. We must have a Security Awareness program and a security policy. Why not benefit everyone by leveraging one from the other.

Sec U R IT y - Tag! You're it!
Have a slogan

More tips