To have a good Remote Worker Security Awareness program, the first step is to have a good security awareness program — which is less about the technology and more about the process. At a high level, there are two phases of the awareness program. The first phase is the initial training, which should be done in person. The second phase is ongoing training that can be conducted anytime, anywhere.
Initial Training
Know your goals.
For the initial training, the first step is to determine what your goals for the program are.
- What do you want to achieve with this program?
- Who do you want to reach with it?
- How will you measure success?
These questions help set the tone for your program and point you in the right direction for designing your program.
Determine the right content.
The next step is to determine what content you want to cover in your program. You can follow a framework or build one yourself, but whatever framework or content you use, make sure you trust it — and know where it came from and why you trust it. And if you find any errors or missing content, fix them immediately.
Develop a schedule for conducting the initial training.
After identifying your goals and determining what content to use, the next step is to develop a schedule for conducting your initial training. Consider how much time each participant will need to understand the material and how much time they will need to complete exercises — through simulations or hands-on — as part of their training.
This should include time for one-on-one interaction with instructors who can answer specific questions participants may have as they go through it. Then divide up that time into individual sessions for each participant based on their role in the organization — typically IT Security professionals will spend more time on this than other employees who may only need an overview of what’s going on. (Note: this does not mean having separate training for each role.)
Create instructions in detail.
After developing a schedule for conducting your initial training, create detailed instructions. For example, for how each session will be conducted — including directions on how participants should interact with instructors and each other during exercises if necessary.
In addition, keep these instructions short enough that participants can read them before each session; still have time to ask questions before they start. These instructions should also include information about what time participants should arrive at each session.
So they know when these sessions are scheduled and don’t show up late; consider including information about parking if people will be coming from out of town.
Develop a plan for conducting the training.
After developing detailed instructions for how each session will be conducted, develop a plan for conducting the training. This should include things like:
- When and where the training is scheduled to take place;
- Who will be in charge of running the sessions; and
- How you will know if everything went ok — and what you will do if something went wrong. (Note: this is where your detailed instructions become important.)