5 things to consider when selecting a Security Awareness Training (SAT) platform

Security Awareness Training platform, what is it? If you’re not sure, read this blog post to find out what it is and why you need one. No matter what technology you have in place your weakest link is your employees and their lack of awareness. To build a great human firewall you will need a decent Security Awareness Training programme. How do you get one? Build your own? No, this is not a good idea! There is a ton of platforms out there to make your life easy. So how do you pick one? What do you need to look for in the platform?

Here are the top 5 things you need to think about so you choose the best one for your business.

1. Training content

The most important part of the Security Awareness Training platform is the content. The quality of the content, diversity of the content, the freshness of the content and frequency of content updates. The format of the training modules. Are they videos, interactive modules, puzzles, games, quizzes, wall posters, newsletters, etc...How long are the content modules? Are they engaging?

2. Admin overhead

If you are going to manage the platform yourself consider the admin overhead that’s required. Onboarding process shouldn’t be a hassle. The new user creations and leaver deletions on the portal should be automated. Ideally, the platform should sync with your directory services [Active Directory or similar] so that you can automate most of the tasks. Automation should be your priority when it comes to Admin overhead. You don’t want to end up spending days every month managing it.

Consider the user-friendliness of the platform. Is it going to take up your time training users on how to use the platform?

3. Functionality

What functionality the platform is offering? Ideally, you would want to follow up training with some sort of testing. For example, sending out email phishing campaigns. Does the platform support the feature? If you have separate learning and development the Security Awareness Training Platform should be able to offer you to create a separate role so that they can manage just the training part. Sometimes HR departments are responsible for this and also HR might want to run reports on their own. For these needs, you don’t have to necessarily make them admin of the Security Awareness Training Platform. You can create Security roles and assign relevant users/groups. It’s like Active Directory groups and file permissions.

We speak to many customers on a day-to-day basis. One of the questions we get asked often is, can they customise the platform? Customise the training? Edit the content? Upload their own content? Is the platform hosted or SaaS?

If you are running Email Phishing campaigns users should be able to report the simulated Phishing emails as well as the real phishing emails. Does the platform offer an outlook plugin for that? It just makes easier users to report. Also, find out if the platform is able to do USB drop tests, Phone phishing [vishing] and smishing.

4. Reporting

Of course, you have invested or going to invest in a Security Awareness Training Platform and your board will ask you to show the results or ROI. Yourself need to see the results too so that you can plan the next steps accordingly. You will need to run granular reports. See who is enrolled in a course, who started it, who didn’t, who passed, etc… Reports on Phishing tests. Who clicked on what links, who entered the data, opened an attachment, etc… Can you export the reports into a CSV/PDF file? Better yet, can you send them to a central dashboard? How it is to do that?

5. Cost

The obvious. What’s the cost? Cost model? Hidden costs? Management costs? Infrastructure costs?

I am assuming you are going to go with SaaS platform. My suggestion would be to have the cost per active mailbox per year. That should include the Directory synchronisation, content and any new content that will be published. You should able to re-purpose the licence of a leaver without any extra cost. If you are going to add more licences in the future you should be able to do that without much hassle. Some platforms out there let you add your content and most don’t unless you pay. You know what fits your business. If you are planning on having a managed service then find out how much it’s going to cost on top of the licence subscription. It might depend on the number of campaigns you want to run per month/year.

To sum up, in this day and age developing your own Security Awareness Training Platform doesn’t make sense. There are already well-developed purpose-built systems available on the market and it’s about picking the right one that suits your business. Hope the above 5 points help you.

If you need further advice or information check out our other blog posts or please feel free get in touch for a chat.