Users not completing training


(Carl) #1

We have had a phishing training campaign set up in KnowBe4 since we first started using them. We had every member of staff complete this training, and have put in place that any new staff have to complete it within their first week of working with us.
It’s not a written procedure, but due to the phishing results from before and after the training, HR are behind us on this one.

However, I’ve got one user who has been with us for around a month or two, and despite emailing their manager many times, they are yet to complete the training. After around three weeks, in the end I had to ban this user from using any computer within the company until they do their training. Something that is still in place.
The only saving grace is they aren’t really in a role that exposes them to emails/internet very much, if at all. Perhaps this is why the manager has not pushed to get them to complete it.

I’m curious what practices other guys use with regards to training, and what you’ve had to do with users that either haven’t, or won’t, do what is required.

Cheers

Carl


(Thomas Whitmore) #2

I have monthly meetings with the Security Committee, which includes the CEO. We have a written policy that all staff have read that states that if they don’t complete the training in the allotted time their network access will be cut off and HR will be involved for disciplinary actions. The only thing they will be able to do is take the course. I haven’t had to utilize this policy but it will make things easier. I have also taken advantage of the new functionality so the individual and manager will receive reminders on an increasing frequency (daily for the last 5 days). The nudging seems to be sufficient but I’m glad I have a big stick if I ever need it.


#3

Carl,
If senior management is not backing you up that is the problem. Ransomware is no joke and it only takes one click to ruin your day and then some. We have a policy that everyone that has Internet access must take the 45 minute training. We managed to get most everyone through the training and we Phish once monthly and again for the “clickers”. We have a couple folks that have not taken the training…

What is interesting here is that the owner of the company, who has dictated that everyone take the training, has not taken it himself… he has gotten bagged several times recently in the Phishing drills.

Can you say “Do like I say not like I do…”

Since you don’t have the necessary support… perhaps Phishing the hell out of that individual with the “helpful training” landing page will help you. If the person complains to his/her supervisor they will come to you and you can explain.

Good Luck… without top down support there is not a whole lot you can do…

Jon


(Todd) #4

If HR is behind you, then cut the users access and put the ball in HR’s hands. If they are unable to complete any jobs assigned because they have no access, then again, HR should enforce some form of disciplinary action.

Since we are only beginning our Security Awareness Trainings, we have not had any issue crop up. And the Board, the ‘C’ levels and HR are on board…but knowing how we coddle folks here, if I cut access I am sure I will face some criticism that I am preventing someone from doing their job.

As was mentioned above, you need to get full top down support. If the user will not complete a simple 45 minute training, I would place less value in their contribution as an employee in the future.


(Bill Slaven) #5

Totally understand, Todd! It seems at some places the user comes first as opposed to protection of the network and data. I would much prefer to have one user unable to work as opposed to everyone if something was to go wrong.