Employee awareness training plan
CyberSecure Canada has developed this template for your use in relation to certification requirements for the Provide Employee Awareness Training security control area. It provides guidance as to how information can be organized and documented for certification. CyberSecure Canada does not guarantee a successful certification from use of this template. Organizations are not obliged to use this template and may provide the certification requirement(s) in a documented format best suited for them.
Instructions are provided in blue font within each section of this template. Upon completion of the template, delete these instructions.
It is recommended that users review the eLearning module for the Provide Employee Awareness Training security control area and the completed example of this plan. Instructions end.
Instructions: Your training plan should include the following sections:
- Employee awareness training policies
- The employee awareness training policies outline the mandatory training, role-specific training, and the frequency at which training needs to be administered.
- Employee awareness training record
- The employee awareness training record keeps track of employee training, the type of training, and when the training is scheduled or was completed.
- Employee awareness training outline
- The employee awareness training outline is a sample outline for a learning activity. It includes time for ice breakers, the specific topics that will be covered in training, and assorted other activities. This outline can be used to standardize training within an organization.
- Appendix – Employee awareness training materials
- The employee training materials will be provided during training and are meant to support learning and retention of key concepts.
Employee awareness training policy
Instructions: It is a best practice for organizations to ensure their policies are reviewed and updated regularly. Document what changes are made, when, and by whom.
The Employee Awareness Training plan has been modified as follows:
[Description of changes made]
[Name of the editor]
Purpose and scope
Instructions: Insert your scope statement or use the example provided.
The purpose of this policy is to provide training to [Organization Name] employees as it relates to its Cybersecure policies and guidelines. It encompasses scheduled training, plus mandatory and role-specific training as it relates to cyber security training.
Instructions: Determine how often training will be provided.
There is [Frequency] scheduled employee training of [Organization Name]'s policies, provisions, or other identified elements requiring training.
An employee awareness training record will be established, maintained, and updated to reflect any changes, updates, or rescheduled training.
Instructions: Insert the subjects/areas in which staff must undergo mandatory training. If appropriate, you can use the example below.
All staff at [Organization Name] must undergo the following training:
- Creating safe and secure passwords
- Using the internet and social media safely
- Using only approved software and apps on workplace devices
- How to identify malicious links and phishing emails
Role-dependent training
Instructions: Identify the roles in your organization and the mandatory training and frequency of training required.
All staff at [Organization Name] acting in the following roles must undergo the stated training:
Instructions: Identify who in your organization will be responsible for enforcing and developing an enforcement statement. If appropriate, you can use the example below.
It is the responsibility of [Organization Name] to recognize when mandatory and role-dependent training is necessary for employees and provide the relevant employees with the required training.
Employee awareness training record
Instructions: Document the training undertaken by employees.
Date of completion
Employee awareness training outline
Instructions: Create an outline for your training plan. If appropriate, you can use the example below and update it as necessary for your organization.
Welcome participants to the program. If they are unfamiliar with the location, explain where the washrooms and the fire exits are. Let participants know how long the training is and what they are to do at the end (for example, go to lunch, return to work, etc.). Ensure attendance is documented.
An activity to introduce participants to each other (if they are not already familiar). This is also a good time to mention an interesting or dramatic fact about the topic you are covering that day to get their attention and set the stage for how important the topic is.
Explain the learning objectives for the session, and what participants are expected to take away. Cover any policies relevant to the learning objectives.
At minimum, the training program must cover:
Explain (5:00 per topic): Review the content they will need to know in order to successfully complete the upcoming activities. Do they need to understand password security? Safe use of the internet? How to identify malicious links and emails? Wherever possible, instead of just telling them the information, build on what they already know by asking questions.
Activity (10:00 per topic): Split participants into small groups or have them work as individuals and assign an activity that reinforces the information just introduced.
Suggested activities include:
Debrief (5:00 per topic): After participants have completed the activity, they should compare their results with one another.
Ask one or more questions to generate a group discussion on the topic and reinforce the content of the class.
Summarize what participants have learned, remind them of the learning objectives they have just achieved, thank them for their time, and close the training session.
*For each topic, first explain (5 min.), then run the activity (10 min.), then debrief (5 min.) before moving on to the next topic.
Appendix – employee awareness training topics and outlines
Instructions: List the areas/topics in which employees are to undergo training.
Provide an outline for each topic/area. If appropriate, you can use the example below.
Use of effective passwords
- Ensuring all work devices and accounts are protected by effective, secure passwords is an important part of any cyber security program, and should be a key focus of your training.
Use passcodes or PINs
- When possible, use a passcode or PIN on a work device, or on a personal device with work access.
Use two-factor authentication
- Two-factor authentication (2FA) is crucial when dealing with sensitive information. Organizations should always set up 2FA where possible and not skip this process. Employees should also be made aware of 2FA and its benefits.
- A good activity for employee training is to have participants develop an unguessable password.
- Creating secure passwords also includes protecting your passwords from being guessed or found out, and avoiding common mistakes in setting a password.
- Protect your passwords and PINs by not sharing them with others or writing them down in places where they could be found. Using a password manager is a best practice.
- Avoid common mistakes such as using the same password for multiple sites, or using simple, easy to guess passwords.
- Complex passwords should be a minimum of 12 characters, and contain upper and lowercase letters, numbers, and special characters.
Identification of malicious emails and links
- Fraudulent emails containing malware or malicious links can be subtle, sophisticated, and hard to detect for someone not properly trained in how to identify them.
- Phishing emails look legitimate, but are mass emails sent to multiple recipients. They usually contain a malicious link or attachment that enables threat actors to gain access to security credentials, or to the computer or its network, when the attachment is opened or the link is clicked.
- Spear phishing emails are designed to target groups and people with specific interests or types of employment.
- Phishing email messages often appear to be both relevant to the target and sent by a credible source, but they contain links that, when clicked, enable threat actors to gain access to credentials, computers, or networks.
What makes spear phishing so effective?
- Spear phishing emails are effective because they generally contain branding and logos of legitimate organizations, and the subject line is relevant and encourages trust.
- Malicious software can also be contained in PDFs, images or other files that look legitimate.
- Making employees aware of how to identify phishing and spear phishing emails and links is an important part of any employee awareness training program.
- Being able to identify which links are legitimate and which are phishing links is crucial to your employees being able to navigate the internet safely at work.
- When on a desktop or laptop browser, hovering your mouse over the link without clicking it will show the whole URL. From there, look for the telltale signs that the link is fraudulent.
- Fraudulent links often do not match the domain name of the sender. For instance, an email claiming to be from Microsoft contains a link with a domain name from a lawyer's office.
- They can also contain misspelled domain names from common brands, such as Microsoft with a missing O, or Apple with an extra p.
- Fraudulent links also often contain extra terms such as www.support.help.apple.com.
- Phishing and spear phishing emails don't just contain malicious links. They can also contain attachments that, when opened, can infect your network with viruses, including ransomware.
- Malware is often disguised as invoices or purchase orders and may appear to come from trusted sources.
- Never open an attachment you were not expecting. Compose a separate email – not a reply – to a known address of the sender to ask if the attachment is legitimate.
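The link checks described above (domain not matching the sender, a misspelled brand name, a brand name used as a decoy in front of another domain, and hosts padded with extra terms) can be turned into a small triage helper that trainers can run on sample messages during the activity. The following Python script is an added example, not part of the CyberSecure Canada template; the brand list, the sample emails and the thresholds are constructed for illustration, and the domain extraction deliberately takes the last two labels of a host name, so it will cut domains such as `example.co.uk` or `something.gc.ca` incorrectly unless extended with a public-suffix list.

```python
"""Heuristic link inspection for the phishing-awareness topic.

Added example, not part of the CyberSecure Canada template. It applies the
checks the training outline lists to a URL lifted from an email: does the
link's domain match the sender's domain, does the domain look like a
misspelled brand, is a brand name used as a decoy subdomain, and does the
host carry unusually many extra labels. Brand list and samples are constructed.
"""
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed brand list; an organization would list the domains it actually deals with.
KNOWN_BRANDS = {"microsoft": "microsoft.com", "apple": "apple.com"}
LOOKALIKE_THRESHOLD = 0.8   # similarity above which a label is treated as a misspelling
MAX_EXTRA_LABELS = 2        # more labels than this in front of the domain is flagged


def registrable_domain(host: str) -> str:
    """Last two labels of a host name, e.g. 'www.apple.com' -> 'apple.com'.
    Simplification (assumption): no public-suffix list, so 'example.co.uk' is cut wrongly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(url: str, sender_address: str) -> list[str]:
    """Return the warnings the heuristics raise; an empty list means none fired."""
    if "://" not in url:                       # urlparse needs a scheme to find the host
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    link_domain = registrable_domain(host)
    sender_domain = registrable_domain(sender_address.rsplit("@", 1)[-1])
    second_level = labels[-2] if len(labels) >= 2 else host
    subdomain_labels = labels[:-2]
    warnings: list[str] = []

    # 1. The link's domain should match the claimed sender's domain.
    if link_domain != sender_domain:
        warnings.append(f"link domain {link_domain!r} does not match sender domain {sender_domain!r}")

    for brand, brand_domain in KNOWN_BRANDS.items():
        if link_domain == brand_domain:
            continue                           # genuinely under the brand's own domain
        # 2. Brand name appears only as a decoy label in front of some other domain.
        if brand in subdomain_labels:
            warnings.append(f"{brand!r} is used as a decoy subdomain of {link_domain!r}")
        # 3. Second-level label is a near miss of the brand (missing or extra letter).
        similarity = SequenceMatcher(None, second_level, brand).ratio()
        if second_level != brand and similarity >= LOOKALIKE_THRESHOLD:
            warnings.append(f"{second_level!r} looks like a misspelling of {brand!r}")

    # 4. Unusually deep host names (extra terms in front of the domain) deserve a second look.
    if len(subdomain_labels) > MAX_EXTRA_LABELS:
        warnings.append(f"host {host!r} has {len(subdomain_labels)} extra labels in front of {link_domain!r}")
    return warnings


# Constructed sample messages for a training exercise: (claimed sender, link in the body)
SAMPLE_EMAILS = [
    ("billing@microsoft.com", "https://www.microsoft.com/account"),          # legitimate
    ("billing@microsoft.com", "https://smithlaw-example.ca/invoice"),        # unrelated domain
    ("security@microsoft.com", "http://www.micrsoft.com/login"),             # missing letter
    ("no-reply@apple.com", "https://apple.com.verify-account.net/signin"),   # brand as decoy
    ("support@apple.com", "https://www.support.help.apple.com/reset"),       # extra terms
]


def review_samples(samples=SAMPLE_EMAILS) -> dict[str, list[str]]:
    """Run every sample through inspect_link and map each URL to its findings."""
    return {url: inspect_link(url, sender) for sender, url in samples}


if __name__ == "__main__":
    for url, findings in review_samples().items():
        print(url)
        for line in findings or ["no heuristic fired"]:
            print("   -", line)
```

Each warning corresponds to one of the telltale signs in the outline, so participants can compare what the script flagged with what they spotted by hovering over the link; a clean result only means none of these heuristics fired, which is a useful discussion point for the debrief.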
Use of approved software
- A good exercise for this lesson is to list a selection of software applications and ask participants to determine if they are authorized.
- Organizations must develop clear policies for safe internet use at work, and communicate those policies to employees before they take part in cyber security training. These may include prohibitions on:
- Criminal activity online
- Instigating or propagating malware or viruses
- Downloading software without permission
- Sharing credentials without authorization
- Connecting to the dark web, or other inappropriate sites
- These policies should be clearly explained in your training program, with examples and case studies or scenarios for employees to work through and apply their knowledge. This can include showing various websites and asking if they are acceptable to visit under the company policy.
Safe use of social media
- Social media is an increasingly important part of marketing any business, but it comes with its own unique set of risks.
- Ensuring employees are trained on the nature of those risks and how to avoid them can prevent costly and embarrassing cyber incidents. To ensure the safe use of social media:
- Apply all possible security steps to accounts, including securing all devices and eliminating unused accounts.
- Use good judgement based on cyber security best practices when accessing unknown websites or accounts.
- Avoid sharing unnecessary personal information on company social media feeds.
- Risks on social media can include threat actors gaining access to your profile. Using every available security feature for log-ins can help prevent this.
- Social media can contain malware hidden on seemingly harmless links. Make sure any links you click are from trusted sources, and that those sources themselves haven't been recently hacked.
- Sharing information like birthdays, children's names, pets' names, and other details can make it easy for threat actors to compromise your accounts.
- A good training exercise is to ask participants to audit their own social media accounts to see if they comply with best practices.