As often mentioned at Cyber Security Conferences, User IT Security Awareness is a key component of your overall IT Security Program.
We’ve used a couple of different methods & companies in the past but the one we’ve found the most success with is Wombat Security Technologies (now Proofpoint).
They provide an Online Training Platform consisting of a number of IT Security Related Training Modules which we are able to distribute (or “assign”) to staff. The breadth and depth of modules go beyond just avoiding Malware and get into other security topics such as Data Protection and Destruction, Best Practices while Traveling, PCI-DSS and even PII/PHI & GDPR.
Rather than a single all-encompassing course, we found that small monthly modules that we dish out all year long were the most beneficial to staff to always keep “IT Security” on people’s minds (also, with this approach, as new people start with the company, they get the “security essentials” introduction but then they just fall into the monthly assignment rotation and eventually get all the modules). In addition, modules are updated as new threats emerge (like “ransomware”) so even when people get a repeat, it’s still relevant to their interests.
It was really important for modules to be short and sweet (no module takes longer than 10-15 minutes to complete) and the system will continue to remind (badger) them until they have completed the monthly assignment (note that to “complete” the course they not only have to go through the material, but they also have to achieve a “passing grade” in the interactive exercises).
The courses are “mobile responsive” and can be completed from any internet-connected PC, tablet or smartphone, which allows people to do them from anywhere (this negates the complaints of that busy executive who is seldom in the office - “just do it from your phone while you are waiting in the holdroom for your next flight”).
People love them and we consistently get 80%+ Participation in every monthly module among our 300 staff throughout all areas of the company (from the guys who sweep the runways to the plumbers in maintenance, to the admin staff in finance). This is because staff see the material as being not only helpful to the company, but also very relevant to protecting themselves at home.
Wombat provides you with an account rep so you can get advice on relevant topics, frequency of training, how to incent your staff, and pretty much anything cyber security related.
Our Proofpoint Package also includes access to their ThreatSIM tool so you can send out simulated phishing Emails and assess the effectiveness of your training programs (back in 2013 I did a baseline and we were 55% Susceptible to Email phishing. As of Q2 of 2019, we’re now down to 5.2% YTD, so I have tangible evidence that it’s been a huge success – besides the fact that we’ve been able to avoid widespread virus/ransomware attacks.)