If you were to describe your business’s cybersecurity training program, what would you say? How often do you offer training? What does the training consist of? How often do you update the training content? How do you measure the effectiveness of the training and keep security at top-of-mind awareness for your employees?
Chances are, if you were to be asked these questions, it wouldn’t take long to realize that your cybersecurity training plan is probably inadequate at best — and a waste of time and money at worst. Herding your team into a conference room once a year to review the same slide show they saw when they were hired, reminding them not to give out their passwords or click on links in emails from unknown senders is not only boring, it’s also not likely to change much in terms of employee behavior. In short, cybersecurity training that is treated like little more than an item on a checklist isn’t going to keep your company safe in the current threat landscape.
Moving away from that mindset requires some creativity and a more personal and results-oriented approach to security training. The result, though, will be a higher level of security awareness, and a reduced risk of a breach or another security incident.
Step 1: Offer Ongoing Training
Cybersecurity training shouldn’t be something that happens once a year. For it to be truly effective, education should be continuous, combining regular formal sessions with frequent reminders and refreshers in between. Include security information in employee newsletters and internal blogs, send out regular email reminders and updates, and hang posters so that security tips and policies stay in front of employees at all times. All too often, cybersecurity ends up being “out of sight, out of mind,” so keeping information in sight (and keeping it fresh) will help employees remain engaged.
Step 2: Make Training Engaging
The cybersecurity threats of today are different from those of even a year ago, never mind three, five, or 10 years ago. That’s why it’s so surprising that so many companies use the same PowerPoint slide presentations about security year after year. And when those same presentations are shown to employees who have been with the company for several years? The likelihood that they will pay attention is rather slim.
While keeping presentations up-to-date with the latest information is important, keep in mind that the typical slide presentation/lecture isn’t the most effective way to impart security information. Training needs to be interesting and engaging to capture and keep attention and spur positive behaviors. Consider hiring a technology expert as a guest speaker to inform your team about current and forthcoming risks and how they can keep information safe. Make information relevant by relating it to employees’ life outside of work, reminding them that good security behaviors aren’t just a “work thing.” Incorporate hands-on games and other activities to bring the concepts to life. The more fun and interesting that you can make the training, the more effective it will be.
Step 3: Adjust Your Focus
Many cybersecurity training programs are fear-based, meaning that they focus heavily on the consequences of not complying with security policy and the potential damage that could result, rather than on supporting positive behaviors. While your employees need to understand the “whys” of security training, the actual experience should be focused on building awareness of potential threats and on how each individual plays a role in protecting the company. Don’t paralyze people with fear so that they feel as if they can’t do anything; instead, give them the tools and clear steps (such as how to report a suspicious email) so they can do their jobs safely.
Step 4: Incorporate Measurement
One way to be sure that security awareness training doesn’t become just another chore to get done is to measure your success. Testing, both announced (a short quiz after a session) and unannounced (a simulated phishing email sent without warning), can help you evaluate how much information employees have retained and whether it changes what they actually do. Collecting data about employee behaviors over time, such as how many people click a simulated phishing link versus how many report it, can also help you identify the strengths and weaknesses of the organization and plan additional training to align with those areas.
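The following is an added example, not part of the original article, showing one way to turn unannounced-test results into the measurements described above. It assumes a simulated phishing campaign as the unannounced test and uses a small constructed result set (two campaigns, two departments, four recipients each); the department names, campaign labels, and the follow-up thresholds (click rate above 20% or report rate below 50%) are hypothetical and would be set to match your own organization.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (hypothetical): one row per recipient of a simulated
# phishing email, recording the first thing that recipient did with it.
# Columns: campaign, department, user, action
SAMPLE_RESULTS = [
    ("2024-Q1", "finance", "alice", "clicked"),
    ("2024-Q1", "finance", "bob", "reported"),
    ("2024-Q1", "finance", "carol", "clicked"),
    ("2024-Q1", "finance", "dan", "ignored"),
    ("2024-Q1", "engineering", "erin", "reported"),
    ("2024-Q1", "engineering", "frank", "reported"),
    ("2024-Q1", "engineering", "grace", "clicked"),
    ("2024-Q1", "engineering", "heidi", "ignored"),
    ("2024-Q2", "finance", "alice", "clicked"),
    ("2024-Q2", "finance", "bob", "reported"),
    ("2024-Q2", "finance", "carol", "reported"),
    ("2024-Q2", "finance", "dan", "reported"),
    ("2024-Q2", "engineering", "erin", "reported"),
    ("2024-Q2", "engineering", "frank", "ignored"),
    ("2024-Q2", "engineering", "grace", "reported"),
    ("2024-Q2", "engineering", "heidi", "reported"),
]

VALID_ACTIONS = {"clicked", "reported", "ignored"}


@dataclass
class Metrics:
    """Counts for one (campaign, department) cell of the results."""
    total: int = 0
    clicked: int = 0
    reported: int = 0

    @property
    def click_rate(self) -> float:
        return self.clicked / self.total if self.total else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.total if self.total else 0.0


def summarize(results):
    """Return {campaign: {department: Metrics}} from (campaign, dept, user, action) rows."""
    summary = defaultdict(lambda: defaultdict(Metrics))
    for campaign, dept, _user, action in results:
        if action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        cell = summary[campaign][dept]
        cell.total += 1
        if action == "clicked":
            cell.clicked += 1
        elif action == "reported":
            cell.reported += 1
    return summary


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns.

    Repeat clickers are the people who most need individual follow-up rather
    than another all-hands slide deck.
    """
    clicks = defaultdict(set)
    for campaign, _dept, user, action in results:
        if action == "clicked":
            clicks[user].add(campaign)
    return sorted(user for user, camps in clicks.items() if len(camps) >= min_campaigns)


def departments_needing_followup(summary, campaign, max_click_rate=0.2, min_report_rate=0.5):
    """Departments in `campaign` whose click rate is too high or report rate too low.

    Thresholds are hypothetical; returns a sorted list of (department, reasons).
    """
    flagged = []
    for dept, m in summary[campaign].items():
        reasons = []
        if m.click_rate > max_click_rate:
            reasons.append(f"click rate {m.click_rate:.0%}")
        if m.report_rate < min_report_rate:
            reasons.append(f"report rate {m.report_rate:.0%}")
        if reasons:
            flagged.append((dept, reasons))
    return sorted(flagged)


def click_rate_trend(summary, earlier, later):
    """Change in click rate per department between two campaigns (negative = improvement)."""
    return {
        dept: summary[later][dept].click_rate - summary[earlier][dept].click_rate
        for dept in summary[later]
        if dept in summary[earlier]
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    for campaign in sorted(s):
        for dept, m in sorted(s[campaign].items()):
            print(f"{campaign} {dept:12s} clicked {m.click_rate:.0%}  reported {m.report_rate:.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("needs follow-up:", departments_needing_followup(s, "2024-Q2"))
    print("trend Q1->Q2:", click_rate_trend(s, "2024-Q1", "2024-Q2"))
```

Tracking the report rate alongside the click rate matters: a department whose click rate falls only because people started ignoring the emails has not improved much, whereas one where recipients report the message gives your security team an early warning on a real attack.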
Cybersecurity training should not become just another meaningless activity that employees dread. Given that employees are the single greatest risk to any company’s security, training should be a top priority and designed to provide tangible and long-lasting results. When that happens, you’ll get more out of your investment, and reduce the chances of a costly incident.