All IT teams in medium to large organizations know that they should be providing regular IT security training to staff members. Small businesses should be doing it too, but might not be as aware of the need for cybersecurity training for non-IT staff.
Thing is, other jobs always seem to get in the way. Firefighting system availability, authentication, confidentiality and security issues means that training often drops down the priority list.
Even in security-conscious organizations, months, and even years, can pass without a training session being held.
The problem is pretty straightforward. According to CyberEdge Group , a US-based research firm, employees are still to blame. “For the third consecutive year, low security awareness among employees tops the list of barriers to establishing effective security defenses.”
In other words, low security awareness among employees is the greatest inhibitor to improved cyber protection.
To help you improve your cybersecruity training, we are providing you with our best tips and resources to get you on your way to improving your organization’s security posture, whatever its size and complexity.
Maximizing cyber security training ROI
We’ve provided a lot of training for businesses over the years. Here are our top tips to ensure that you are providing memorable, engaging and, most importantly, useful training that will help to lower your organization’s exposure to threats.
Operating at a lower risk level means you can significantly reduce your chances of being a victim of data theft, network infiltration, malware attacks, ransomware and other nasty cyber threats.
Make it interesting
A little creativity goes a long way. There’s little point of providing security training if the attendees do not retain the information.
Here is an example of how to really engage your employees. After work hours, have the IT team wander around the office looking for infractions, such as computers that are left unlocked, sensitive documents or devices left on desks, desk drawers not locked, etc.
Have helium balloons of two colours and place one on each of the workstations: those with, say, red balloons are putting the organization (most likely unwittingly) at risk, while those with, say, green balloons are not committing noticeable infractions.
When the staff enter the next work day, they will see the balloons but not understand the meaning behind the colors, until you call them for mandatory training session to explain the setup and start the education.
Hold this type of exercise as you would fire drills, without warning or an obvious schedule. This approach will vastly improve how staff leave their workstation when they step away.
Educate, don’t dictate
When it comes to IT security, it can be really tempting for IT staff to publish a set of rules for staff to follow. It takes less time than providing education, but you risk alienating your staff.
If the staff feel that the department is a policing force that regulate the network, they will not feel like they can approach the team with questions, concerns, let alone admit a mistake. They are much more likely to operate on instinct without informing you, meaning you are not only blind to a potential infraction, but you will not be able to put in place any remedial actions.
While most staff will of course have a much lower understanding of cybersecurity than those within the IT teams, their behavior can have a drastic impact on your exposure levels. What staff need are not just rules, but a clear explanation of why these rules exist, how their support will radically improve the overall security for the business, helping it to remain unscathed by cyber attacks.
Get their attention with recent news stories of breaches from companies that are similar to yours. This approach helps to mitigate against the attitude that only big firms are targeted.
Case studies where employees have unwittingly caused a security breach, from sharing passwords away to leaving the door open for some non-authorized person to enter the building, will bring the training home and encourage them to sit up and listen.
No one likes to be talked at for a long period of time. Our ability to retain information is highly tied to how engaged we are.
Incorporating group activities, such as getting teams to create cybersecurity information posters to place around the work environment, or present the teams with cyber security scenarios where they need to come up with the next steps, will keep their minds engaged.
These approaches allow your trainees to provide their thoughts on the right course of action, which will help them to retain the information and improve day-to-day security within the organization.
You can also provide quizzes at the end of the sessions and award those with high marks with some recognition or prize. Ultimately, it is in your best interest that those who take security seriously are treated as champions or deputy security officers for the organisation.
Tools and tips are only useful if they are shared with employees in a way that reduces risky behavior within the organisation. Staff training is, without doubt, a vital component to your security strategy.
If your IT teams are too busy, we would urge you to consider bringing in third party cyber security experts, like TBG Security, to help you reduce your overall exposure to today’s cyber threats. What is vital is to get the staff really engaged with the importance of cybersecurity.
Here is a list of training materials, tips and advice that can help you cut down on the workload.
US-CERT: They provide a huge list of training topics and tips that can help you ensure that you are pitching the content at the right level. You don’t want to lose their attention by “geeking’ out.
The organization also provides a list of PDF materials you can print out for your staff.
SANS: The cooperative research and education organization has set up a Securing the Human webpage with loads of resources, including daily security tips. Here you will find various resources to help you plan and maintain an awareness program that is not only compliant, but engages your employees and focuses on reducing risk by changing their behaviors.
Microsoft: This security kit offers some tools that you can use to help your employees learn the skills they need to work more safely on the Internet and better defend company, customer, and their own personal information. The Microsoft IT security kit includes instructions, PowerPoint instructions, top tips and videos, as well as a quiz.
Sophos: Global IT security vendor provides a comprehensive security awareness training toolkit. Tools and materials are available in a variety of formats for viewing and consuming.