Cyber security awareness training is nothing new. As well as teaching employees how to recognise and avoid cyber threats, the training can also include best-practice techniques and regulatory compliance requirements. But how do you know if your training is getting the job done? Many businesses have a program in place, but more often than not the results fall short, leaving you vulnerable to security breaches, data loss, and other catastrophic scenarios.
In today’s market, your brand is everything. The internet and our fast-paced lives make switching providers a snap. Online retailers, service businesses and even online software providers all risk losing hundreds, possibly thousands, of customers from just a single breach or unauthorised sharing of customer data. The risk of even one incident is simply too big to ignore.
But how do you make sure your cyber security awareness training is a success? Far too many companies approach the program the wrong way, treating it solely as a technology problem. To succeed, cyber security awareness training must do more than teach staff the technical aspects; it requires a shift in the whole culture of the company. On top of that, it often means getting staff who are not tech-savvy used to entirely new processes and procedures. That’s not easy. But there are four things you can do right now to make sure your business is on track.
Imagine you’re the coach of a professional sports team. Just as you wouldn’t show up to a game with no knowledge of your players or the opposing team’s strategies, the first step in any successful cyber security awareness training program is the assessment of what you’re working with. To plan a successful education program, you need to know what you’re up against.
How many staff will click on a link in a phishing email? How many know your password policy, or might let someone without clearance into the building? A 2018 report from a large security software userbase showed that for each random phishing email, on average, nine percent of staff clicked on the link. Do you know who will in your organisation? Which end users have access to the most sensitive information? To plan a successful training program, you need to know who has access to which data and what level of technical understanding they have. Examine everything, from the ability to recognise a phishing email to steps to stop an offline breach attempt.
The first step to designing a successful training program is recognising that not everyone will be at the same level of ability. Your IT security team is a group of highly skilled employees, but that’s not where the real risks are. Realising that the program needs to work for even the most technologically challenged staff is the first step.
From there, you need to determine what each group or person needs training on. This information should be easily at hand from the assessment step. What are the biggest cyber threats for your company? Where are your weak points, and what needs to happen to shore them up? Many companies choose to have HR involved in delivering the program. This avoids end users immediately placing it in the ‘too hard’ basket, as can happen with emails from IT detailing new policies or procedures.
Returning to our sports team analogy, why do great sporting teams keep on winning? It’s more than just skill and preparation. The best have a belief and trust in each other and the process. They know they’re good, and they know they’ll win. That’s what you need to accomplish with cyber security awareness training. Overlaid with education, that awareness of how to stay secure becomes part and parcel of every day. It’s just “the way we do things here.” Making it a part of the company culture is crucial.
So how do you accomplish this? The more positive a message is, the better it’s received and retained. Look for the positive in every situation, even if things aren’t going so well at first. To be successful at changing corporate culture, you need to celebrate the wins. If people are afraid to report for fear of generating a false positive, or worried they’ll be in trouble for doing something wrong, then the battle has been lost before it’s even begun. Celebrate the small wins often.
Just like our sports team, measurement and analysis need to be an ongoing feature of your cyber security awareness training. Any coach will know how many games their team has won. But do they know how many hours they’re training, how much they eat, and how many hours of sleep each team member gets? How many tackles did each get in? How far did they run? Your approach to measuring and reporting on the success of an education program needs to be just as thorough.
An in-depth analysis of how each team member is performing can help you identify problems before they occur and uncover unseen threats. Who is over-reporting? Is anyone not reporting at all? Maybe there’s a particular sticking point that multiple end users are getting wrong repeatedly. Your cyber security awareness program needs to follow a continuous training methodology. Keep the program at the forefront of your and your staff’s minds and constantly measure success. It can also be helpful to benchmark your business against statistics for others in your industry to see how your staff are performing before and after education sessions.
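The measurements described above (click rate and report rate before and after a session, users who click repeatedly, users who never report, and which group is the sticking point) can be pulled straight out of phishing-simulation results. The following is an added example, not code from the article, the podcast guest or Proofpoint; the record layout and the RESULTS data are constructed for illustration.

```python
from collections import defaultdict

# Constructed phishing-simulation results (not real data): one record per
# user per simulated email. "phase" marks whether the send happened before
# or after the education session being benchmarked.
RESULTS = [
    {"user": "alice", "dept": "finance", "campaign": 1, "phase": "before", "clicked": True,  "reported": False},
    {"user": "bob",   "dept": "finance", "campaign": 1, "phase": "before", "clicked": False, "reported": True},
    {"user": "carol", "dept": "sales",   "campaign": 1, "phase": "before", "clicked": True,  "reported": False},
    {"user": "dave",  "dept": "sales",   "campaign": 1, "phase": "before", "clicked": False, "reported": False},
    {"user": "alice", "dept": "finance", "campaign": 2, "phase": "after",  "clicked": True,  "reported": False},
    {"user": "bob",   "dept": "finance", "campaign": 2, "phase": "after",  "clicked": False, "reported": True},
    {"user": "carol", "dept": "sales",   "campaign": 2, "phase": "after",  "clicked": False, "reported": True},
    {"user": "dave",  "dept": "sales",   "campaign": 2, "phase": "after",  "clicked": False, "reported": False},
]


def rate(records, field):
    """Share of records where `field` is True; 0.0 for an empty slice."""
    return round(sum(1 for r in records if r[field]) / len(records), 2) if records else 0.0


def phase_metrics(records):
    """Click rate and report rate per phase, to benchmark before vs after training."""
    by_phase = defaultdict(list)
    for r in records:
        by_phase[r["phase"]].append(r)
    return {p: {"click_rate": rate(rs, "clicked"), "report_rate": rate(rs, "reported")}
            for p, rs in by_phase.items()}


def dept_click_rates(records):
    """Click rate per department, to spot a group that is repeatedly getting it wrong."""
    by_dept = defaultdict(list)
    for r in records:
        by_dept[r["dept"]].append(r)
    return {d: rate(rs, "clicked") for d, rs in by_dept.items()}


def repeat_clickers(records, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns."""
    clicks = defaultdict(set)
    for r in records:
        if r["clicked"]:
            clicks[r["user"]].add(r["campaign"])
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_campaigns)


def never_reported(records):
    """Users who reported nothing in any campaign: a reporting gap, not a click problem."""
    users = {r["user"] for r in records}
    reporters = {r["user"] for r in records if r["reported"]}
    return sorted(users - reporters)
```

On the constructed data the click rate halves after the session while the report rate doubles, but alice still clicks in both campaigns and neither alice nor dave has ever reported, which is the per-person detail a campaign-wide percentage hides.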
Cyber security is never static, so your education program needs to keep pace. By assessing your playing field, designing personalised education programs to match your and your end users’ needs, reinforcing milestones and successes, and measuring and reporting outcomes, you’ll be well on your way to ensuring the success of your cyber education training.
This article was written after an interview with Andrew Warren-Nicholls from Proofpoint on Safe in Space: A Cybersecurity Podcast.
As part of their partnership with Content Security, Proofpoint are offering a 1-on-1 demo, where they'll walk you through how you can get the following results with their Security Education Platform:
Up to 90% reduction in successful external phishing attacks and malware infections
64% average improvement in phishing vulnerability
Up to 50% reduction in business risk and impact related to end-user security
Up to 50x return on investment