Cyber-criminals like to target the weakest link in a company's cyber security defense — and in 2017, employees are often that link. A struggle is introduced when companies know their employees are the weakest link, yet rarely do they budget for cyber security training. For the sake of your company, your customers, and your brand, this mindset must shift. Your employees can provide an important line of defense against cyber-crime after educating them on the basics of cyber security. For this training to be effective, though, it needs to be engaging, well planned, and well communicated.
Here are six tips that can help you deliver cyber security training that employees will remember:
1. Provide Cyber Security Education in Small Chunks
If you bombard employees with a lot of information at once, they probably won't retain most of it. A much more effective way to get people to retain information is to provide ongoing training in small chunks. For instance, you might cover phishing emails by presenting a certain amount of material each week. Remember to keep your meetings short, as attention and retention diminish quickly after the first 30 minutes. Also, don't rely on breakroom signage or PowerPoint-heavy meetings to get your point across. Keep it simple and to the point with a clear agenda.
2. Make the Cyber Security Training Personal
With cyberattacks being so rampant, your employees are likely concerned about protecting their personal phones, family photos, and other sensitive data. A good way to get them interested in your business's security measures is to start by discussing how they can secure their personal devices and family. Once employees learn good security habits at home, they will be more likely to practice them at work.
“Creating a Cyber Secure Home”
Download the printable version here: https://securingthehuman.sans.org/media/resources/STH-Poster-CyberSecureHome-Print.pdf
3. Make the Cyber Security Training Hands-On
Think back to your college or high school days. Did you learn more in the classes where the teacher lectured in front of the room, or in the ones where you actively participated in activities? Studies have shown that the act of "doing" has a greater absorption and attention rate than the act of "viewing". Having hands-on activities will help hold employees' attention during the training session as well as help them remember the information afterward. The activities do not have to be elaborate. They can be as simple as presenting employees with copies of emails and having them pick out the ones that are phishing scams.
4. Include Everyone in the Cyber Security Training
It is important that all your employees receive basic security training. Even managers should participate in at least the basic security program. Hackers like to target managers because they tend to have access to more sensitive and valuable information. Keep in mind that some employees might need additional instruction that takes into account specific tasks related to their position. The top targeted roles for spear phishing are:
- Human Resources and Operations
5. Regularly Test Employees' Cyber Security Knowledge
After employees have completed a training session, you might want to test what they have learned. For instance, if you recently covered how to spot phishing attacks, you might want to send out a fake phishing email with a suspicious link that, if clicked, leads to a safe web page containing the message "IT security training phishing exercise". This test can reinforce what employees have learned as well as help you determine the effectiveness of the training. Afterward, you should follow up with employees, especially those who clicked the link. You do not need to embarrass or scold employees during this discussion. Instead, you can provide additional education and resources as well as answer any questions they may have.
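The measurement side of that exercise, as an added example that is not part of the original post or of any vendor's product: each recipient's link carries a per-person token, the safe landing page's web server log is parsed, and the script reports the overall and per-department click rate plus the list of people to follow up with. The roster, the token values, the log format and the `/training-exercise` path are all constructed assumptions for this example; only the first click per person counts, repeat visits and unknown tokens (forwarded links, scanners) are kept out of the rate.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed roster of who received the simulated phishing email. Each person
# got a link with their own token, so clicks are attributed per recipient
# rather than by IP address (shared NAT addresses would make IP useless).
ROSTER = {
    "tok-001": {"user": "alice", "dept": "Finance"},
    "tok-002": {"user": "bob", "dept": "Finance"},
    "tok-003": {"user": "carol", "dept": "HR"},
    "tok-004": {"user": "dave", "dept": "Operations"},
    "tok-005": {"user": "erin", "dept": "Operations"},
    "tok-006": {"user": "frank", "dept": "Engineering"},
}

# Constructed access-log lines from the safe landing page. The format is an
# assumption: ISO timestamp, client IP, quoted request line, status code.
LANDING_LOG = """\
2017-03-06T09:12:44 10.1.4.17 "GET /training-exercise?t=tok-001 HTTP/1.1" 200
2017-03-06T09:13:02 10.1.4.17 "GET /training-exercise?t=tok-001 HTTP/1.1" 200
2017-03-06T09:20:11 10.1.7.3 "GET /training-exercise?t=tok-004 HTTP/1.1" 200
2017-03-06T09:21:05 10.1.7.3 "GET /favicon.ico HTTP/1.1" 404
2017-03-06T10:02:30 10.1.9.9 "GET /training-exercise?t=tok-999 HTTP/1.1" 200
2017-03-06T10:30:00 10.1.2.2 "GET /training-exercise?t=tok-003 HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)


def parse_clicks(log_text, landing_path="/training-exercise"):
    """Return {token: timestamp of FIRST click} for hits on the landing page.

    Lines that do not parse, that hit other paths, or that carry no token are
    ignored. Repeat clicks by the same token keep the earliest timestamp.
    """
    first_click = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlparse(m["path"])
        if url.path != landing_path:
            continue
        token = parse_qs(url.query).get("t", [None])[0]
        if token is None:
            continue
        first_click.setdefault(token, m["ts"])
    return first_click


def summarize(roster, clicks):
    """Compute click rates and the follow-up list from roster + first clicks."""
    sent_by_dept = defaultdict(int)
    clicked_by_dept = defaultdict(int)
    followups = []
    unknown = []
    for token, ts in clicks.items():
        if token not in roster:
            unknown.append(token)  # not a recipient: forwarded link or scanner
    for token, person in roster.items():
        sent_by_dept[person["dept"]] += 1
        if token in clicks:
            clicked_by_dept[person["dept"]] += 1
            followups.append((person["user"], person["dept"], clicks[token]))
    followups.sort(key=lambda row: row[2])  # earliest clicker first
    total_clicked = len(followups)
    return {
        "click_rate": round(total_clicked / len(roster), 3),
        "by_dept": {
            dept: round(clicked_by_dept[dept] / sent, 3)
            for dept, sent in sorted(sent_by_dept.items())
        },
        "followups": followups,
        "unknown_tokens": sorted(unknown),
    }


if __name__ == "__main__":
    report = summarize(ROSTER, parse_clicks(LANDING_LOG))
    print(f"overall click rate: {report['click_rate']:.0%}")
    for dept, rate in report["by_dept"].items():
        print(f"  {dept:<12} {rate:.0%}")
    print("follow up with:", [u for u, _, _ in report["followups"]])
    print("unknown tokens:", report["unknown_tokens"])
```

The follow-up list is what drives the coaching conversation the post describes; the per-department rate is what tells you whether the next round of small-chunk training should focus on one group. Counting only the first click per token keeps one curious employee who reloaded the page from inflating the rate, and unknown tokens are reported separately so they can be checked rather than silently counted.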
DID YOU KNOW:
CentraComm has partnered with KnowBe4, one of the leading cyber security training and testing companies. KnowBe4 allows companies to regularly test, measure and train their employees using video training exercises that speak specifically to their phishing test results.
6. Keep in Mind that Cyber Security Training Has Its Limitations
No matter how good your cyber security training is, there is a chance your business will fall victim to a cyberattack. Plus, there is always the risk of insider threats. For these reasons, you need to implement other security measures, such as installing next-generation endpoint security software, patched and monitored firewalls, SIEM and more. Cyber security training is another piece of the security puzzle. It's a big piece though!