Cybersecurity employee training: How to build a solid plan
Cybersecurity training often misses the mark, while threats continue to grow. Succeed where others have failed by keeping training fresh, current and real. Here's how.
Cybersecurity training programs play a crucial role in keeping employees informed about the changing threat landscape, as well as their personal roles in protecting the organization and its stakeholders. Unfortunately, these programs often suffer from a lack of attention that results in dull and potentially outdated content that doesn't effectively engage employees and, therefore, fails to achieve its cybersecurity objectives.
Most employees have been there -- subjected to some sort of mandatory corporate training program outside their field of expertise and a distraction from the work they need to finish. When the third nagging email hits the inbox, threatening to notify the boss if they don't complete the training program by the end of the day, they follow basic instinct. They open the 45-minute video in a new tab, press play and immediately turn their attention back to what they were working on. If the sound stops in the background, they go back to the hidden tab and answer some simplistic quiz question with an obvious answer to get the video to continue.
That's the frame of mind cybersecurity professionals need to be aware of when developing the security training programs they share with their own workforce. If training isn't compelling enough to break through the clutter, it doesn't truly reach its target audience, and that is a catastrophic failure for the program and a significant threat to enterprise security.
Why is cybersecurity employee training important?
When employees don't understand cybersecurity threats and their own role in protecting systems and data, they may inadvertently or intentionally take actions that undermine security controls. This may result in attackers compromising their accounts, installing malware on systems or successfully achieving another type of security breach.
According to the National Cybersecurity Alliance (NCSA), as part of the information it released for its 2021 Cybersecurity Awareness Month, phishing attacks accounted for more than 80% of reported security incidents since the COVID-19 pandemic began in 2020. In its September 2020 survey, the NCSA found only 73% of individuals felt confident in their ability to identify a malicious email or link, and of the 35% of respondents working from home due to the pandemic, less than half (45%) felt fully prepared to securely access data and systems remotely.
These statistics underscore the importance of effective cybersecurity training programs, especially because it only takes a single uninformed employee to inadvertently trigger a serious security compromise.
How to create an effective cybersecurity training program
No organization sets out to create an ineffective cybersecurity training program. Organizations all want to engage employees and better prepare them to work securely in today's threat environment. Many programs simply fail to meet their objectives, however. Here are a few steps organizations can follow to ensure their programs achieve their goals:
- Engage employees. There's no substitute for engaging content. If cybersecurity training materials are dull, they'll be shuffled off to a background browser tab. This doesn't mean they have to be full of corny humor or silly stories. While a joke here and there can help keep things light, it's more important to speak to the employee's point of view. Organizations should share anecdotes that directly relate cybersecurity messages to the work environment. And keep it short. A series of five- to seven-minute videos are far more likely to keep the viewer's attention than a 45-minute monologue, no matter how well it is produced.
- Keep it fresh. Organizations should regularly update training materials for two significant reasons. First, nobody wants to watch reruns of cybersecurity content. Second, a business's operating environment and threat landscape are constantly changing, and training should adapt to meet those evolving needs.
- Use a variety of formats. Different people learn in different ways. The more mechanisms organizations use to share their message, the more likely they reach diverse members of the target audience. Combine online training with email newsletters, short discussions in team meetings, lunch-and-learn sessions and whatever other formats might resonate with teams. Experiment often, keeping the things that work.
- Measure your effectiveness. Use creative means to evaluate the effectiveness of the training program for employees based on its objectives. Those quiz questions with obvious answers don't meet the mark, as they're usually so easy anyone can answer them correctly without absorbing the content. If they're too difficult, companies face the hassle of employees failing the test. Instead, try using mechanisms like phishing simulations that evaluate the actual awareness level of the team. Many vendors now provide managed services that administer phishing simulation campaigns and help companies target follow-up efforts.
Top 4 most important cybersecurity training topics
Now that you're ready to build an effective cybersecurity training program, what topics should you cover? You need to develop that list based upon your own organization's needs, but it's important to keep the topics simple and focused.
The following four crucial topics should be explored in any security awareness training effort:
- Phishing attacks are one of the oldest threats, and they remain highly effective. Verizon's "2021 Data Breach Investigations Report" found phishing emails were not only the most common threat action in cybersecurity breaches, but that phishing attacks increased by 11% in 2021. This points to why employees must be educated to recognize and handle these security threats appropriately.
- Social engineering attacks don't always use phishing emails, however. Be sure to remind employees they might find social engineering scams in front of them at a customer service counter, on the other end of a telephone call or even sitting in the next cubicle. Employees should understand the techniques used by social engineers and how adhering to security practices can frustrate those efforts.
- Password hygiene is a constant battle. Most organizations have addressed this threat with the implementation of two-factor authentication, but password security remains crucial because not all systems support multifactor. Employees who reuse passwords on multiple websites may expose corporate credentials during security breaches. Awareness programs can educate these team members about these risks and help them adopt password managers that enable the creation of strong, unique passwords for each site they visit.
- Secure remote work practices became significantly more important beginning in 2020, when large portions of the workforce suddenly began working from their homes with little or no preparation due to the pandemic. Cybersecurity awareness programs should focus on ensuring that employees understand corporate policies around storing and accessing sensitive information from outside the office.
Parting advice
While training should be current and fresh, that doesn't mean organizations need to explore exotic topics. All of the advice above fits into the category of "oldies but goodies." Most security breaches occur as the result of simple threats, and effective cybersecurity awareness efforts find new ways to engage employees in basic cybersecurity practices.
