Cybersecurity training for employees: The why and how

Cybersecurity training continues to miss the mark. How do you succeed where so many others have failed? Keep it fresh, keep it current and make it real. Here's how.

Cybersecurity training programs play a crucial role in keeping employees informed about the changing threat landscape and about their personal role in protecting the organization and its stakeholders. Unfortunately, these programs often suffer from a lack of attention, resulting in dull and potentially outdated content that doesn't effectively engage employees and, therefore, fails to achieve its cybersecurity objectives.

We've all been there: subjected to some sort of mandatory corporate training program that is outside our field of expertise and a distraction from the work we desperately need to finish. When the third nagging email lands in our inbox, threatening to notify our boss if we don't complete the training program by the end of the day, we follow basic instinct. We open the 45-minute video in a new tab, press play and immediately turn our attention back to our work. If the sound stops in the background, we go back to the hidden tab and answer some simplistic quiz question with an obvious answer to get the video to continue.

That's the frame of mind cybersecurity professionals need when developing the security training programs they will share with their own workforce. If training isn't compelling enough to break through that clutter, it won't truly reach its target audience, and that will be a catastrophic failure for the program and a significant threat to enterprise security.

Why is cybersecurity employee training important?

When employees don't understand cybersecurity threats and their own role in protecting systems and data, they may inadvertently or intentionally take actions that undermine security controls. This may result in attackers compromising their accounts, installing malware on systems, or successfully achieving another type of security breach.

In a September 2020 survey, the National Cyber Security Alliance (NCSA) found that only 73% of individuals felt confident in their ability to identify a malicious email or link and that, of the 35% of respondents working from home due to the pandemic, less than half felt fully prepared (45%) to securely access data and systems remotely. These statistics underscore the importance of effective cybersecurity training programs, especially in light of the fact that it only takes a single uninformed employee to inadvertently trigger a serious security compromise.

How to create an effective cybersecurity training program

No organization sets out to create an ineffective cybersecurity training program. We all want to engage employees and better prepare them to work securely in today's threat environment. However, many programs simply fail to meet their objectives. Let's take a look at a few steps that you can follow to ensure that your organization's program achieves its goals:

  • Engage employees. There's no substitute for engaging content. If your cybersecurity training materials are dull, they'll be shuffled off to a background browser tab. This doesn't mean that they have to be full of corny humor or silly stories. Sure, a joke here and there can help keep things light, but it's more important to speak to the employee's point of view. Share anecdotes that directly relate cybersecurity messages to their work environment. And keep it short! A series of five- to seven-minute videos are far more likely to keep the viewer's attention than a 45-minute monologue, no matter how well it is produced.
  • Keep it fresh. You should regularly update your training materials for two significant reasons. First, nobody wants to watch reruns of cybersecurity content. Second, the business's operating environment and threat landscape are constantly changing, and training should adapt to meet those evolving needs.
  • Use a variety of formats. Different people learn in different ways. The more mechanisms you use to share your message, the more likely it will reach diverse members of your target audience. Combine online training with email newsletters, short discussions in team meetings, lunch-and-learn sessions and whatever other formats you think might resonate with your team. Experiment often, keeping the things that work.
  • Measure your effectiveness. Use creative means to evaluate the effectiveness of your training program for employees based upon its objectives. Those quiz questions with obvious answers don't meet this mark, as they're usually so easy that anyone can answer them correctly without actually absorbing the content. Make them more difficult, and you'll face the hassle of employees failing the test. Instead, try using mechanisms like phishing simulations that evaluate the actual awareness level of your team. Many vendors now provide managed services that administer phishing simulation campaigns and help you target your follow-up efforts.

4 most important cybersecurity training topics

Now that you're ready to build an effective cybersecurity training program, what topics should you cover? You'll need to develop that list based upon your own organization's needs, but it's important to keep the topics simple and focused. Here are four crucial topics that should be explored in any security awareness training effort:

  1. Phishing attacks are one of the oldest threats, but they remain effective today. The Verizon 2020 Data Breach Investigations Report found that phishing emails were the most common threat action in cybersecurity breaches and employees must be educated to recognize and handle these security threats appropriately.
  2. Social engineering attacks don't always use phishing emails, however. Be sure to also remind employees that they might find social engineers in front of them at a customer service counter, on the other end of a telephone call or even sitting in the next cubicle. Employees should understand the techniques used by social engineers and how adhering to security practices can frustrate those efforts.
  3. Password hygiene is a constant battle. Most organizations have addressed this threat with the implementation of two-factor authentication, but password security remains crucial because not all systems support multifactor. Employees reusing passwords on multiple websites may expose corporate credentials during security breaches. Awareness programs may educate these team members about these risks and help them adopt password managers that allow the creation of strong, unique passwords for each site they visit.
  4. Secure remote work practices became significantly more important in 2020, with large portions of the workforce suddenly working from their homes with little or no preparation. Cybersecurity awareness programs should focus on ensuring that employees understand corporate policies around storing and accessing sensitive information from outside the office.
Top cybersecurity training topics

Parting advice

Notice anything interesting about these topics? They all fit into the category of "oldies but goodies." While you should keep your training current and fresh, that doesn't mean that you need to explore exotic topics. Most security breaches occur as the result of simple threats, and effective cybersecurity awareness efforts find new ways to engage employees in basic cybersecurity practices.

Next Steps

15 benefits of outsourcing your cybersecurity operations

How to preform a cybersecurity risk assessment

What is the future of cybersecurity?

This was last published in December 2020

Dig Deeper on Risk management