Effective employee training helps take human factor out of cyber breaches

Replace old methods with interactive, fun, real-life scenarios to prepare workers for wide range of threats

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

More than ever, chief secu­ri­ty offi­cers are being held account­able for keep­ing their busi­ness safe. Phish­ing attacks, data breach­es, ran­somware and the ever-increas­ing access by employ­ees to tech­nol­o­gy and data are dri­ving this account­abil­i­ty. But there’s only so much that tech­nol­o­gy solu­tions can do to pro­tect against threats.

What else should orga­ni­za­tions do? It turns out that most breach­es are the result of an employ­ee mis­take, so look­ing to their staff as their first line of pro­tec­tion is a crit­i­cal suc­cess fac­tor today.

Relat­ed sto­ry: Secu­ri­ty aware­ness train­ing gets a much-need­ed reboot

Secu­ri­ty aware­ness train­ing is now rec­og­nized as one of the crit­i­cal com­po­nents of a robust secu­ri­ty archi­tec­ture. But are employ­ees get­ting the secu­ri­ty aware­ness train­ing they need and deserve? Unfor­tu­nate­ly not. Too many orga­ni­za­tions still choose to pro­vide no secu­ri­ty aware­ness train­ing at all, or sim­ply pro­vide annu­al Pow­er­Point-based train­ing pro­gram, or train­ing that is dry and dif­fi­cult to understand.

Employ­ees often think they’re pre­pared or think “that’ll nev­er hap­pen to me”—until it does. Then the employ­ee often is too ashamed to go to their boss or IT depart­ment after an inci­dent occurs.

Tra­di­tion­al train­ing doesn’t work

The infor­ma­tion and best prac­tices the employ­ee received from train­ing were nev­er under­stood, didn’t seem rel­e­vant, or just didn’t come back to them.

What hap­pened? Cyber attacks aren’t chang­ing every five years—it’s more like every five months—and orga­ni­za­tions can’t afford to fall behind on secu­ri­ty training..

Employ­ees must be armed with the knowl­edge and skills to pro­tect them­selves and their orga­ni­za­tions. Tra­di­tion­al, out­dat­ed train­ing does lit­tle to pre­pare work­ers for the del­uge of cyber attacks they face, or the risks they cre­ate for them­selves. There are ways to make a change in the workplace.

Instead of train­ing employ­ees as a pas­sive observ­er, make train­ing inter­ac­tive and teach action­able, real world skills.

Rec­og­nize that hacks happen

Instead of instill­ing a mind-set that an inci­dent must nev­er hap­pen, give employ­ees the con­fi­dence to speak up, even if they make a mistake.

Instead of focus­ing sole­ly on secu­ri­ty, focus on learn­ing, too. Make train­ing brief, fun and sticky so that it is always top-of-mind when needed.

Instead of focus­ing on a sin­gle type of risk, pre­pare employ­ees for the range of secu­ri­ty threats they’ll face, whether from an exter­nal cyber attack or from their own use of tech­nol­o­gy or access to data.

Hacks can hap­pen even if the staff prac­tices secu­ri­ty pro­ce­dures. Look at the vic­tims of the Twit­ter Counter breach. No actu­al Twit­ter accounts were hacked, but a third-par­ty appli­ca­tion was, and the hack­ers left unnerv­ing tweets on orga­ni­za­tions’ accounts. Employ­ees should be pre­pared for events like this. Prac­tic­ing real-world sce­nar­ios can help pre­pare for the worst-case events. Train­ing needs to keep up with the tech­nol­o­gy employ­ees are using and the risks they face.

It’s time to stop using out­dat­ed train­ing tech­niques and for orga­ni­za­tions to invest in its employ­ees and assets by pro­vid­ing secu­ri­ty train­ing that will make a dif­fer­ence and change the behav­ior of its staff. They can’t afford not to.

More sto­ries relat­ed to employ­ee secu­ri­ty training:
When it comes to secu­ri­ty, don’t give employ­ee edu­ca­tion short shrift
More orga­ni­za­tions find secu­ri­ty aware­ness train­ing is becom­ing a vital secu­ri­ty tool
Self-train­ing pro­grams effec­tive­ly boost cybersecurity