16 November 2017
IT security awareness - Creating the human firewall
I think we can all agree that signing up your team for yet another training course is unlikely to be met with enthusiasm. Getting your team interested in security awareness might even seem like an impossible task. However, with ransomware attacks growing in sophistication and affecting a new business every 40 seconds, according to research from Kaspersky Labs, it has never been more important to educate your team.
You may already be thinking, but it’s so boring! Well, there is hope. Looking for an engaging training program maybe easier than you think. In this newsletter we cover the challenges of getting the format of security education right with tips on what to look out for when choosing your training provider.
Before we dive into the benefits of engaging your staff, let’s take a look at what security awareness training actually is.
Converting complacent employees into a Human Firewall
Effective security awareness training has 5 key goals:
- Educate employees to keep Acceptable Use and other pertinent IT policies fresh in mind during their day-to-day work tasks.
- Motivate staff to take security seriously.
- Teach all employees to use technology correctly without impacting workflow but still protecting an organisation against all manner of threats.
- Increase the strength of incident response protocols including how to recognise a threat, who to report it to and how to stop it before it spreads.
- Involve all levels of staff from floor staff to top level management.
When choosing your training provider, ensure their approach meets these five goals. By the time your team has finished a complete training course, they should be able to identify threats, mitigate them and/or report them if necessary.
Finding your provider
Finding security awareness training online is very easy, but how do you find engaging training that actually sticks?
Currently there are several offerings on the market, but there are ways to guarantee your team has access to the best of them.
Based on feedback from many Australian and New Zealand organisations, IT Managers, Corporate Services Managers & HR people are struggling to get the content and delivery options they feel fit their full needs.
Here are some recommendations on what you should be looking for when searching for security training for your staff.
Accessibility is key
The content needs to be suitable for different levels of users e.g. general users, managers, directors and technical staff in your IT team. Delivery may not prove effective if your staff feel bored or are unable to keep up with the technical jargon too often related to cyber awareness.
The delivery method itself will also affect this.
Video, PowerPoint and cartoons are used in many courses. Before you employ a training organisation for your staff ask for a run through of their delivery materials. If their video content is like a bad version of ‘The Office’ move on.
Work smarter not harder
Some people respond to classroom based delivery better than online – but some organisations have delivered training that puts staff through heavily-focussed thorough training sessions that can run over 2 days!
The training delivery needs to be a combination of different approaches. The learned content should be tested and verified but not in a way that feels like a return trip to high school math. When considering a training provider be sure to find out how your team is likely to be assessed.
Human error remains the greatest threat to cyber security
Human factors pose the biggest risk in the use of technology, systems and data. You can keep spending money on technical controls however their effectiveness can be easily negated by untrained users.
Successful training needs to fulfil its main purpose which is to ensure that your employees know what a security threat or breach actually looks like, how to explain it and who to report it to. If your team fully understand your IT security protocols they are more likely to implement them on a daily basis.
No two business are alike
You may have already experienced a cyber breach or have absolutely no idea what an attack would actually look like. As such, a security awareness training program can no longer take a one size fits all approach.
The company you choose must be willing to tailor their program to suit your business. It would be a reasonable expectation to ask for 2-3 online training program options plus some time in the classroom and possibly extra training depending on the job function of your staff.
Above all, the security training provider should attempt to understand your concerns, your business’ needs and how best to meet them. They should ideally only offer solutions that are customisable.
A good example of the tailored training is Phishing Simulation testing. A programme designed to test the users for their alertness in identifying phishing emails. The results of which are used to define further training and awareness exercises and to choose who should receive them.
Measuring success
Similarly, it is important to ensure the provider you choose is able to show you ways to measure the success of the training. The way this is usually measured is based on a visible downward trend in the number of incidents within your organisation or measuring how many threats are identified by staff and reported to the IT team. But this too, should be customisable to reflect how success can be best assessed for your business.
As you can see, there are many factors to consider when planning security awareness training for your organisation but there are clear steps you can take to ensure your team is engaged in the process with a program that adds measurable value to your organisation.
Security awareness is the key to ensuring your team protect your business from cybercrime.
Contact us to discuss how we can help you deliver informative and effective Security education and Awareness training programs to your team.