Cybersecurity Awareness Training - What Works?

This article is part of our ‘Commissioned By’ series. It’s in response to a request from a Digital Hands customer who wanted to know if cybersecurity awareness training works, how to deliver it effectively, and what kind of training works best. 

Here is what our senior information security professionals have to say on the topic of cybersecurity awareness training.

Why Do You Need Cyber Awareness Training?

Your employees are your front line. They need help becoming cyber aware because they are such a critical part of any organization's cyber defenses. Cyber aware employees can identify and prevent malware and ransomware attacks and social engineering attempts, and stop data leaks before they happen.

Despite this, many businesses systematically under-invest in cyber training. A recent study [1] found that most cybersecurity professionals believe that their own employees accidentally put their organization and its data at risk over the previous twelve months. Meanwhile, more than 90% of employees said that they had done nothing wrong. 

You tend to see this in organizations that do not regularly train employees to recognize cybersecurity threats. While your employees might be confident they know the rules, there can be a big gap between theory and practice. This is where cyber awareness training can make a big difference, provided it’s delivered correctly. 

With that in mind, here are Digital Hands’ top strategies for building an effective cyber awareness training program in the workplace.

Create Custom Training for Different Groups

Training must be tailored to different employee groups in an organization. Each group will have different skillsets and responsibilities, requiring varying levels of access to corporate resources and data. Take the following key groups into account:

Non-Technical Knowledge Workers 

Training for this group should be a top priority, as many businesses have more non-technical knowledge workers than any other group. Their training needs to be regular, short, and relevant to their specific jobs. It must focus on how to practice good security habits and basic knowledge about cybersecurity risks. Make sure they also understand workplace security best practices and policies.

Technical Professionals 

Technical professionals work in IT departments and on cybersecurity teams and have access to more IT systems than any other employee group. As such, they need specialized training focused on advanced threat minimization, situational training, and experience-based training on recognizing the latest cyber threats.

This group is easier to train than most. They already understand technical concepts and are more than likely already cyber aware. However, continued advanced training will keep them engaged.

Board / Exec Team 

This group is considered a high-value target by organized cyber-criminal groups. Therefore, they need tailored training covering not just best practices, but also experience-based training focusing on the consequences of major security breaches. Focus on the damage to stakeholders and credibility so they take it seriously.

Contract Workers 

Part-time, contract, and seasonal workers are especially important because they are the group least likely to be invested in your company. Most of them will have limited access to your systems, but some will have a lot of access.

Contract workers need to be properly onboarded and trained before they even touch a company's systems. They need to be told clearly what your security policies are and what is expected of them in their day-to-day role from a security perspective.

Train Regularly & Test Participants

The most insecure organizations are those that treat cyber training as an afterthought, providing it only when an employee is first hired or once a year. The problem with this is that, to be effective, training needs to be done regularly and delivered to employees in small, relatable, easily digestible courses.

Think about the difference between a live, ten-minute training session delivered once a month and giving your users a thick, 40-page training manual. Which is more likely to engage them and help them retain the knowledge they need?

Your employees' cyber training must be ongoing and immersive to engage them, taking into account their specific job roles. Effective training takes your people through the signs of an attack and shows them how to report suspicious activity to the right people in your security department.

Employees must also be tested to gauge whether or not cyber awareness training has been effective. Through regular employee testing, you will be able to spot the employees who are obviously violating your security policies and give them personalized training to help them get to where they need to be. However, this should be an inclusive process, one that doesn’t make employees feel they are being spied on and reported to management.

Inspire employees to be better; don’t put them on the spot and make them scared of getting caught. Share examples of bad practices during the training program without calling out the names of the offenders.

Change Up Training Program & Formats

A varied training program keeps employees from tuning out. Mix up the format using the techniques Digital Hands uses to train our own team members:

Classroom Training 

Live training sessions with a good trainer are best. The real benefit of a live trainer is their ability to explain concepts further and answer employee questions in real-time. Complement these sessions with web-based training sessions and use role-playing simulations to keep them engaged. 

If employees work remotely from various locations, replace in-person sessions with webinars. It's also a good idea to sit every new hire through a live training session before they get system access. Only grant new hires access to the company and its IT infrastructure once they have been properly trained on security practices; new hires are always a security risk.

Dedicated Training Website 

Consider building a dedicated training website for employees, managed by your security team. This way, they have easy access to a reliable resource for any questions they have.

This resource needs to cover all of the basic security topics (malware and phishing) as well as the more complex topics like ransomware, social engineering, and secure file sharing. It should clearly spell out what they should do if they suspect a threat. It is a good idea to have self-paced tutorials and quizzes they can take to test their knowledge and awareness. 

What Not To Do

Avoid giving employees training materials that are long-form and technical in nature. Also, if you send it by email, they are less likely to read and absorb it. Any long-winded and detailed texts on security policies or lengthy explanations on identifying phishing attacks will not be read or used in practice. 

Instead, focus on examples that employees will be able to understand. It is also important to make it enjoyable for them to read. If you must send out training by email, make sure it's spread out over several emails, and be sure to send out a quiz after the training.

Final Thoughts

Building a strong internal culture of collective security cannot be done overnight. Even when you do build one, it will not guarantee that your business will never fall victim to a cyberattack. Sooner or later there will always be one person who fails to follow best practices and puts your sensitive business data at risk.

That being said, implementing an effective cybersecurity training program is an essential first step to building a solid security foundation in your organization. It helps reduce the overall cyber risk and increases the awareness of your employee base. 

Of course, training is just one piece of the puzzle. Companies also need to implement strong security controls and leverage technology and tools that help keep infrastructure and data secure from attackers. But even with all the cybersecurity technology and tools in the world, if your employees are not cyber aware then it will not count for much. 

Ultimately, protecting your data and reputation is every employee's business.

Contact Digital Hands

Digital Hands has extensive experience training employees to become more cyber aware. It’s not just key to working with us; it’s a must for working for us. 

If you have any questions about any aspect of your information security, get in touch with the Digital Hands team by calling (855) 511-5114. We can always bring insight and experience to the table when helping our customers understand and manage the cyber risks they face.

About Digital Hands:  Recently ranked as one of the Top MSSPs in 2020, Digital Hands is a trusted global cybersecurity leader continuously taking action to protect our customers’ most valuable assets against relentless threats.

Digital Hands is proud to offer extensive security expertise and advanced monitoring and reporting capabilities. Our robust set of innovative cybersecurity services and solutions ensures your organization, customers and employees are defended against cybersecurity attacks and data breaches round the clock.

We are proactive in our response orchestration, which includes in-depth analysis and business context. Digital Hands enables our customers to harden their security posture, outmatch bad actors and benefit from our complementary white glove service and excellence in delivery. Our industry-leading customer retention rate and Net Promoter Score of 94 reflect how we go above and beyond every day for our customers.

References:

1) https://pages.egress.com/InsiderThreat.html