Charles Leaver – Pointers On Effective Security Awareness Training

Written By Charles Leaver Ziften CEO


Effective enterprise cybersecurity assumes that people, your employees, do the right thing. That they don’t hand over their passwords to a caller who claims to be from the IT department doing a “credentials audit.” That they don’t wire $10 million to an Indonesian bank account after getting a midnight request from “the CEO.”

That they don’t install an “urgent update” to Flash Player because a pop-up on a porn site told them to. That they don’t overshare on social media. That they don’t keep company data on file-sharing services outside the firewall. That they don’t connect to unsecured WiFi networks. And that they don’t click links in phishing emails.

Our research shows that over 75% of security incidents are caused or abetted by employee mistakes.

Sure, you have set up endpoint security, email filters, and anti-malware services. Those preventive measures will probably count for nothing, though, if your employees do the wrong thing time and again when they find themselves in a risky situation. Our cybersecurity efforts are like an expensive car alarm: if you don’t teach your teenager to lock the car at the mall, the alarm is worthless.

Security awareness isn’t enough, obviously. Employees will make mistakes, and some attacks don’t require an employee mistake at all. That’s why you need endpoint security, email filters, anti-malware, and so on. But let’s talk about effective security awareness training.

Why Training Often Doesn’t Have an Impact

First, in my experience, a lot of employee training is, well, poor. That’s especially true of online training, which is usually dreadful. But in most cases, whether live or canned, the training lacks credibility, in part because many IT professionals are poor and unconvincing communicators. The training typically focuses on communicating and enforcing rules, not on changing risky behavior and habits. And it feels like mandatory copy-machine training: there’s nothing in it for the employees, so they don’t take it on board.

It’s not about enforcing rules. While security awareness training may be “owned” by different departments, such as IT, the CISO, or HR, there is often a lack of understanding of what a security awareness program actually is. First of all, it’s not a checkbox; it has to be continuous. The training needs to be delivered in different ways and at different times, with a mix of live training, newsletters, small-group discussions, lunch-and-learns, and yes, even online resources.

Protecting yourself is not complicated!

But a huge problem is the lack of objectives. If you don’t know what you’re trying to achieve, you can’t tell whether the training did its job, or whether risky habits actually changed.

Here are some sample objectives that can lead to effective security awareness training:

Give employees the tools to recognize and deal with the everyday security threats they may encounter online and via email.

Let employees know that they are part of the team, and that they cannot simply rely on the IT/CISO teams to handle security.

Break the cycle of “accidental ignorance” about safe computing practices.

Shift mindsets toward more secure practices: “If you see something, say something.”

Review company policies and procedures, described in actionable ways that are relevant to employees.

Make It Relevant

No matter who “owns” the program, it’s essential that there is visible executive support and management buy-in. If the executives don’t care, the employees won’t either. Effective training won’t talk in tech buzzwords; instead, it will focus on changing habits. Relate cybersecurity awareness to your employees’ personal lives. (And while you’re at it, teach them how to keep themselves, their family, and their home safe. Odds are they don’t know and are reluctant to ask.)

To make security awareness training truly relevant, solicit employee ideas and encourage feedback. Measure success: for example, did the number of external links clicked by employees go down? How about calls to tech support stemming from security violations? Make the training timely and real-world by including current scams from the news; sadly, there are plenty to choose from.
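The measurement called for above (did clicks go down, did reporting go up) can be computed from the results of periodic phishing simulations. The following is an added example, not code from this post or from Ziften; the record layout, campaign names and user names are constructed for illustration, and the thresholds are assumptions.

```python
"""Awareness-training metrics from phishing-simulation results (added example).

Each record is one simulated phishing email sent to one employee:
(campaign_id, user, clicked_link, reported_to_security).
Campaign ids sort chronologically as strings.
"""
from collections import defaultdict

# Constructed sample data: three quarterly campaigns to the same five people.
SAMPLE_RESULTS = [
    ("2024-Q1", "alice", True, False),
    ("2024-Q1", "bob", True, False),
    ("2024-Q1", "carol", True, False),
    ("2024-Q1", "dave", False, True),
    ("2024-Q1", "erin", False, False),
    ("2024-Q2", "alice", True, False),
    ("2024-Q2", "bob", True, False),
    ("2024-Q2", "carol", False, True),
    ("2024-Q2", "dave", False, True),
    ("2024-Q2", "erin", False, False),
    ("2024-Q3", "alice", True, False),
    ("2024-Q3", "bob", False, True),
    ("2024-Q3", "carol", False, True),
    ("2024-Q3", "dave", False, True),
    ("2024-Q3", "erin", False, False),
]


def campaign_metrics(results):
    """Per-campaign counts plus click rate and report rate (0.0 to 1.0)."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for campaign, _user, clicked, reported in results:
        c = counts[campaign]
        c["sent"] += 1
        c["clicked"] += int(clicked)
        c["reported"] += int(reported)
    metrics = {}
    for campaign, c in counts.items():
        metrics[campaign] = {
            **c,
            "click_rate": c["clicked"] / c["sent"],
            "report_rate": c["reported"] / c["sent"],
        }
    return metrics


def click_rate_trend(results):
    """Chronological list of (campaign, click_rate), the 'did clicks go down' view."""
    metrics = campaign_metrics(results)
    return [(name, metrics[name]["click_rate"]) for name in sorted(metrics)]


def training_is_working(results):
    """True if the click rate in the latest campaign is below the first one.

    A crude objective check; with only a handful of recipients per campaign
    the rates are noisy, so treat a single improvement as a signal, not proof.
    """
    trend = click_rate_trend(results)
    return len(trend) >= 2 and trend[-1][1] < trend[0][1]


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns.

    These are the people who most need a follow-up conversation rather than
    another canned module; the threshold is an assumption.
    """
    clicks = defaultdict(set)
    for campaign, user, clicked, _reported in results:
        if clicked:
            clicks[user].add(campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_campaigns)


if __name__ == "__main__":
    for campaign, rate in click_rate_trend(SAMPLE_RESULTS):
        print(f"{campaign}: click rate {rate:.0%}")
    print("improving:", training_is_working(SAMPLE_RESULTS))
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

The report rate is worth tracking alongside the click rate: a rising report rate is the measurable form of “if you see something, say something,” and it is the number that tells you employees have started to see themselves as part of the team rather than bystanders.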

In short: security awareness training isn’t fun, and it’s not a silver bullet. Nevertheless, it is essential for ensuring that risky employee behaviors don’t undermine your IT/CISO efforts to secure your network, devices, applications, and data. Make sure you train your employees continuously, and that the training actually works.