Covid-19 has led to an increase in cyber-attacks, phishing scams, and malicious activity, making Information Security awareness training more important now than ever before. Cyber-criminals are constantly developing their techniques and strategies, so Information Security awareness training provided to members of your team needs to do the same.


What are some of the challenges?

Lack of importance

Most companies don’t see the need for Information Security awareness training if they have never encountered a large-scale cyber-attack, and instead put their trust in their employees to manage any small-scale threats.

Lack of consistency

Consistent Information Security awareness training can dramatically improve employee awareness of data breaches and attacks. However, if your training programs aren’t consistent, your employees will forget the training while hackers continue to evolve their methods to compromise your business.


Lack of support, budget, and time

Information Security awareness training professionals are restricted in their ability to execute. The top constraints cited are lack of support from leadership teams, limited budget, and lack of time. Among these, a lack of leadership support has the greatest effect on security awareness training. Where there is a check-box mentality, the lowest cost is often the decisive factor in choosing a program, and the low-cost option isn’t always the best.


Lack of engaging materials

Engaging materials help people learn, and everyone's learning style differs. Unfortunately, all too often there is nothing in place, or what is in place is just standard checklists and very mundane tests. The materials may not be appropriate for the organisation or the needs of its employees.


Defining, collecting, and reviewing performance metrics

A common challenge is defining, collecting, and reviewing performance metrics. If you don’t do this, there is no way to know whether the training is truly achieving its objectives. You don’t know whether you’re wasting money or delivering value.


Poor governance

Poor governance is one of the biggest gaps in all awareness training. Information security procedures usually sit on the shelf, except when auditors ask to see them to confirm that they exist. Governance should make sure a security training program is not an accident but a well-defined, purposeful activity.


What are our top tips?

1. Leadership support

Senior leadership should be driving Information Security awareness training from the top. As leadership, you should be talking to your employees on their terms: in high-level business terms about what they are unaware of and what they need to be taught in regard to Information Security. Train your employees on the fundamentals – why the training is important, how it will impact their specific roles, what the risks are, and how managing the risks supports them as individuals as well as the organisation. This shouldn’t be seen as a compliance or checkbox exercise.


2. Foster a culture of questioning and improvement

It is important to foster a culture of questioning and improvement within your organisation. Information Security awareness isn’t just for IT staff to deal with – it should be something that all departments are involved in. Including other departments ensures that the eyes, ears, and voices of the security system are people both inside and outside the security department.

It is essential to foster free and open communication among your employees and to encourage questioning, so that they can interact openly in the workplace about any security threats. As leadership, you should encourage your employees to think about things and question existing processes rather than just sticking with the same process. If certain processes aren’t working, your employees should think about ways to fix them and put those concerns forward.



"Embedding a culture of questioning and improvement can have broader business benefits outside of just Information Security."


3. Drive individual teams to take ownership of their own security awareness training

It is important that you drive your individual teams to take ownership of their own security awareness training, on top of broad company-wide training. An organisation that promotes this can transform its employees into proactive and engaged drivers of security awareness training performance.

Individual teams that are empowered to take ownership are typically more agile and resilient to security incidents. It allows them to act fast when a cyber-attack is presented to them.

Employees who think and act independently may also stimulate change and contribute to continuous improvement of the security awareness training program. This can lead to a more effective and efficient program and push the business in a better direction.


4. Don't punish mistakes

Employees should believe that they can openly voice whatever concerns they have, or report anything they are worried about, without feeling patronised. Too frequently, security risks and threats go unnoticed because staff don’t speak up and report incidents or problems they may have in regard to their training. It is crucial that, along with having the relevant training, employees feel comfortable enough to approach management and IT teams about their concerns or mistakes. The weakness often lies in the training itself rather than in the individual’s knowledge, so unless this is a recurring issue that hasn’t been addressed, punishment should be avoided.

Punishing your employees for clicking on phishing links, for example, can drive fear and promote shame and secrecy around security incidents rather than encouraging them to share the information.


5. Tailored training so that it is not patronising

The most effective security awareness training delivers the right level of training and knowledge to the right people, at the right time. This means delivering training tailored to your organisation’s industry and your employees’ roles at the most teachable moments. When building and improving your security awareness training, pitch it at the right level of knowledge so that your employees don’t feel patronised, and continue integrating training exercises into your employees’ daily workflow.

Ensure that you understand and consider your employees’ existing knowledge when developing the material. Some groups will have experience while others won’t, and the training should reflect this. You should also design your training curriculum to become progressively more challenging over time.


6. Different forms of delivery / learning styles

Before building and developing your security awareness training material, consider all of the different learning styles or forms of delivery and incorporate a mixture of them into your program. This will make your training more effective and engaging.

Learning styles were mentioned above in the challenges section; the main ones are aural learners, visual learners, kinaesthetic learners and reading learners. It is important that you don’t rely solely on Computer-Based Training (CBT), or on one type of CBT, as people learn differently and don’t always take well to slideshow or lecture methods. These are not entertaining or engaging formats for your employees and fail to raise their interest in the way that a video or interactive content does.


7. Make it relevant to real life

If your employees can see how what you are teaching them can benefit them in their personal lives, they are more likely to adopt it. You should introduce real use cases and examples that relate to both the organisation and their role where possible.

Cyber-crime against employees is often personal. For example, cyber-criminals use phishing designed to home in on aspects of an individual’s personal life, such as key events that affect them personally. Spear-phishing, by contrast, targets specific individuals and uses their organisation or role to personalise the email scam.


8. Measure success

You should set clear objectives for individuals and teams in regard to security training and, where possible, link these back to the security incidents and issues that occur within your organisation. Methods of measuring the success of your security awareness program include, but are not limited to, employee feedback (for example through surveys), monitoring behavioural change, and monitoring the number and type of security incidents experienced before and after training.

You should then use that data to drive continued improvement and future learning curriculums, and to correlate what is happening in the business with the effectiveness of the training.
