Written by Chuck Leaver, Ziften CEO
Effective business cybersecurity assumes that people, your employees, do the right thing. That they don’t hand over their passwords to a caller who claims to be from the IT department doing a “credentials audit.” That they don’t wire $10 million to an Indonesian bank account after receiving a midnight request from “the CEO”.
That they don’t install an “urgent update” to Flash Player because a pop-up on a pornography website told them to. That they don’t overshare on social media. That they don’t store business data on file-sharing services outside the firewall. That they don’t connect to unsecured WiFi networks. And that they don’t click links in phishing emails.
Our research shows that 75+% of security incidents are caused or aided by employee mistakes.
Sure, you’ve deployed endpoint security, email filters, and anti-malware services. Those preventive measures will most likely count for nothing, though, if your employees do the wrong thing time and again when they are in a dangerous situation. Our cybersecurity efforts are like an expensive car alarm: if you don’t teach your teenager to lock the car at the mall, the alarm is worthless.
Security awareness isn’t enough, of course. Employees will make mistakes, and some attacks don’t require an employee error at all. That’s why you need endpoint security, email filters, anti-malware, and so on. But let’s talk about effective security awareness training.
Why Training Typically Fails to Have an Impact
First: in my experience, a great deal of employee training, well, is poor. That’s particularly true of online training, which is usually horrible. But in many cases, whether live or canned, the training lacks credibility, in part because many IT experts are poor and unconvincing communicators. The training frequently concentrates on communicating and enforcing rules, not on changing risky habits and routines. And it resembles mandatory copy-machine training: there’s nothing in it for the employees, so they don’t buy into it.
It’s not about enforcing rules. While security awareness training may be “owned” by various departments, such as IT, the CISO, or HR, there’s typically a lack of understanding about what a security awareness program actually is. To start with, it’s not a checkbox; it has to be continuous. The training must be delivered in various ways and at various times, with a combination of live training, newsletters, small-group discussions, lunch-and-learns, and yes, even online resources.
Securing yourself is not complicated!
But a huge issue is the absence of objectives. If you don’t know what you’re trying to do, you can’t tell whether the training did its job, or whether risky behaviors actually changed.
Here are some sample objectives that can lead to effective security awareness training:
Provide employees with the tools to recognize and deal with the ongoing, everyday security threats they may encounter online and through email.
Let employees know they are part of the team, and that they can’t simply rely on the IT/CISO groups to handle security.
Halt the cycle of “accidental ignorance” about safe computing practices.
Shift mindsets toward safer practices: “If you see something, say something”.
Review company rules and procedures, described in actionable terms that relate to employees’ own work.
Make It Relevant
No matter who “owns” the program, it’s vital that there is visible executive support and management buy-in. If the execs don’t care, the employees won’t either. Effective training won’t talk in tech buzzwords; instead, it will focus on changing habits. Relate cybersecurity awareness to your employees’ personal lives. (And while you’re at it, teach them how to keep themselves, their family, and their home safe. Odds are they don’t know and are reluctant to ask.)
To make security awareness training truly relevant, solicit employee ideas and encourage feedback. Measure success: for example, did the number of external links clicked by employees decrease? How about the number of calls to tech support stemming from security violations? Make the training timely and real-world by including current scams from the news; sadly, there are plenty to choose from.
In short: security awareness training isn’t fun, and it’s not a silver bullet. But it is necessary for ensuring that risky employee behaviors don’t undermine your IT/CISO efforts to secure your network, devices, applications, and data. Make sure you train your employees continuously, and that the training actually works.