Written by Charles Leaver, Ziften CEO
Effective corporate cybersecurity assumes that people – your workers – do the best thing. That they do not hand over their passwords to a caller who claims to be from the IT department doing a “credentials audit.” That they do not wire $10 million to an Indonesian savings account after getting a midnight request from “the CEO”.
That they don’t install an “urgent upgrade” to Flash Player because a pop-up on a porn website told them to. That they do not overshare on social media. That they do not store business data on file-sharing services outside the firewall. That they don’t connect to unsecured WiFi networks. And that they don’t click on links in phishing emails.
Our research shows that over 75% of security incidents are caused or enabled by employee mistakes.
Sure, you have installed endpoint security, e-mail filters, and anti-malware services. Those precautions will most likely be for nothing, though, if your employees do the wrong thing time and again when faced with a risky situation. Our cybersecurity efforts resemble an expensive car alarm: if you do not teach your teenager to lock the car at the shopping mall, the alarm is worthless.
Security awareness isn’t enough, of course. Employees will make mistakes, and some attacks don’t require an employee misstep at all. That’s why you need endpoint security, email filters, anti-malware, and so on. But let’s talk about effective security awareness training.
Why Training Often Doesn’t Have an Effect
First – in my experience, a great deal of employee training is, well, poor. That’s especially true of online training, which is usually terrible. But in most cases, whether live or canned, the training lacks credibility, in part because many IT professionals are poor and unconvincing communicators. The training often focuses on communicating and enforcing rules – not on changing risky behaviors and habits. And it resembles mandatory photocopier training: there’s nothing in it for the employees, so they don’t accept it.
It’s not about imposing rules. While security awareness training might be “owned” by various departments, such as IT, the CISO, or HR, there’s typically a lack of understanding about what a security awareness program actually is. First of all, it’s not a checkbox; it needs to be continuous. The training needs to be delivered in different ways and at different times, with a mix of live training, newsletters, small-group discussions, lunch-and-learns, and yes, even online resources.
Securing yourself is not complex!
But a huge problem is the lack of objectives. If you have no idea what you’re trying to achieve, you can’t tell whether the training has done a good job – or whether risky behaviors have actually changed.
Here are some sample objectives that can lead to effective security awareness training:
Give employees the tools to recognize and handle the everyday security threats they encounter online and by email.
Let employees understand that they are part of the team, and that they cannot simply rely on the IT/CISO teams to manage security.
Break the cycle of “unintentional ignorance” about safe computing practices.
Change mindsets toward safer practices: “If you see something, say something.”
Review company policies and procedures, explained in actionable terms that relate to employees’ own work.
Make It Relevant
No matter who “owns” the program, it’s essential that there is visible executive backing and management buy-in. If the execs don’t care, the employees won’t either. Effective training won’t dwell on tech buzzwords; rather, it will focus on changing behaviors. Relate cybersecurity awareness to your employees’ personal lives. (And while you’re at it, teach them the best ways to keep themselves, their family, and their home safe. Odds are they do not know and hesitate to ask.)
To make security awareness training truly relevant, solicit employee ideas and encourage feedback. Measure success – for example, did the number of external links clicked by employees go down? How about calls to tech support arising from security violations? Make the training timely and real-world by including current scams in the news; unfortunately, there are plenty to choose from.
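The two metrics suggested above (external links clicked, and support contacts caused by security violations) only tell you something if you compare them before and after a training push. The following script is an added example and is not Ziften’s code: it reads a constructed event log (one line per click, report, or security-related helpdesk ticket), compares equal-length windows on either side of an assumed training go-live date, and flags employees who clicked both before and after, which is the group that needs follow-up training. The log format, dates and names are all assumptions made for the illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample data, not real logs. Each line is "YYYY-MM-DD user event":
#   click  - the employee followed an external or simulated-phishing link
#   report - the employee reported the message to security instead
#   ticket - a helpdesk ticket was opened because of a security violation
SAMPLE_LOG = """\
2024-02-03 alice click
2024-02-10 bob click
2024-02-11 carol click
2024-02-12 carol ticket
2024-03-02 alice click
2024-03-05 dave click
2024-03-20 bob click
2024-03-21 bob ticket
2024-04-15 alice click
2024-04-16 erin report
2024-05-02 bob click
2024-05-20 carol report
2024-06-09 dave report
"""

TRAINING_DATE = date(2024, 4, 1)  # assumed go-live date of the awareness program
EVENT_KINDS = {"click", "report", "ticket"}


def parse_log(text):
    """Parse the constructed log format into (date, user, event) tuples."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'date user event', got {raw!r}")
        day, user, event = parts
        if event not in EVENT_KINDS:
            raise ValueError(f"line {lineno}: unknown event {event!r}")
        events.append((date.fromisoformat(day), user, event))
    return events


def shift_months(d, n):
    """First day of the month n months away from d (n may be negative)."""
    total = d.year * 12 + (d.month - 1) + n
    return date(total // 12, total % 12 + 1, 1)


def summarize_period(events, start, end):
    """Per-month click and ticket rates plus the share of messages reported."""
    counts = Counter(ev for d, _, ev in events if start <= d < end)
    months = max((end.year - start.year) * 12 + (end.month - start.month), 1)
    seen = counts["click"] + counts["report"]  # messages the employees acted on
    return {
        "months": months,
        "clicks_per_month": counts["click"] / months,
        "tickets_per_month": counts["ticket"] / months,
        "report_rate": counts["report"] / seen if seen else 0.0,
    }


def compare(events, training_date, window_months=3):
    """Summaries for equal windows immediately before and after the training."""
    before = summarize_period(events, shift_months(training_date, -window_months), training_date)
    after = summarize_period(events, training_date, shift_months(training_date, window_months))
    return before, after


def training_effective(before, after):
    """The program worked if clicks fell and the reporting habit improved."""
    return (after["clicks_per_month"] < before["clicks_per_month"]
            and after["report_rate"] > before["report_rate"])


def repeat_clickers(events, training_date):
    """Employees who clicked both before and after training: the follow-up list."""
    before = {u for d, u, ev in events if ev == "click" and d < training_date}
    after = {u for d, u, ev in events if ev == "click" and d >= training_date}
    return sorted(before & after)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    b, a = compare(evs, TRAINING_DATE)
    print("before:", b)
    print("after: ", a)
    print("effective:", training_effective(b, a))
    print("needs follow-up:", repeat_clickers(evs, TRAINING_DATE))
```

In practice the click events would come from a phishing-simulation platform or web proxy and the ticket events from the helpdesk system; the point is to keep the comparison windows equal in length and to track the reporting rate alongside the click rate, since “see something, say something” is as much the goal as fewer clicks.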
In other words: security awareness training isn’t much fun, and it’s not a silver bullet. However, it is vital for making sure that risky employee habits do not undermine your IT/CISO efforts to protect your network, devices, applications, and data. Make sure that you train your employees continuously, and that the training works.