Written by Chuck Leaver, Ziften CEO
Effective business cybersecurity assumes that people, your employees, do the right thing. That they don't hand their passwords to a caller who claims to be from the IT department doing a "credentials audit." That they don't wire $10 million to an Indonesian bank account after receiving a midnight demand from "the CEO."
That they don't install an "urgent update" to Flash Player because a pop-up on a pornography site told them to. That they don't overshare on social media. That they don't store company data on file-sharing services outside the firewall. That they don't connect to unsecured WiFi networks. And that they don't click links in phishing emails.
Our research shows that over 75% of security incidents are caused or assisted by staff member errors.
Sure, you've deployed endpoint security, email filters, and anti-malware. Those safeguards will likely be for nothing, though, if your employees do the wrong thing time and again when faced with a risky situation. Our cybersecurity efforts are like an expensive car alarm: if you don't teach your teenager to lock the car at the mall, the alarm is worthless.
Security awareness isn't enough, of course. Employees will make mistakes, and some attacks don't require an employee misstep at all. That's why you still need endpoint security, email filters, anti-malware, and so on. But let's talk about effective security awareness training.
Why Training Typically Doesn’t Have an Impact
First, in my experience, a great deal of employee training is simply poor. That's especially true of online training, which is usually terrible. But in most cases, whether live or canned, the training lacks credibility, partly because many IT experts are poor and unconvincing communicators. The training typically concentrates on communicating and enforcing rules, not on changing risky habits and behaviors. It's like mandatory copy-machine training: there's nothing in it for the employees, so they don't take it on board.
It's not about imposing rules. While security awareness training may be "owned" by different departments, such as IT, the CISO, or HR, there is often little understanding of what a security awareness program actually is. First of all, it's not a checkbox; it has to be continuous. The training should be delivered in a variety of ways and at a variety of times, with a mix of live training, newsletters, small-group discussions, lunch-and-learns, and yes, even online resources.
Securing yourself is not complex!
But a huge problem is the absence of objectives. If you don't know what you're trying to accomplish, you can't tell whether the training did a good job, and whether risky behaviors actually changed.
Here are some sample goals that can lead to effective security awareness training:
Give employees the tools to recognize and handle the everyday security threats they encounter online and through email.
Let employees know they are part of the team, and that they can't just rely on the IT/CISO groups to handle security.
Break the cycle of "unintentional ignorance" about safe computing practices.
Change mindsets toward safer practices: "If you see something, say something."
Review business policies and procedures, explained in actionable terms that relate to employees' own work.
Make it Relevant
No matter who "owns" the program, it's essential that there is visible executive backing and management buy-in. If the executives don't care, the employees won't either. Effective training won't dwell on tech buzzwords; instead, it will focus on changing behavior. Relate cybersecurity awareness to your employees' personal lives. (And while you're at it, teach them how to keep themselves, their families, and their homes safe. Chances are they don't know and are reluctant to ask.)
To make security awareness training genuinely relevant, solicit employee ideas and encourage feedback. Measure success: did the number of external links clicked by employees decrease? Did help-desk calls stemming from security incidents go down? Make the training timely and real-world by including current scams in the news; sadly, there are plenty to choose from.
In short: security awareness training isn't fun, and it's not a silver bullet. But it is necessary for ensuring that risky employee behavior doesn't undermine your IT/CISO efforts to protect your network, devices, applications, and data. Make sure that you train your employees continuously, and that the training actually works.
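One concrete way to measure whether behavior changed is to track the results of periodic phishing simulations: the fraction of recipients who clicked, and the fraction who reported the message. The following is an added example, not code from the original post or from Ziften; it assumes a hypothetical CSV export with columns campaign, sent_at, user, clicked and reported (not any particular vendor's format), and the sample rows are constructed for illustration.

```python
"""Awareness-program metrics from phishing-simulation results.

Added example, not from the original post. Assumes a hypothetical CSV
export with the columns campaign,sent_at,user,clicked,reported.
"""
import csv
import io
from collections import defaultdict

# Constructed sample data: three simulated campaigns, one per quarter.
SAMPLE_CSV = """campaign,sent_at,user,clicked,reported
2023Q1,2023-02-10,alice,1,0
2023Q1,2023-02-10,bob,1,0
2023Q1,2023-02-10,carol,0,1
2023Q1,2023-02-10,dave,1,0
2023Q2,2023-05-14,alice,0,1
2023Q2,2023-05-14,bob,1,0
2023Q2,2023-05-14,carol,0,1
2023Q2,2023-05-14,dave,0,0
2023Q3,2023-08-20,alice,0,1
2023Q3,2023-08-20,bob,0,1
2023Q3,2023-08-20,carol,0,1
2023Q3,2023-08-20,dave,1,0
"""


def campaign_metrics(csv_text):
    """Per-campaign counts plus click_rate and report_rate (fractions of sent)."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        c = counts[row["campaign"]]
        c["sent"] += 1
        c["clicked"] += int(row["clicked"])
        c["reported"] += int(row["reported"])
    for c in counts.values():
        c["click_rate"] = c["clicked"] / c["sent"]
        c["report_rate"] = c["reported"] / c["sent"]
    return dict(counts)


def trend(metrics, key):
    """[(campaign, rate), ...] in campaign-name order (YYYYQn sorts chronologically)."""
    return [(name, metrics[name][key]) for name in sorted(metrics)]


def improved(metrics):
    """The 'did behavior change' check: latest click rate lower AND latest
    report rate higher than in the first campaign. Both must move; a falling
    click rate with no rise in reporting may just mean a less convincing lure."""
    clicks = trend(metrics, "click_rate")
    reports = trend(metrics, "report_rate")
    return clicks[-1][1] < clicks[0][1] and reports[-1][1] > reports[0][1]


def repeat_clickers(csv_text, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for
    targeted follow-up rather than another company-wide module."""
    per_user = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        per_user[row["user"]] += int(row["clicked"])
    return sorted(u for u, n in per_user.items() if n >= min_clicks)


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_CSV)
    for name in sorted(m):
        c = m[name]
        print(f"{name}: sent={c['sent']} click_rate={c['click_rate']:.0%} "
              f"report_rate={c['report_rate']:.0%}")
    print("behavior improved:", improved(m))
    print("repeat clickers:", repeat_clickers(SAMPLE_CSV))
```

Reporting rate matters as much as click rate: it is the measurable form of "if you see something, say something," and it keeps rising even when a well-crafted lure still catches a few people.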