With the COVID-19 pandemic now in its second year, the remote workforce is here to stay for a long time to come, and cybersecurity will again be a focal point. Employees are often blamed for being the weakest link in the security chain, and to some degree this is true: mistakes are made, whether intentional or not. Many people ask why this is the case, and it comes down to three basic things:
- Employees follow by example. If the C-suite and their direct managers don't maintain proper levels of cyber hygiene, why should anyone else?
- Employees are not held accountable enough for their actions;
- Employees are simply dismissive of the security training they receive.
On the third point, yes, employees should follow through on what they have been taught. But the people delivering the training have to be held accountable as well. Nobody wants to sit through a boring lecture; if employees are engaged by the training, there is a far better chance that they will retain what they have learned and actually practice it.
In this article, we examine some key ways to make this happen.
The Components of An Effective Security Training Program
The bottom line is that for your employees to remember and act on what they have learned, the training has to be some combination of scary, fun, exciting and competitive. Here are some techniques you can use:
- Make them laugh:
Yes, cybersecurity is a serious matter, but remember the old saying that laughter is the best medicine? It is, and recent studies have also shown that laughter is one of the best ways to cultivate trust and goodwill among your employees, which in turn helps them learn (SOURCE: 1). One good way to make this happen is to have employees perform short, funny skits that simulate a real-world security breach. For instance, one plays the cyberattacker while another plays the administrative assistant, and together they act out a social engineering call whose goal is to get a large sum of company money wired to a phony offshore bank account.
- Introduce variety:
One of the worst things you can do in a cyber training program is to lecture for a long stretch of time. That is a guaranteed way to lose your employees' interest within the first 10 minutes. Instead, mix up the format. For instance, open with a short lecture on phishing emails, then play a game, then tell a real-life story. With this approach, your employees are far more likely to walk away with a much better sense of how to identify a phishing email, and of the corrective steps to take once one has actually been received.
- Make videos:
At the end of the training, one of the best ways to recap the major points is to put them into a short video, which also adds variety. Keep it short, no more than 4-5 minutes in total. Once again, the video should not just be someone talking; it should be engaging in its own right, for instance by using cartoon-like characters to hold your employees' attention.
- Utilize the concepts of Gamification:
As the name implies, you turn your training into a game. Think of it as a jigsaw puzzle: you put in some of the pieces, then motivate your employees to fill in the rest. First, introduce the issue you want to teach, say, ransomware. Explain how this kind of attack actually unfolds, without getting into all the technicalities (if you do, you will lose them instantly). Then engage your employees with simulation exercises to build on that interest. To motivate them further, award points and recognition badges when they complete a task successfully. For example, if they spot the beginnings of an attack (such as a phishing email) and take the right mitigation steps, such as not clicking anything in it and reporting it to the IT security team before deleting it, they earn a badge. If you use gamification, break your employees into teams to foster a more collaborative environment.
- Make the training relatable:
One of the best ways to convey the full ramifications of a cyberattack to your employees is to talk about a real-world case in which one actually occurred. To make the full impact, show how it affected somebody they know, such as another coworker; the strongest impression comes from having that person talk about it directly. For example, if an employee at your company has been a victim of identity theft, ask that person to discuss how he or she found out about it, how it affected their daily life, and the steps they have taken to reduce the risk of it happening again.
It is very important to remember that cyber training is not a one-and-done deal. You need to run these programs on a regular basis to keep your employees' cyber hygiene at its highest possible level. So remember these pointers:
- Hold training sessions ideally once a month, and at a minimum once a quarter;
- Keep them no longer than one hour; anything beyond that and you are guaranteed to lose your employees' attention;
- Reinforce the concepts you have been teaching. For example, from time to time, run a mock phishing campaign to see how many employees fall for it after they have completed their training;
- Use metrics to quantify the ROI your company is getting from the training. This is what your CIO and/or CISO will want to see, and if you can provide these numbers, you have a much better shot at securing funding for future awareness programs. Track not only how many employees clicked, but how many reported the mock phish and how quickly, since a rising report rate is the clearest sign that the training is working.
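As an added example (not code from the original article), the script below turns the raw events of two mock phishing campaigns, one run before training and one after, into the metrics the last two pointers ask for: click, credential-submission and report rates per campaign, time to first report, a per-department click breakdown, the relative change between campaigns, and the list of people who clicked both times and need individual follow-up. The event records are constructed for illustration; in practice they would come from your phishing-simulation platform or mail gateway, and the campaign names, department labels and the `(campaign, user, department, action, minutes_after_send)` record shape are assumptions of this example.

```python
"""Scorecard for mock phishing campaigns run before and after training.

Added example, not from the original article. The records in EVENTS are
constructed; one record per observed action, in the assumed shape
(campaign, user, department, action, minutes_after_send).
"""
from collections import defaultdict

# Constructed sample data: 5 users, campaign "pre" before training, "post" after.
EVENTS = [
    ("pre",  "alice", "finance", "sent", 0),
    ("pre",  "alice", "finance", "clicked", 3),
    ("pre",  "alice", "finance", "submitted", 4),   # entered credentials
    ("pre",  "bob",   "finance", "sent", 0),
    ("pre",  "bob",   "finance", "clicked", 12),
    ("pre",  "carol", "sales",   "sent", 0),
    ("pre",  "carol", "sales",   "reported", 20),
    ("pre",  "dave",  "sales",   "sent", 0),        # ignored the mail entirely
    ("pre",  "erin",  "it",      "sent", 0),
    ("pre",  "erin",  "it",      "reported", 2),
    ("post", "alice", "finance", "sent", 0),
    ("post", "alice", "finance", "clicked", 8),     # clicked again
    ("post", "bob",   "finance", "sent", 0),
    ("post", "bob",   "finance", "reported", 5),
    ("post", "carol", "sales",   "sent", 0),
    ("post", "carol", "sales",   "reported", 1),
    ("post", "dave",  "sales",   "sent", 0),
    ("post", "dave",  "sales",   "reported", 30),
    ("post", "erin",  "it",      "sent", 0),
    ("post", "erin",  "it",      "reported", 2),
]

ACTIONS = ("clicked", "submitted", "reported")


def _per_user(events, campaign):
    """Collapse one campaign's records into a dict per targeted user,
    keeping the earliest minute at which each action was seen."""
    users = {}
    for camp, user, dept, action, minutes in events:
        if camp != campaign:
            continue
        rec = users.setdefault(user, {"dept": dept, "actions": {}})
        if action != "sent":
            prev = rec["actions"].get(action)
            rec["actions"][action] = minutes if prev is None else min(prev, minutes)
    return users


def campaign_metrics(events, campaign):
    """Rates are over users targeted by this campaign, not over all staff."""
    users = _per_user(events, campaign)
    targeted = len(users)
    if targeted == 0:
        raise ValueError(f"no records for campaign {campaign!r}")
    counts = {a: sum(1 for u in users.values() if a in u["actions"]) for a in ACTIONS}
    report_times = [u["actions"]["reported"] for u in users.values()
                    if "reported" in u["actions"]]
    by_dept = defaultdict(lambda: [0, 0])  # dept -> [targeted, clicked]
    for u in users.values():
        by_dept[u["dept"]][0] += 1
        by_dept[u["dept"]][1] += int("clicked" in u["actions"])
    return {
        "targeted": targeted,
        "click_rate": counts["clicked"] / targeted,
        "submit_rate": counts["submitted"] / targeted,
        "report_rate": counts["reported"] / targeted,
        "minutes_to_first_report": min(report_times) if report_times else None,
        "click_rate_by_dept": {d: c / t for d, (t, c) in by_dept.items()},
    }


def training_impact(events, before="pre", after="post"):
    """Relative change in click and report rates from one campaign to the next.
    Negative click change and positive report change are what you want to see."""
    b, a = campaign_metrics(events, before), campaign_metrics(events, after)

    def rel(x, y):
        return None if x == 0 else (y - x) / x

    return {
        "click_rate_change": rel(b["click_rate"], a["click_rate"]),
        "report_rate_change": rel(b["report_rate"], a["report_rate"]),
    }


def repeat_clickers(events, campaigns=("pre", "post")):
    """Users who clicked in every listed campaign: candidates for one-on-one
    follow-up rather than another group session."""
    clicker_sets = [{u for u, r in _per_user(events, c).items() if "clicked" in r["actions"]}
                    for c in campaigns]
    return set.intersection(*clicker_sets) if clicker_sets else set()


if __name__ == "__main__":
    for camp in ("pre", "post"):
        print(camp, campaign_metrics(EVENTS, camp))
    print("impact", training_impact(EVENTS))
    print("repeat clickers", sorted(repeat_clickers(EVENTS)))
```

On the constructed data the click rate halves (40% to 20%) while the report rate doubles (40% to 80%), and `alice` shows up as a repeat clicker. Reporting the per-department click rate alongside the company-wide figure is what tells you where the next session should be aimed.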