Written by Chuck Leaver, Ziften CEO
Effective business cybersecurity assumes that people – your employees – do the right thing. That they do not hand over their passwords to a caller who claims to be from the IT department doing a “credentials audit.” That they do not wire $10 million to an Indonesian bank account after getting a midnight request from “the CEO”.
That they do not install an “urgent update” to Flash Player based on a pop-up on a porn site. That they don’t overshare on social networks. That they do not store business data on file-sharing services outside the firewall. That they do not connect to unsecured WiFi networks. And that they do not click links in phishing emails.
Our research shows that over 75% of security incidents are caused or aided by employee errors.
Sure, you’ve installed endpoint security, e-mail filters, and anti-malware solutions. Those precautions will probably be for nothing, however, if your employees do the wrong thing time and again when in a risky situation. Our cybersecurity efforts are like having an expensive car alarm: if you don’t teach your teenager to lock the vehicle when it’s at the shopping mall, the alarm is worthless.
Security awareness isn’t enough on its own, obviously. Employees will make mistakes, and some attacks do not require an employee misstep at all. That’s why you still need endpoint security, email filters, anti-malware, and so on. But let’s discuss effective security awareness training.
Why Training Often Has No Effect
First – in my experience, a lot of employee training, well, sucks. That’s especially true of online training, which is generally terrible. But in most cases, whether live or canned, the training lacks credibility, in part because many IT specialists are poor and unconvincing communicators. The training typically concentrates on communicating and enforcing rules – not on changing risky behavior and habits. And it’s like mandatory photocopier training: there’s nothing in it for the employees, so they don’t buy into it.
It’s not about imposing rules. While security awareness training might be “owned” by different departments, such as IT, the CISO, or HR, there’s often a lack of understanding of what a security awareness program actually is. First of all, it’s not a checkbox; it needs to be continuous. The training must be delivered in various ways and at various times, with a combination of live training, newsletters, small group discussions, lunch-and-learns, and yes, even online resources.
Safeguarding yourself is not complex!
But a huge problem is the lack of goals. If you have no idea what you’re trying to achieve, you cannot tell whether the training did a good job – and whether risky habits actually change.
Here are some sample objectives that can lead to effective security awareness training:
Give employees the tools to recognize and deal with the everyday security threats they encounter online and via email.
Let employees know they are part of the team, and that they cannot simply rely on the IT/CISO teams to handle security.
Stop the cycle of “unintended ignorance” about safe computing practices.
Change mindsets toward safer practices: “If you see something, say something”.
Review business policies and procedures, described in actionable terms that are relevant to them.
Make it Relevant
No matter who “owns” the program, it’s vital that there is visible executive backing and management buy-in. If the executives don’t care, the employees will not either. Effective training will not talk about tech buzzwords; rather, it will focus on changing behaviors. Relate cybersecurity awareness to your employees’ personal lives. (And while you’re at it, teach them how to keep themselves, their family, and their home safe. Chances are they don’t know and are reluctant to ask.)
To make security awareness training truly relevant, solicit employee ideas and encourage feedback. Measure success – for example, did the number of external links clicked by employees go down? How about calls to tech support stemming from security violations? Make the training timely and real-world by including recent scams in the news; sadly, there are plenty to choose from.
Simply put: security awareness training isn’t fun, and it’s not a silver bullet. Nevertheless, it is essential for ensuring that risky employee habits don’t undermine your IT/CISO efforts to protect your network, devices, applications, and data. Make sure that you train your employees continually, and that the training actually works.