How to improve your company’s cybersecurity training
Among the many things that have been impacted by COVID-19, workplace training programs, and cybersecurity training in particular, have probably fallen off the radar. Understandably, many businesses have been focused on training and preparedness programs to help their employees and clients navigate the adoption of new technologies and processes whilst working remotely.
Learning about online security and mitigating threats from the rising number of phishing and man-in-the-middle attacks is typically handled by an organisation’s IT department, and this is challenging to execute while most companies are working fully remotely.
Despite the environment we are working in, there are three things an organisation can do to improve the value of their cybersecurity training for their business and staff.
Resourcing
Remote work can distance employees from essential security training staff and the messages they bring. Simply issuing digital content and telling staff “watch this video to complete your training” does not replace impactful face-to-face or virtual interactions with the organisation’s security experts. Ensuring that the cyber safety training is properly resourced is important, especially as more people are working from home and may be using their personal devices for work purposes.
Training is more effective when the program has enough experts running it to ensure high-quality training that is tailored to the teams or individuals receiving it. If an organisation approaches security training with a “check the box” mentality, without emphasising the quality of the actual material, then the effectiveness of the training will most likely fall short.
In an ideal world, this shift to remote work will be the catalyst organisations need to embrace a more tailored security awareness training approach that accounts for an employee’s job, location, access, experience level, and other demographic characteristics. When we return to a more normal workplace life, hopefully this mindset sticks and organisations will be in a better position to continue to adapt and improve their security awareness programs.
One size does not fit all
When it comes to security training, it is best to customise the material for the employees: there is no one approach that will be relevant for every team. While opportunistic cybercriminals tend to target as many people as possible, employees such as senior managers, HR and IT administrators are more appealing targets because they have access to the confidential data and secure information that has the most value or potential for disruption if compromised. As hackers and scammers target their potential victims in different ways, it is imperative that any cyber training program takes this into account and is prepared accordingly.
In addition to factoring in the different types of attacks, workshops or lessons should consider what is most relevant to the team or department receiving the training, because what is essential information to your legal or IT teams may not be impactful knowledge for your marketing or administration staff.
When mapping out your training program, do not forget to include KPIs and measurements so that you can monitor the success of the employee cybersecurity training. As online risks and threats continue to evolve, so should your program. Having training outcome metrics will be useful when assessing any failures or areas of improvement and will ultimately help attain your security training goals.
Taking the pressure off employees
As with health or road safety campaigns, prevention is the best approach, but this is not an easy task when you’re managing a large number of employees. One way of reducing the risk of human error is to create cybersecurity processes that are simple and do not burden your employees with numerous options. This could include the IT team setting up employees’ accounts with strong passwords during onboarding.
While IT teams should assist employees with proper password management, two-factor authentication (2FA) should also be leveraged company-wide. With 2FA, a user is required to provide their username and password plus something additional, like a one-time code or security key. When using a security key, users tap the key when prompted, proving that they are present at the device and should rightfully gain access, rather than being a remote hacker. When conducting a company’s security training, 2FA should absolutely be included in the material.
Simplifying the 2FA options and setting clear expectations of which ones to use is not only beneficial but also less complicated for employees. If businesses implement strong security practices and also deliver effective cybersecurity training to their teams, they can successfully prevent company breaches and will ultimately benefit as a whole.
Geoff Schomburgk is vice president, Australia & New Zealand, at authentication and security key specialist Yubico. He has over 25 years’ experience in the global Information & Communications Technology (ICT) industry.