How to improve your company’s cybersecurity training

By Geoff Schomburgk, Vice President, Australia & New Zealand, Yubico
Geoff Schomburgk, VP, Australia and NZ at Yubico, highlights three things an organisation can do to improve the value of its cybersecurity training

Amongst the many things that have been impacted by COVID-19, workplace training programs, especially cybersecurity training, are probably among those that have fallen off the radar. Understandably, many businesses have been focused on training and preparedness programs to help their employees and clients navigate the adoption of new technologies and processes whilst working remotely.

Learning about online security and mitigating threats from the rising number of phishing and man-in-the-middle attacks is something that is typically handled by an organisation’s IT department, which is challenging to execute while most companies are working fully remotely.

Despite the environment we are working in, there are three things an organisation can do to improve the value of their cybersecurity training for their business and staff.

Resourcing

Remote work can distance employees from essential security training staff and the messages they bring. Simply issuing digital content and telling staff “watch this video to complete your training” does not replace impactful face-to-face or virtual interactions with the organisation’s security experts. Ensuring that the cyber safety training is properly resourced is important, especially as more people are working from home and may be using their personal devices for work purposes.

It is more effective if the training program has the proper number of experts running it to ensure high-quality training that is tailored to the teams or individuals receiving it. If an organisation approaches security training with a “check the box” mentality, without emphasising the quality of the actual material, then it is most likely the effectiveness of the training will fall short.

In an ideal world, this shift to remote work will be the catalyst organisations need to embrace a more tailored security awareness training approach that accounts for an employee’s job, location, access, experience level, and other demographic characteristics. When we return to a more normal workplace life, hopefully this mindset sticks and organisations will be in a better position to continue to adapt and improve their security awareness programs.

One size does not fit all

When it comes to security training, it is best to customise the material for the employees: there is no one approach that will be relevant for every team. While opportunistic cybercriminals tend to target as many people as possible, employees such as senior managers, HR and IT administrators are more appealing targets because these groups have access to the type of confidential data and secure information that, if compromised, has the most value or potential for disruption. As hackers and scammers target their potential victims in different ways, it is imperative that any cyber training program takes this into account and is prepared accordingly.

In addition to factoring in the different types of attacks, workshops or lessons should consider what is most relevant to the team or department receiving the training, because what is essential information to your legal or IT teams may not be impactful knowledge for your marketing or administration staff.

When mapping out your training program, do not forget to include KPIs and measurements so that you can monitor the success of the employee cybersecurity training. As online risks and threats continue to evolve, so should your program. Having training outcome metrics will be useful when assessing any failures or areas of improvement and will ultimately help attain your security training goals.

Taking the pressure off employees

Similar to health or road safety campaigns, prevention is the best approach, but this is not an easy task when you’re managing a large number of employees. One way of reducing the risk of human error is to create cybersecurity processes that are simple and do not burden your employees with numerous options. This could include the IT team setting up employees’ accounts with strong passwords during onboarding.

While IT teams should assist employees with proper password management, two-factor authentication (2FA) should also be leveraged company-wide. 2FA is when a user is required to provide their username and password, plus something additional, like a one-time code or security key. When using a security key, users tap the key when prompted, proving that they are present at the device and should rightfully gain access, rather than it being a remote hacker. When conducting a company’s security training, 2FA should absolutely be included in the material.

Simplifying the 2FA options and setting clear expectations of which ones to use is not only beneficial but also less complicated for employees. If all businesses could implement strong security practices and also deliver effective cybersecurity training to their teams, then organisations could successfully prevent company breaches and would ultimately benefit as a whole.

Geoff Schomburgk is vice president, Australia & New Zealand, at authentication and security key specialist Yubico. He has over 25 years’ experience in the global Information & Communications Technology (ICT) industry.
