Chuck Leaver – Make Your Security Awareness Training Count

Written by Chuck Leaver, Ziften CEO


Effective enterprise cybersecurity assumes that people, your employees, do the right thing. That they don't hand over their passwords to a caller who claims to be from the IT department doing a "credentials audit." That they don't wire $10 million to an Indonesian bank account after receiving a midnight demand from "the CEO".

That they don't install an "urgent update" to Flash Player prompted by a pop-up on a porn site. That they don't overshare on social media. That they don't store company data on file-sharing services outside the corporate firewall. That they don't connect to unsecured WiFi networks. And that they don't click on links in phishing emails.

Our research shows that over 75% of security incidents are caused or enabled by employee errors.

Sure, you've deployed endpoint security, email filters, and anti-malware. Those precautions will most likely be for nothing, though, if your employees do the wrong thing time and again in a risky situation. Cybersecurity controls are like a fancy car alarm: if you don't teach your teenager to lock the car at the mall, the alarm is worthless.

Security awareness alone isn't enough, of course. Employees will make mistakes, and some attacks don't require an employee misstep at all. That's why you still need endpoint security, email filters, anti-malware, and so on. But let's talk about effective security awareness training.

Why Training Often Doesn't Work

First, in my experience, a lot of employee training, well, sucks. That's especially true of online training, which is usually awful. But in most cases, whether live or canned, the training lacks credibility, partly because many IT specialists are poor and unconvincing communicators. The training often focuses on communicating and enforcing rules, not on changing risky behavior and habits. And it feels like mandatory copy machine training: there's nothing in it for the employees, so they don't take it on board.

It's not about imposing rules. While security awareness training might be "owned" by different departments, such as IT, the CISO's office, or HR, there is often little understanding of what a security awareness program actually is. First of all, it's not a checkbox; it has to be continuous. The training must be delivered in different ways and at different times, with a mix of live training, newsletters, small-group discussions, lunch-and-learns, and yes, even online resources.

Protecting yourself is not complicated!

But a huge issue is the lack of goals. If you don't know what you're trying to achieve, you can't tell whether the training did its job, or whether risky behaviors actually changed.

Here are some sample goals that can drive effective security awareness training:

Give employees the tools to recognize and handle the everyday security threats they encounter online and via email.

Let employees know they are part of the team, and that they can't simply rely on the IT/CISO teams to handle security.

Break the cycle of "unintentional ignorance" about safe computing practices.

Shift attitudes toward more secure practices: "If you see something, say something."

Review company policies and procedures, explained in actionable ways that are relevant to employees.

Make it Relevant

No matter who "owns" the program, visible executive support and management buy-in are essential. If the executives don't care, the employees won't either. Effective training doesn't talk in tech buzzwords; it concentrates on changing habits. Relate cybersecurity awareness to your employees' personal lives. (And while you're at it, teach them how to keep themselves, their families, and their homes safe. Chances are they don't know and are reluctant to ask.)

To make security awareness training truly relevant, solicit employee ideas and encourage feedback. Measure success: for example, did the number of external links clicked by employees decrease? What about calls to the help desk resulting from security violations? Make the training timely and real-world by including current scams in the news; unfortunately, there are plenty to choose from.
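The "did clicks go down?" question above hides a statistics trap: a quarter-to-quarter dip in a phishing-simulation click rate can be pure noise, and a training program judged on it will look like it works when it doesn't (or vice versa). The Python below is an added example, not code from the original post and not a Ziften tool. It scores constructed results from four simulated phishing rounds: for each round it reports the click rate and report rate with a 95% Wilson confidence interval, and it uses a pooled two-proportion z-test to flag only those drops versus the baseline round that are unlikely to be chance. The Campaign class, the round names and figures, and the one-sided 1.645 threshold are all assumptions for illustration.

```python
"""Is the drop in phishing-simulation click rate real, or just noise?

Added example, not from the original post. The campaign figures below are
constructed sample data for four simulated phishing rounds; the class,
round names and thresholds are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Campaign:
    """Results of one simulated-phishing round (constructed data)."""
    name: str
    sent: int       # emails delivered
    clicked: int    # recipients who clicked the link
    reported: int   # recipients who reported the email

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent


def wilson_interval(successes: int, n: int, z: float = 1.96) -> tuple[float, float]:
    """Wilson score interval for a proportion (95% by default).

    Preferred over the naive p +/- z*sqrt(p(1-p)/n) because it stays inside
    [0, 1] and behaves sensibly for small campaigns and rates near 0 or 1.
    """
    if n <= 0:
        raise ValueError("n must be positive")
    p = successes / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def two_proportion_z(before: Campaign, after: Campaign) -> float:
    """Pooled two-proportion z statistic for a *drop* in click rate.

    Positive values mean the later round had a lower click rate; the size
    says how many standard errors apart the two rates are.
    """
    pooled = (before.clicked + after.clicked) / (before.sent + after.sent)
    se = sqrt(pooled * (1 - pooled) * (1 / before.sent + 1 / after.sent))
    if se == 0.0:  # nobody clicked in either round: no measurable change
        return 0.0
    return (before.click_rate - after.click_rate) / se


def significant_drop(before: Campaign, after: Campaign, z_crit: float = 1.645) -> bool:
    """One-sided test at roughly the 5% level: did clicks really fall?"""
    return two_proportion_z(before, after) > z_crit


def trend_report(campaigns: list[Campaign]) -> list[dict]:
    """Compare every round against the first (baseline) round."""
    baseline = campaigns[0]
    rows = []
    for c in campaigns:
        lo, hi = wilson_interval(c.clicked, c.sent)
        rows.append({
            "campaign": c.name,
            "click_rate": round(c.click_rate, 3),
            "ci95": (round(lo, 3), round(hi, 3)),
            "report_rate": round(c.report_rate, 3),
            "real_drop_vs_baseline": c is not baseline and significant_drop(baseline, c),
        })
    return rows


# Constructed sample data: one simulated phishing round per quarter,
# 400 recipients each. Not real campaign results.
CAMPAIGNS = [
    Campaign("Round 1 (baseline)", sent=400, clicked=100, reported=40),
    Campaign("Round 2", sent=400, clicked=90, reported=70),
    Campaign("Round 3", sent=400, clicked=60, reported=130),
    Campaign("Round 4", sent=400, clicked=48, reported=160),
]

if __name__ == "__main__":
    for row in trend_report(CAMPAIGNS):
        print(row)
```

Running it prints one row per round. In the sample, the dip from 25% to 22.5% in round 2 is not distinguishable from noise with 400 recipients, while the drops to 15% and 12% are. Track the report rate alongside the click rate: a rising share of employees who report the email is the "see something, say something" behavior the goals above aim for, and it keeps improving even after the click rate bottoms out.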

In short: security awareness training isn't fun, and it's not a silver bullet. Nevertheless, it is essential to ensuring that risky employee habits don't undermine your IT/CISO efforts to secure your network, devices, applications, and data. Make sure that you train your employees continually, and that the training actually works.


~leaverchuck1

