How to Make Your Employer Fix Their Terrible Cybersecurity Training
Explore why effective cybersecurity training is key in today’s high-threat digital landscape, and how employers can improve their programs for all.
In today’s world, with new cyber threats emerging daily, with new zero-day exploits and vulnerabilities everywhere, and with hackers regularly turning to artificial intelligence to make their attacks even more devastating, practicing cybersecurity needs to be as innate as breathing. Like an athlete’s muscle memory or the reactions of highly trained special forces, your cybersecurity practices need to be instinctive – an involuntary, yet well-honed response. This is crucial not only in our work environments but also in our personal lives, where the threat of cyberattacks is equally prevalent.
The only way for that to happen is through practice and effective cybersecurity training. Unfortunately, the only real place most people get cybersecurity training is through their employer. And the current state of employer-conducted cybersecurity training is usually dull and ineffective.
The Current State of Cybersecurity Training
Most cybersecurity training offered by employers is inadequate to actually improve cybersecurity skills. The typical “check the box” style of training – with its uninteresting videos and quizzes – fails to truly educate or motivate. The training is generally conducted to meet a company’s minimum obligations, such as regulatory or insurance requirements, rather than to improve cybersecurity skills or awareness.
Even in situations where employees retain any of the training they receive, the training often fails to connect the dots between what is learned in training and the real-world consequences of cybersecurity lapses.
In one concerning study from the UK, only a third of government employees acknowledged the impact of their actions on organizational security. More troubling was the revelation that a significant portion hadn’t reported phishing emails and a worrying 21% reported that they did not care if their organization was hacked. These figures are troublesome in two ways – not only do employees lack appropriate cybersecurity awareness, but a significant number don’t even consider it important.
The High Cost and Impact of a Data Breach
What these statistics reveal is a fundamental lack of understanding about how cybersecurity failures can impact all levels of an organization or business. The high costs associated with data breaches, including remediation, public relations, reputation repair, and potential legal liabilities are significant and only getting more expensive. The financial implications of a data breach extend far beyond executive bonuses or stock options – they can lead to severe consequences like personnel cuts and even the closure of entire business sections.
For small and medium-sized businesses, the threat is even more dire. For those businesses, there’s a 50% chance that a major data breach will permanently shut the business down within six months, simply because they cannot afford the fallout.
There’s a strong argument that training would become far more relevant and impactful if it illustrated the tangible consequences of cyber incidents, such as the financial impact of clicking on a single phishing link.
A Personal Call to Action
The common perception among the employees we’ve talked to is that the cybersecurity training they receive is at best marginally effective and usually uninteresting. Neither of us enjoys delivering training to uninterested participants; we always prefer an engaged and attentive audience. You don’t just need “better” cybersecurity training, you need GOOD cybersecurity training.
The quality of the training needs to be significantly improved, moving away from the ineffective and dull approach that is currently prevalent. Cybersecurity training should be based on interactive and entertaining methods that not only impart knowledge but also simulate real-world scenarios. Better engagement and interest in cybersecurity training are essential for its effectiveness. So how does it happen?
Well, it’s going to have to come from you. Your employer has every incentive to improve cybersecurity training, but usually lacks the impetus to change their existing system. Inertia is difficult to overcome. You, your co-workers, and everyone in the company need to advocate for improved cybersecurity training. The benefits for the company should make the improvements an easy sell. All that’s left is telling your employer how to do it. Fortunately, we’ve got you covered. Here are 4 ways your employer can stop failing at cybersecurity training:
1. You Need Dedicated Time for Cybersecurity Training
One of the most frequently raised complaints, both in surveys and conveyed to us directly, is that employees often lack sufficient time in their schedules for cybersecurity training. This scarcity of time is exacerbated by the prevalent approach of companies mandating online modules to be completed within broad deadlines, expecting employees to fit training into already packed schedules.
In most workplaces, cybersecurity training is viewed as an additional task, often relegated to the bottom of the priority list. It’s seen more as a compliance requirement than an integral part of the job. This perception leads to minimal engagement and retention, with employees often multitasking during training sessions, thereby absorbing very little. We don’t blame those employees, though. It’s absurd to expect employees to learn and retain information under such conditions. You would retain more if it were read to you while you slept!
Fortunately, the solution is clear: companies need to allocate dedicated time specifically for cybersecurity training. This approach involves adjusting expectations to accommodate training time, treating it as an essential part of the job rather than an extra task to be squeezed in. For most companies, an adequate cybersecurity training program could be conducted quarterly or semi-annually, but the key is ensuring this training is given the time and importance it deserves within the workday. This shift in approach is crucial for employees to genuinely engage with and benefit from cybersecurity training.
2. Ensure Cybersecurity Training is Relevant
It might seem obvious, but one of the biggest improvements that can be made to most cybersecurity training would be to cover scenarios employees actually encounter in their jobs. Training scenarios must be tailored to reflect the realistic situations employees encounter most frequently. This aspect of training is often overlooked, resulting in generic, less effective programs.
A significant cause of the problem is frequently a major disconnect between those conducting the training and those involved in active cybersecurity roles. Often, training is managed by teams not directly engaged with operational cybersecurity, such as HR or compliance departments, leading to a gap in addressing the real challenges faced by employees. To bridge this gap, those conducting cybersecurity training should collaborate closely with operational cybersecurity teams to identify the most pressing threats and tailor training accordingly. This approach focuses on the specific problems employees face, such as malware installation, phishing attacks, or unauthorized software use, thereby making the training more relevant and impactful.
Additional importance should be put on targeting the right employees with specific training. For instance, those involved in phone-based roles should be trained to recognize and respond to social engineering attempts. Employees handling payment processing need to be able to detect requests intended to circumvent established procedures through manipulation. The training should not only teach employees how to identify suspicious activities but also instruct them on the proper procedures to validate and verify requests, especially those that seem unusual or sketchy.
Critically, employees should not fear repercussions for following established procedures, even in the face of pressure from higher-ups. Employees face complex dynamics when dealing with potential cybersecurity threats, so emphasizing the need for clear, practical, and relevant cybersecurity training in the workplace is critical.
3. Ensure Cybersecurity Training is Interesting
The third critical area of improving cybersecurity training involves how it is delivered. Cybersecurity training should be interactive, engaging, and interesting, with a focus on participation and involvement. This approach contrasts sharply with traditional, often passive training methods.
The effectiveness of cybersecurity training heavily depends on the audience’s understanding and the relevance to their specific roles. For instance, training for a cybersecurity solutions provider would differ significantly from that of a grocery retailer, given the distinct nature of the threats each faces and the capabilities each company’s team members are expected to deploy. Understanding the business model and its associated cyber threats is crucial in developing targeted and effective training.
One key way to make cybersecurity training more interesting is to use the “gamification” approach. Although we feel the term is too frequently used and misused, we can’t emphasize enough that adding competitive and collaborative elements can significantly increase participation and retention. An excellent example is an IT service provider that used a gamified approach, involving a scoreboard and real-time competition, to make the training more engaging. This approach not only made the training more interactive but also showed how collaboration could lead to better outcomes.
Cybersecurity training should not just be about content delivery; it’s also about how the content is presented and interacted with. Engaging training methods that encourage active participation can dramatically increase what employees retain. Moreover, by demonstrating the relevance and importance of cybersecurity through well-constructed, interactive training sessions, employers can inspire their teams to take cybersecurity more seriously. It is the responsibility of employers to provide training that not only educates but also motivates and engages their employees. This is essential for developing a strong cybersecurity culture within the organization.
4. Everyone Gets Cybersecurity Training
The fourth and final improvement your employer needs to make to their cybersecurity training concerns the necessity of training everyone in the organization, regardless of their role or schedule. No one, even those in the C-suite, should be exempt from cybersecurity training. The training must be designed, scheduled, and conducted in a way that ensures universal participation.
How do you convince your employer to do this? We suggest quantifying the impact. Employees, particularly those at the executive level, need to understand that the business can only be as secure as its least protected part. Threat actors often target the weakest link, and if that happens to be an under-trained C-suite, it poses a significant risk not just to the organization’s cybersecurity but also to its overall health. This was underscored by alarming survey results indicating a staggering disregard for cybersecurity best practices among C-level executives, highlighting behaviors like password sharing and bypassing security measures.
Training should include emphasis on the importance of adhering to the least privilege model in cybersecurity. Training should not just explain the ‘why’ but also demonstrate the consequences of not following such protocols. This includes making C-suite executives understand and accept that they might not need access to all company information and systems.
Cybersecurity training should also be performed together. By training alongside workers of all different levels, you break down silos and ensure that everyone understands their specific roles and responsibilities in the event of a cyberattack.
For cybersecurity training to be effective, it must involve everyone in the organization, from the bottom to the top. By leading by example, C-suite executives can foster a culture of cybersecurity awareness and preparedness, ensuring that in times of crisis, the organization operates as a well-oiled machine, ready to respond effectively and efficiently.
We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at firstname.lastname@example.org or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity.
Half of Execs Request Security Bypass Over Past Year – InfoSecurity Magazine
How to make your security training fun? Think like a deviant – The Next Web
The 5 Cornerstones for an Effective Cyber Security Awareness Training – The Hacker News
#RSAC: Characterless Security Training Fails to Change User Behavior – InfoSecurity Magazine
Are We Ready to Give Up on Security Awareness Training? – The Hacker News
Fifth of Government Workers Don’t Care if Employer is Hacked – InfoSecurity Magazine
©2024 Fearless Paranoia