Part 4 of 6: This blog series details 5 practical steps for creating a culture of cybersecurity in the workplace.
If asked to describe your cybersecurity awareness training program, what would you say? What does your training consist of? How often does training occur? Are employees engaged in the training? How often do you update the content? Do you follow up on what was taught after the training concludes?
Answering any of these questions honestly may quickly reveal that your cybersecurity awareness training is inadequate. Worse yet, you may recognize that your current training plan is a massive waste of time and resources.
If you’ve followed our process for creating a culture of security, the groundwork for a comprehensive training plan is already laid: you first assessed your current security posture, then created buy-in amongst all employees. The assessment revealed the key strengths and weaknesses in your current cybersecurity environment, which should guide the content of your awareness training program, and the buy-in makes implementing that training less of a struggle. Follow these steps in sequence; each one builds on the last.
An effective cybersecurity awareness plan is the foundation of a security culture; without proper training, every other step loses most of its value. To institute an effective awareness training plan, the information provided needs to be:
- Manageable: Rather than cram all of the information into a full-day seminar, break it down into more reasonable time-spans with opportunities for information processing and practice.
- Timely: From on-boarding to off-boarding, and every step in between, employees need to be up to date on the latest threats.
- Practical: Speak to employees on their level; don’t use technical jargon that will go over their heads. Provide real-life uses for every topic covered.
- Engaging: Reusing the same tired, outdated PowerPoint is not only boring but ineffective. Provide opportunities for employees to get involved and give feedback.
Combining these four elements often requires a complete overhaul of the current training process, but when the goal is protecting sensitive company data, the outcome is worth the effort. The tips below will help your training program meet all of the above requirements and turn staff members into a first line of defense for protecting information.
Understand and communicate your objectives.
Knowing the objectives of your training plan keeps it focused and easy to communicate. According to the National Institute of Standards and Technology (NIST), the objectives of a cybersecurity awareness and training program are to:
- Communicate risks and vulnerabilities facing the business environment
- Communicate company objectives regarding security and enterprise risk
- Communicate company policies & procedures regarding security and enterprise risk
- Communicate organization roles and responsibilities
- Invite audience input, feedback, and ideas
- Provide resources and tools for deeper knowledge
- Provide a mechanism for ongoing communication on issues related to risks and vulnerabilities
Use these guidelines to develop a comprehensive training approach that addresses each objective.
Make training an ongoing effort.
Security awareness training doesn’t start and end with on-boarding. It isn’t a yearly review of policies, and it shouldn’t happen only in response to an attack that has already occurred. Work with the HR department to develop a cybersecurity on-boarding program for new employees. This is the time to set expectations: it is easier to teach healthy security habits from the start than to correct bad ones down the line.
From there, training updates should occur on a regular basis that goes far beyond a yearly review. As new threats emerge, employees should be trained to recognize them right away. Develop monthly awareness campaign updates, self-guided refresher courses, or hands-on threat detection exercises such as simulated phishing emails. Measure the outcome of each exercise, for example the share of staff who report the simulated phish versus the share who click it, so you can tell whether the training is actually changing behavior. Not all training needs to take up an entire afternoon with every employee in attendance.
Make it engaging.
Cybersecurity threats are ever evolving. Yet many organizations use the same slide presentation they’ve used year after year for the past decade. Now imagine you are an employee who has been with the organization since that presentation was developed: what’s the likelihood you’re paying attention? Slim to none.
While keeping information up to date is crucial, the typical lecture/slideshow approach is probably not the most effective strategy. Training needs to be interesting and engaging to capture attention and set the tone for what occurs after the session concludes. Here are a few techniques:
- Invite an outside firm to conduct your training. Not only are they practiced at it, but the sight of an unfamiliar face will spark interest among employees.
- Create competitions between departments, management levels, etc.
- Utilize hands-on training methods to make the topics realistic and break up the information dissemination.
- Make information even more relevant by relating it to employees’ lives outside of work so that it’s not just seen as a ‘work thing’.
If your employees are not learning and retaining the information being communicated, then your training is just a waste of time. Engage your employees, and not only will the time spent be worthwhile, but you will see your training efforts pay dividends in the future.
Keep it real. Keep it focused.
The latest multi-million dollar cyber attack is an interesting anecdote to listen to, but most employees won’t relate it to their everyday routine. Breakout sessions for different departments, information access levels, or job roles let you take an overarching cybersecurity message and break it down into relatable examples for each group.
For example, NIST suggests creating training programs for the following three levels:
- Basic: Target Audience – Everyone. Featuring everyday security issues and visible risks.
- Intermediate: Target Audience – Management, Developers, Tech Savvy Users. Featuring hidden risks, consideration of security in business processes, and compliance and audits.
- Advanced: Target Audience – System Administrators, Technical Personnel. Featuring potential vulnerabilities, threats, and risks in computing systems, security policy settings, etc.
Cybersecurity training should not be seen as another checkmark on a list of to-do’s for management, or a meaningless activity that employees dread. When effective training is seen as a crucial step in creating a culture of security, the results will be tangible and long-lasting.