Cyber Security awareness training is a type of staff training. It is designed to give people in a business the information they need to protect themselves and the organisation from loss or harm due to a cyber attack.
Organisations that need to comply with industry regulations or frameworks such as PCI DSS (the Payment Card Industry Data Security Standard) or ISO/IEC 27001 will usually deliver security awareness training to their employees once or twice a year. However, all small and medium-sized businesses would benefit from training their employees. Cyber crime is on the increase and a cyber attack can be devastating to a business.
Cyber security awareness training is not the type of training that can be delivered once and then forgotten about. It requires constant reinforcement, updating and testing of understanding. This can make it a challenge for businesses to plan and deliver.
Why Cyber Security Awareness Training?
Your people are your first line of defence against any cyber crime. Unfortunately they are also often your weakest link.
First, staff need to be made aware that attackers are actively trying to trick them. You can then move on to training people how to spot possible attacks and take appropriate action.
Cybercrime moves fast. A few years ago cybercriminals specialised in identity theft; now they take over your organisation's network, gain access to your bank accounts and steal tens or hundreds of thousands of pounds. Organisations of every size and type are at risk.
How do you prevent being the next cyber-heist victim? You really need what we call a strong human firewall as your first and last line of defence.
How To Run A Successful Cyber Security Awareness Training Program
Critical components of a cyber security awareness program:
- Content – Content is king! We all prefer different types and styles of content, don’t approach content as one size fits all. Match different content types to different roles.
- Executive Support & Planning – Materials that help you prove the value of the program to your executive team, and also to show auditors/regulators that you are doing the right thing.
- Campaign Support Materials – A successful program shouldn’t be ‘one and done’, treat it as a marketing endeavour. Once-a-year, ‘check the box’ training will not work toward changing user behaviour. Continuously presenting the information in different ways, when it coincides with the context of their life, is what will influence their decisions and make it EASIER for users to make smarter choices.
- Testing – Reinforce training by getting people to apply it in a simulated situation. A phishing simulation gives each user three possible outcomes: click the link, report the phish, or do nothing. The outcome you want is a report, because reports tell you a campaign is active and give the security team the chance to remove it from other mailboxes, which is what builds resilience. If someone does click, deliver a short piece of training then and there, while the mistake is fresh. Doing nothing is not ideal: the message is still sitting in inboxes and somebody else may click it.
- Metrics & Reporting – You need to be able to show you are closing security gaps. Reporting is also useful for optimising campaigns based on past results. You want to be able to see what is working well and what can be improved upon.
- Surveys/Assessments – These tools help you understand the attitudes of your organisation and how well your program is resonating with your people, so you can adapt. Think of it as a pulse check of subtle nuances that metrics and reporting do not capture, such as opinions and frame of mind.
Program Development
Learning doesn’t just happen at one point in time, we need to think about the entire context of user experience. Consider this 70:20:10 model for learning and development:
- 10% Formal – Structured learning, training days, etc. This is about the maximum amount of time you can allot per user for formal training. You need to be thinking about ways to address the other 90% of someone’s experience.
- 20% Informal – This would include asking others, collaborating, webinars, watching videos, reading, etc. Think about how to build an informal community for users to know where to go to get the information they need when they are actually seeking it out.
- 70% Experiential – On-the-job, social, in the workflow, corporate and departmental culture. From a security aspect, if we ignore that 70% social/cultural component, we put ourselves at a disadvantage. Think about ways to address the entire 100%.
The Four Stages of Competence
- Lack of Awareness – Unconscious Incompetence or “I don’t know that I don’t know something.” They are blissfully unaware and their behaviour will reflect that.
- Awareness – Conscious Incompetence or “I know that I don’t know something.” They now realise they don’t have all the knowledge and tools they need. We can hope that will move them to the next stage.
- Step-by-step – Conscious Competence or “I know something, but I have to think about it as I do it.” They either need to access stored information or really intentionally weigh all the options then come to the right conclusion.
- Skilled Stage – Unconscious Competence or “I know something so well that I don’t have to think about it.” This is where most of us are with pattern-based behaviours like driving, brushing our teeth, etc. At some point these things were difficult, and we can actually build up to this stage.
The problem is that traditional programs fail by leaving users to linger in stages 1 and 2. Design your program to push them all the way through to stage 4. Getting users to stage 4 through constant training and simulation is ideal and cultivates the kind of behaviour that can protect you from a breach.
Plan like a Marketer. Test like an Attacker.
Plan a multi channel campaign. Different types of content, at different times, targeting different audiences going through different channels. This gives a constant flow of information. It also means information arrives at different times and on different contexts. It feels more real and less simulated. This is especially important with simulations and tests.
This approach builds reflexes and muscle memory for your people, which is where the testing component comes in. No matter which tool you use, even if you are using a homegrown program, you need to send a social engineering test like a phishing test to users at least every 30 days.
By doing both training and testing, you are running a hearts and minds campaign like a marketer would. Over a period of time, through different channels and mediums, you can start building influence in the mind. Supplementing that with frequent simulated phishing builds the muscle memory on top, so users naturally react in the right way. That is the key to building resilience.
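The Testing and Metrics & Reporting components above, and the 30-day testing cadence, all come down to keeping a record of each simulation outcome and turning it into something you can act on and show to management. The following is an added example written for this page, not code from the original article or from any particular training product. It scores a constructed simulation event log: per-campaign click and report rates, a reports-per-click "resilience" ratio, repeat clickers who should get targeted training, and users who have gone longer than 30 days without a test. The user names, campaign identifiers, dates and the 30-day threshold are all assumptions made up for the example.

```python
"""Added example (not part of the original article): scoring a phishing
simulation programme from a constructed event log.

Each event is (campaign, sent_date, user, outcome), where outcome is one of
"click", "report" or "ignore" (the three results the article describes).
All names, dates and thresholds below are made up for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: three monthly campaigns sent to a small team.
EVENTS = [
    ("2024-01", "2024-01-10", "alice", "report"),
    ("2024-01", "2024-01-10", "bob",   "click"),
    ("2024-01", "2024-01-10", "carol", "ignore"),
    ("2024-01", "2024-01-10", "dave",  "click"),
    ("2024-01", "2024-01-10", "erin",  "report"),
    ("2024-02", "2024-02-12", "alice", "report"),
    ("2024-02", "2024-02-12", "bob",   "click"),
    ("2024-02", "2024-02-12", "carol", "report"),
    ("2024-02", "2024-02-12", "dave",  "ignore"),
    ("2024-03", "2024-03-11", "alice", "report"),
    ("2024-03", "2024-03-11", "bob",   "report"),
    ("2024-03", "2024-03-11", "carol", "report"),
    ("2024-03", "2024-03-11", "dave",  "click"),
]


def campaign_metrics(events):
    """Per-campaign click rate, report rate and resilience (reports per click)."""
    sent, clicks, reports = defaultdict(int), defaultdict(int), defaultdict(int)
    for campaign, _, _, outcome in events:
        sent[campaign] += 1
        if outcome == "click":
            clicks[campaign] += 1
        elif outcome == "report":
            reports[campaign] += 1
    metrics = {}
    for campaign in sorted(sent):
        n = sent[campaign]
        metrics[campaign] = {
            "sent": n,
            "click_rate": round(clicks[campaign] / n, 3),
            "report_rate": round(reports[campaign] / n, 3),
            # Resilience is undefined when nobody clicked; report None rather than divide by zero.
            "resilience": round(reports[campaign] / clicks[campaign], 2) if clicks[campaign] else None,
        }
    return metrics


def report_rate_improving(metrics):
    """True when the report rate never falls from one campaign to the next: the
    'closing the gap' trend you want to show an executive or auditor."""
    rates = [m["report_rate"] for _, m in sorted(metrics.items())]
    return all(later >= earlier for earlier, later in zip(rates, rates[1:]))


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least min_clicks distinct campaigns: the people
    to target with extra, role-specific content rather than another generic video."""
    campaigns_clicked = defaultdict(set)
    for campaign, _, user, outcome in events:
        if outcome == "click":
            campaigns_clicked[user].add(campaign)
    return sorted(u for u, c in campaigns_clicked.items() if len(c) >= min_clicks)


def overdue_for_test(events, today_iso, max_gap_days=30):
    """Users whose most recent simulation is older than max_gap_days
    (the article's at-least-every-30-days cadence)."""
    last_tested = {}
    for _, sent_iso, user, _ in events:
        sent = date.fromisoformat(sent_iso)
        last_tested[user] = max(last_tested.get(user, sent), sent)
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_gap_days)
    return sorted(u for u, d in last_tested.items() if d < cutoff)


if __name__ == "__main__":
    m = campaign_metrics(EVENTS)
    for campaign, row in m.items():
        print(campaign, row)
    print("report rate improving:", report_rate_improving(m))
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("overdue for a test:", overdue_for_test(EVENTS, "2024-03-20"))
```

Run as written, the report rate climbs from 0.4 to 0.75 over the three constructed campaigns while the click rate falls, bob and dave are flagged for targeted training because each clicked in two separate campaigns, and erin, who was only ever sent the January test, shows up as overdue. In a real program the event list would come from your simulation tool's export, and the repeat-clicker and overdue lists are the two outputs worth automating: one feeds the just-in-time training the article recommends, the other keeps the 30-day cadence honest for joiners and people who missed a campaign.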
How We Can Help
Designing your own cyber security awareness training program is time consuming and there are a lot of elements to bring together. We can provide a complete cyber security training solution, that incorporates phishing simulation (the test element) and will get your staff up to speed in no time. If you’d like to find out more about cyber security awareness training, or any other element of cyber security please do not hesitate to contact us.
Please feel free to call us on 0115 8220200. If you’d rather we call you, complete our Contact Form, or book a time to chat in our calendar. There is no obligation to move beyond an initial call, and no obligation to buy anything, ever.