Written by Charles Leaver, Ziften CEO
Effective corporate cybersecurity assumes that people, your employees, do the right thing. That they do not hand over their passwords to a caller who claims to be from the IT department conducting a “credentials audit.” That they do not wire $10 million to an Indonesian checking account after receiving a midnight demand from “the CEO.”
That they do not install an “urgent update” to Flash Player because a pop-up on a porn site told them to. That they do not overshare on social networks. That they do not store business data on file-sharing services outside the firewall. That they do not connect to unsecured Wi-Fi networks. And that they do not click links in phishing e-mails.
Our research shows that more than 75% of security incidents are caused or enabled by employee mistakes.
Sure, you have installed endpoint security, e-mail filters, and anti-malware solutions. Those precautions will likely count for nothing, however, if your employees do the wrong thing time and again when they find themselves in a risky situation. Our cybersecurity efforts are like a fancy car alarm: if you do not teach your teenager to lock the car at the mall, the alarm is worthless.
Security awareness is not enough, of course. Employees will make mistakes, and some attacks do not require an employee misstep at all. That is why you still need endpoint security, e-mail filters, anti-malware, and so on. But let us talk about effective security awareness training.
Why Training Frequently Fails to Have an Effect
First, in my experience, a lot of employee training is, well, poor. That is particularly true of online training, which is usually dreadful. But for the most part, whether live or canned, the training lacks credibility, in part because many IT professionals are poor, unconvincing communicators. The training often focuses on communicating and enforcing rules, not on changing risky behavior and habits. It is like mandatory copy-machine training: there is nothing in it for the employees, so they do not buy in.
It is not about enforcing rules. While security awareness training may be “owned” by any of several departments, such as IT, the CISO, or HR, there is often little understanding of what a security awareness program actually is. First of all, it is not a checkbox; it has to be ongoing. The training should be delivered in different ways and at different times, with a mix of live sessions, newsletters, small-group discussions, lunch-and-learns, and yes, even online resources.
Safeguarding yourself is not complicated!
But a big problem is the absence of objectives. If you do not know what you are trying to accomplish, you cannot tell whether the training did its job, or whether risky habits actually changed.
Here are some sample goals that can lead to effective security awareness training:
Give employees the tools to recognize and handle the day-to-day security threats they encounter online and via e-mail.
Make employees understand that they are part of the team, and that they cannot simply rely on the IT/CISO staff to handle security.
Halt the cycle of “unintended ignorance” about safe computing practices.
Shift mindsets toward safer practices: “If you see something, say something.”
Review company policies and procedures, described in actionable terms that relate to employees’ own work.
Make It Relevant
No matter who “owns” the program, it is important that there is visible executive backing and management buy-in. If the executives do not care, the employees will not either. Effective training does not talk in tech buzzwords; instead, it concentrates on changing behaviors. Relate cybersecurity awareness to your employees’ personal lives. (And while you are at it, teach them how to keep themselves, their families, and their homes safe. Odds are they do not know and are reluctant to ask.)
To make security awareness training truly relevant, solicit employee ideas and encourage feedback. Measure success: for example, did the number of external links clicked by employees decrease? How about help-desk calls resulting from security incidents? Make the training timely and real-world by including recent scams from the news; unfortunately, there are plenty to choose from.
In short: security awareness training is not fun, and it is not a silver bullet. But it is essential to ensuring that risky employee habits do not undermine your IT/CISO efforts to protect your network, devices, applications, and data. Make sure that you train your employees continually, and that the training works.