There are members of the cybersecurity profession who say that Cybersecurity Awareness Training is a waste of time and money, because the average computer user just doesn’t care or can’t retain technical information. To them, I repeat a quote from Eppie Lederer aka Ann Landers – “If you think education is expensive – try ignorance.” I firmly believe that one of the best returns on investment in the cybersecurity realm is Cybersecurity Awareness Training for your employees.
You and your employees are targets of cyber-criminals. Me too, for that matter. The only way to protect yourself from these modern-day con-artists is to learn about the methods they employ to trick and persuade you, your staff and co-workers, friends and family members into doing something that will ultimately be harmful.
The problems with cybersecurity training are plentiful. The first is frequency; often these events are held only annually or sometimes quarterly. Often they are run only to fulfill a regulatory requirement (PCI, HIPAA, or GLBA). Often these sessions are presented by the head of the IT department, or another member of the IT staff. These people may not have the best public speaking skills. They might be boring. Often the content is relegated to a bunch of dry, boring statistics, difficult technical topics, or simple-minded slogans like “don’t click the link.” The audience is not truly engaged in a way that would be interesting, or dare I say, even entertaining. This sort of exercise is a waste of time.
A successful CAT program must be interesting, entertaining, and meaningful to the audience on a personal level, both for their workplace online life and their home life. The goal should be to help the audience understand the importance of vigilance, and teach them how to recognize when they are being set up for exploitation. A successful CAT program should increase cyber-awareness and actually change the behaviors of your user community. Here are some ideas for creating a CAT program that really produces results:
- Make it fun – Structuring cybersecurity training so it works like a game can help people get and stay engaged. Give out points, prizes, and awards. As part of the game, keep score and post it prominently. Whatever you do, remember to keep it fun.
- Bring in professional training talent – Find an outside trainer to provide a live session at least once a year. There is power in hiring “the outside expert.” Audition them for both content and delivery. You want someone with a good sense of humor who can keep it fun. Play a game such as security bingo to keep it interactive. Make this your big annual security event. Cater lunch for the staff. Hold an awards event.
- Recognize and reward secure behavior – Get a stack of $5 coffee shop or fast food gift cards. Give them away when members of your staff catch and report a phishing email or flag an incipient computer security incident. Or develop a point system with larger quarterly prizes. Add a recognition event to your next training or employee meeting, and hand out plaques or certificates to top security performers.
- Identify your cyber-stars – Some of your employees will be attracted to cybersecurity, and become internal alert systems or advocates. Identify and cultivate these players. Maybe you can create your own home-grown security team!
- Increase frequency – Once a year is not enough. Quarterly is good. Monthly would be better yet. Or best, keep it on-going with programs that include random phishing testing and quick lunch and learn events. Develop an in-house weekly security newsletter to keep the staff informed about the latest exploits you are seeing on your own network. You can easily share content from blogs like this one.
- Automate – We are technologists after all. You can subscribe to automated programs that provide phishing and other exploit simulations coupled with short online training sessions. A program such as this can be running continuously in the background on your network. This will tend to keep your team alert for actual exploits.
- Give it a purpose – Many times people think that they or their company may be too small to be an interesting target for cyber-criminals. The truth is quite the opposite. Your company has information, equipment, financial, and other assets that can be compromised, hijacked, stolen, held for ransom, or sold on the Dark Web. Make sure your training focuses on the cyber-criminal end-game and explains the monetary value of stolen information, and the importance of data security.
- Audit and analyze – Put some metrics around your program. The automated content should have performance metrics built in. Documenting improvement is important to show the value of your CAT program to business owners or managers. Identifying employees who are failing to learn allows you to focus on the weakest links in your organization, or identify a potential insider threat.
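As an added example, not part of the original post, here is a small Python script over constructed phishing-simulation results that produces the kind of numbers the "Recognize and reward", "Identify your cyber-stars" and "Audit and analyze" items call for: per-campaign click and report rates, repeat clickers who need extra coaching, and top reporters who have earned a gift card. The CSV layout, column names and employee names are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data (not real results): one row per simulated phishing
# email sent; "outcome" is what the employee did with it.
SAMPLE_RESULTS = """campaign,employee,outcome
2024-Q1,alice,reported
2024-Q1,bob,clicked
2024-Q1,carol,ignored
2024-Q1,dave,clicked
2024-Q2,alice,reported
2024-Q2,bob,clicked
2024-Q2,carol,reported
2024-Q2,dave,ignored
2024-Q3,alice,reported
2024-Q3,bob,clicked
2024-Q3,carol,reported
2024-Q3,dave,reported
"""

def load_results(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def campaign_rates(rows):
    """Per-campaign click rate and report rate as fractions of emails sent.
    A falling click rate and a rising report rate over time is the
    improvement you document for management."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in rows:
        c = r["campaign"]
        sent[c] += 1
        clicked[c] += int(r["outcome"] == "clicked")
        reported[c] += int(r["outcome"] == "reported")
    return {c: {"click_rate": clicked[c] / sent[c],
                "report_rate": reported[c] / sent[c]} for c in sorted(sent)}

def repeat_clickers(rows, threshold=2):
    """Employees who clicked in at least `threshold` campaigns: the weakest
    links to focus follow-up training on."""
    clicks = defaultdict(int)
    for r in rows:
        if r["outcome"] == "clicked":
            clicks[r["employee"]] += 1
    return sorted(e for e, n in clicks.items() if n >= threshold)

def top_reporters(rows, limit=2):
    """Employees with the most reported simulations: candidates for rewards
    and for your home-grown security team."""
    reports = defaultdict(int)
    for r in rows:
        if r["outcome"] == "reported":
            reports[r["employee"]] += 1
    return sorted(reports, key=lambda e: (-reports[e], e))[:limit]
```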
Hopefully we have given you some ideas to take to your management the next time you are discussing adding cyber awareness training to your security operations. Just remember to keep it fun and entertaining.