Research shows that over 90% of network breaches happen when an employee falls prey to a phishing email, clicking on the offered link or opening a file attachment, becoming infected with a remote access Trojan, and creating an entry point for the attacker. If only we could get people to stop falling for phishing emails!
This is really not such a hard thing to do. Most people would willing avoid being the goat in this scenario, if only they knew what to look for. What your company needs is a cybersecurity awareness training program.
A quick confession: I have been teaching these classes to individuals and business people since 2002, so I obviously am biased in favor of cybersecurity awareness training, and I am in favor of hiring an experienced professional cybersecurity trainer. The reason is that a good training experience will make or break this program. Getting Ned from IT to put together a slide deck and stumble through an unfocused presentation filled with technical jargon is not going to engage your employees and get them involved in cybersecurity. Ned may secretly think his coworkers are all clueless nitwits. This will show in his delivery. You need a pro who can deliver an exciting, engaging, and informative session that creates some excitement and enthusiasm for your cybersecurity program.
So what should your training program include?
- Regular schedule. Whether annually, quarterly, or monthly, your trainer should return periodically to review the usual topics as well as bring information about new exploits and risks. New employees should be trained when hired as part of their orientation or on-boarding process.
- Fun. This is computer training after all, and can be more boring than economics. If this is going to work you have to include some fun elements. Make it more of a party atmosphere if possible. Add some interactivity so the staff is actively involved, not just sitting through a lecture.
- Attention-grabbing. Tell some horror stories. There are plenty of examples of exploits against companies like yours to drive the reality home. Provide examples that illustrate your point. Use music and video for parts of your presentation.
- Inclusive. This training is for everyone, even the big guy or gal in charge. If you do not lead your team by example and show up for the training yourself, how can you expect them to take it seriously? Anyway, many exploits are targeted specifically a C-level executives now, so if this is you, you need to learn what is happening yourself.
- Informative. You of course have to cover the basics, such as phishing, malicious websites, physical safety and security, data and identity theft, and password policy. There may be compliance issues that pertain to your business, get your training to cover those issues as well.
- Relevant. Relate the material to your company or organization, show your employees how cybersecurity incidents can negatively impact not just the company, their job or continued employment, but their own and their families’ lives as well. Everyone with a computer is a potential victim in the free-for-all that we are in today. We all need to learn how to protect ourselves from these attacks.
Ready to start your own cybersecurity awareness program? This is a topic I am passionate about, so if you need help finds resources in your area, let me know, and I will do my best to help you gt started. Or use Google, or ask your peers at other companies how they are providing this sort of training. But do something. This is a low-cost project that can have a big financial return.Share
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com