The recent data breach, in which a hacker stole 427 million MySpace passwords and tried to sell them for $2,800, highlights how vulnerable organizations are to data breaches and other cybercrimes. According to a study by IBM, almost 95 percent of all security incidents surveyed were caused by human error. In other words, the breaches occurred because employees acted out of sheer ignorance, not malicious intent. Yet not many organizations give serious thought to training employees on information security. A Cisco study cites that close to 43 percent of the IT professionals surveyed admitted that employee education on cyber security was not good enough.
So the key point to note is that while organizations invest huge amounts of money in setting up IT security systems, they don’t seem to be doing enough to train their employees to handle these systems securely.
How can employees be trained on cyber security?
Create awareness through one-way communication
No matter what you want your employees to be trained on, the first step is creating awareness. Unless they know what they are going to be trained on and why, they may not be keen to take the training. Hence, you can use executive speeches, e-mails, posters, wallet cards, tent cards, etc. to sensitize them to cyber security.
You also need to ensure that cyber security training targets the entire hierarchy of the organization, from top management to bottom-level employees. According to Safehackuk.com, top managers are frequently targeted due to their access to sensitive information. They are also targeted because hackers consider them a source of high monetary payoffs. Hence, training should be mandatory for employees at all levels.
Help employees identify cyber threats through incidents and scenarios
- You should clearly communicate to your employees the impact a cyber-crime may have on your operations and reputation, and how their cooperation can keep such threats away. For that, you may share cyber breach incidents, so that they understand the significance of complying with the security standards. For example, you can tell them how hackers accessed Citigroup’s website by exploiting a vulnerable Internet browser, which resulted in tens of thousands of accounts being breached. In another case, hackers accessed a technology company’s website that was poorly protected. That delayed business operations, as it took nearly a month for the company to get back to normal business, not to mention the time it took to recover the lost confidence of customers. Such incidents act as eye-openers and help pinpoint why cyber security should be given special attention.
- You can also train your employees to detect cyber threats through scenarios. These scenarios will help them identify potential red-flag situations and deal with them appropriately in a safe environment. For example, consider this scenario: an employee of an insurance company attends a conference on behalf of her company and realizes her laptop has been stolen. She assumes that since the laptop is password protected, the critical information stored on it will be safe, and does not report the theft. You can ask your employees whether the employee in question was correct in not reporting the incident and to justify their choice. The purpose of scenarios is to help them identify the dos and don’ts of cyber security best practices.
Switch to computer-based training for reinforcement
Though you’ve trained your employees on cyber security, how do you ensure that they remember all the different measures they need to take? For instance, they need to set strong passwords, identify suspicious emails, not open attachments from unknown sources, etc. It may not be effective to give employees a long list of precautions they need to take. For instance, if they receive a suspicious email and need help identifying whether it is a phishing email, what can they do? They need quick access to reference material. Each issue can be shared as a short video or learning module, which engages learners and increases retention and applicability. This also eases your employees’ burden by letting them access learning content based on their current need.
Test employees periodically using gamified assessments and scenarios
You can assess your employees’ knowledge of cyber security periodically through gamified assessments. The goal of gamified assessments is to link assessments with games to make them fun, engaging and effective. These assessments increase learners’ attention, provide interactive experiences, and improve knowledge retention. For example, let’s say an employee, in a rush to attend an emergency call, leaves his desktop unlocked and returns after an hour. You can ask your employees whether the employee in question did the right thing or not. If they opt for the right option, they score a goal or win a point that takes them further in the game.
One of our clients required us to create an online training module on Information system and security awareness. After explaining the concept and importance of Information system and security awareness, we incorporated certain scenarios related to desktop security, Internet usage and policy, social engineering, password construction and policy, etc. to assess learners’ understanding.
Having measures to safeguard your cyber security doesn’t ensure you are safe from hackers’ traps, as they benefit from employee negligence. Providing effective training that changes employee behavior from negligent to responsible is key to preventing cyber-attacks. Considering the importance of cyber security in the current scenario, you need to create awareness across your organization and train employees at all levels so that they act as shields against cyber-crimes.
What types of training do you deliver on cyber security? Tell us in the comments.