Without a trained workforce, your organization’s cybersecurity strategy is incomplete. An estimated 91% of attacks targeting businesses begin with an email received by an employee. The mishandling of a single malicious message resulting in installation of ransomware could lead to hundreds of thousands of dollars in damages as well as a loss of customer trust – an impact so significant that the targeted business may be unable to recover. This is but one example of why an effective cybersecurity training program is essential. But how can you effectively engage your workforce and ensure that they receive and retain the information they need to recognize and properly respond to potential threats? Some methods work better than others.
First, get management involved
It’s going to be difficult to develop a company-wide training program without management support, so it may be necessary to first educate the managers. Data on the financial impact of cyber attacks, and on its year-over-year increase, is readily available with minimal research required. You may need to put together a presentation with statistics relating to the consequences of these attacks. Including information about how companies like yours have been negatively impacted could be most helpful. Once management is aware of the need, they should be supportive of your ongoing efforts.
Assess your current program’s status
Do you already have a training program in place? If so, talk with those involved in putting the program and coursework together. Speak to the trainers. Randomly select a cross-section of employees and get their input regarding the effectiveness and shortcomings of the current program. Putting together a survey that guarantees the anonymity of those who respond could generate valuable feedback.
Review the results of your research. What is working and what isn’t? Which training delivery methods produce the best results? Are employees retaining the information provided?
Take a look at your organization’s overall attack surface. Are there any weaknesses or risks that are not sufficiently mitigated by technical controls? If so, might they be addressed through user training? These could include physical security issues (think access to restricted areas), locking screens when leaving workstations to protect confidential information, data storage practices, etc.
Once you’ve determined what works best in your existing program and identified its shortcomings, you’ll know what to keep, what to replace, what to dump, and what to add.
Require active participation and go covert
Sending out a security newsletter and trusting that employees will read it, or having them watch a training video with a short quiz at the end, probably won’t produce the best possible results. Requiring them to participate in training like tabletop exercises will ensure that they are actively engaged. If there is anything they don’t understand or that they wish to discuss further, they have the ability to speak up. Comprehension and retention are thereby improved.
Adding some stress to the training mix can yield even better results. Simulation injects stress if employees can’t tell whether or not a potential attack is real. Phishing simulation applications allow you to send fake messages that look like those currently being distributed by cybercriminals. Recipients have no way of knowing whether or not they are the real thing. Many of these applications allow you to track the recipient’s response. Did they open the email, click a link, or download an attachment? If so, is additional training needed? Some phishing simulation applications include the capability to measure the overall progress of the user community with regard to how they handle potentially malicious emails and how effective the training is over time.
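The tracking the paragraph above describes is ultimately a small aggregation over per-recipient events. The following is an added example (not part of this article and not any particular simulation product’s code) that turns a constructed event list into the measurements a program owner would want: per-campaign failure and report rates, the change in failure rate from the first campaign to the latest, and the recipients who interacted with the lure in more than one campaign and are therefore candidates for additional training. The campaign labels, user names and action names are assumptions made for the sample.

```python
"""Aggregate phishing-simulation results into training metrics.

Computes per-campaign failure/report rates, the trend across campaigns,
and the recipients who repeatedly fall for simulated lures.
All event data below is constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: one record per recipient per campaign.
# The action names are assumed; real platforms use their own event vocabulary.
EVENTS = [
    # (campaign, user, action)
    ("2024-01", "alice", "reported"),
    ("2024-01", "bob", "clicked"),
    ("2024-01", "carol", "opened"),
    ("2024-01", "dave", "downloaded"),
    ("2024-01", "erin", "ignored"),
    ("2024-04", "alice", "reported"),
    ("2024-04", "bob", "clicked"),
    ("2024-04", "carol", "reported"),
    ("2024-04", "dave", "opened"),
    ("2024-04", "erin", "reported"),
    ("2024-07", "alice", "reported"),
    ("2024-07", "bob", "clicked"),
    ("2024-07", "carol", "reported"),
    ("2024-07", "dave", "reported"),
    ("2024-07", "erin", "ignored"),
]

# "Failed" means the recipient interacted with the lure (link or attachment)
# rather than reporting or ignoring it. Merely opening is not counted as a failure.
FAILING_ACTIONS = {"clicked", "downloaded"}


def campaign_metrics(events):
    """Return {campaign: {"recipients", "fail_rate", "report_rate"}} keyed in campaign order."""
    per_campaign = defaultdict(lambda: {"recipients": 0, "failed": 0, "reported": 0})
    for campaign, _user, action in events:
        row = per_campaign[campaign]
        row["recipients"] += 1
        if action in FAILING_ACTIONS:
            row["failed"] += 1
        elif action == "reported":
            row["reported"] += 1
    result = {}
    for campaign in sorted(per_campaign):
        row = per_campaign[campaign]
        n = row["recipients"]
        result[campaign] = {
            "recipients": n,
            "fail_rate": round(row["failed"] / n, 2),
            "report_rate": round(row["reported"] / n, 2),
        }
    return result


def repeat_offenders(events, threshold=2):
    """Users who failed in at least `threshold` distinct campaigns: candidates for extra training."""
    fails = defaultdict(set)
    for campaign, user, action in events:
        if action in FAILING_ACTIONS:
            fails[user].add(campaign)
    return sorted(user for user, campaigns in fails.items() if len(campaigns) >= threshold)


def trend(metrics, key="fail_rate"):
    """Latest campaign minus earliest campaign for `key`; a negative fail_rate delta is improvement."""
    campaigns = sorted(metrics)
    return round(metrics[campaigns[-1]][key] - metrics[campaigns[0]][key], 2)


if __name__ == "__main__":
    metrics = campaign_metrics(EVENTS)
    for campaign, row in metrics.items():
        print(campaign, row)
    print("repeat offenders:", repeat_offenders(EVENTS))
    print("fail-rate change, first -> latest:", trend(metrics))
```

The report rate is worth tracking alongside the failure rate: a program is working when users not only stop clicking but start reporting, since reported messages are what gives the security team early warning of a real campaign.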
If your company uses Microsoft 365 or Microsoft Defender 365, some versions now include phishing simulation functionality. You can read more about it here:
If you have some budding actors on staff, you may wish to enlist their help in making some phone calls, perhaps posing as the help desk, to try to convince employees to provide login credentials or other sensitive information. You might also try some tailgating to find out whether it’s possible for an employee without access to restricted areas to gain entry by following others inside. Employees should challenge these individuals to determine whether they are authorized to enter these areas and, if not, know where to direct them for assistance.
Be creative in your simulations and keep your coworkers on their toes. They may find it annoying, but they’ll remember the experiences when the real thing occurs.
Give them real-life examples
People remember things that shock them. They also retain information they can use outside of work because it benefits them personally. Try including some cyber attack horror stories in your training material. They don’t necessarily need to be business related. For example, true stories about people who have suffered greatly as a result of sharing too much on social media sites will raise the level of awareness with regard to oversharing, both at home and at work.
Consider an LMS or third-party training provider
If you lack sufficient resources to spend the time required for development of an effective training program, consider installing a Learning Management System (LMS) application. An LMS automates much of the process of developing and deploying training materials and coursework. These applications also offer detailed reporting capabilities useful in tracking training and user progress as well as evaluating overall program effectiveness. If your organization is subject to regulatory requirements relating to training, an LMS can also provide evidence of compliance through its reporting functionality.
If an LMS application doesn’t meet your needs, there are a number of third-party training providers available. Some have the ability to integrate their programs with your Active Directory and provide auto-enrollment capabilities as well as training reports.
Update materials and train continuously
Threats continuously evolve. Your training program must be regularly updated with new threat information to keep it current. Avoid getting stuck in a routine. In order for your program to be effective, it can’t be restricted to a set schedule. When new threats emerge or your environment’s threat surface changes, use your training resources to relay information to the user community as needed.
Develop a reporting process
If you don’t have one already, your training program should include a reporting process. Once your users know what to look for, they need a procedure by which to let the right person or department know when they observe a potential threat. Employees should, for example, be taught how to send suspicious emails to the individual or department responsible for reviewing them and to preserve the header information when doing so. They should be provided with a process to confidentially report disgruntled employees with the potential to perpetrate insider attacks. They should know who to contact if they receive a suspicious phone call. Depending on your environment, the reporting process could be fairly straightforward or more complex.
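The instruction to preserve header information when reporting a suspicious email is easy to state and easy to get wrong: a plain “Forward” creates a new message that quotes only the body, so the Received chain, Return-Path and Authentication-Results of the original never reach the review team, whereas “Forward as attachment” wraps the original message intact. The following added example (not part of this article, written with Python’s standard email library) simulates both kinds of report from a constructed suspicious message and shows what a triage script can recover from each. The domains, mailbox names and header values are placeholders constructed for the sample.

```python
"""Why suspicious mail should be reported as an attachment, not forwarded inline.

Simulates both report styles and extracts the headers a review team needs.
The message and addresses below are constructed placeholders.
"""
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed original message as it would sit in the user's mailbox.
# Note the SPF failure and the Return-Path domain differing from the From domain.
ORIGINAL = """\
Return-Path: <bounce@example-lure.invalid>
Received: from mx.example.org (mx.example.org [192.0.2.10]) by mail.example.org with ESMTP; Mon, 1 Jan 2024 09:00:00 +0000
Received: from sender.example-lure.invalid (sender.example-lure.invalid [198.51.100.7]) by mx.example.org with ESMTP; Mon, 1 Jan 2024 08:59:58 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example-lure.invalid; dkim=none
From: "IT Help Desk" <helpdesk@example.org>
To: user@example.org
Subject: Password expiry notice
Message-ID: <constructed-id-1@example-lure.invalid>

Your password expires today. Visit the portal to renew it.
"""

# Headers the review team wants from the *reported* message.
TRIAGE_HEADERS = ("Return-Path", "Received", "Authentication-Results", "From", "Message-ID")


def forward_inline(raw, reporter, triage):
    """Simulate a plain 'Forward': a new message whose body quotes only the original text."""
    orig = message_from_string(raw, policy=policy.default)
    fwd = EmailMessage()
    fwd["From"] = reporter
    fwd["To"] = triage
    fwd["Subject"] = "FW: " + orig["Subject"]
    fwd.set_content("---------- Forwarded message ----------\n" + orig.get_content())
    return fwd.as_string()


def forward_as_attachment(raw, reporter, triage):
    """Simulate 'Forward as attachment': the original is attached as a message/rfc822 part."""
    orig = message_from_string(raw, policy=policy.default)
    fwd = EmailMessage()
    fwd["From"] = reporter
    fwd["To"] = triage
    fwd["Subject"] = "Suspicious email report"
    fwd.set_content("Attached is a suspicious message for review.")
    fwd.add_attachment(orig)  # rfc822 attachment keeps the original headers intact
    return fwd.as_string()


def extract_original_headers(report_raw):
    """Return triage headers of the reported message: from an rfc822 attachment if present,
    otherwise from the top level of the report itself (which is all an inline forward has)."""
    msg = message_from_string(report_raw, policy=policy.default)
    candidate = msg
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            candidate = part.get_payload(0)  # the attached original message
            break
    return {h: [str(v) for v in candidate.get_all(h, [])] for h in TRIAGE_HEADERS}


def analyze_report(report_raw):
    """Summarise whether the transport headers survived and what they say."""
    hdrs = extract_original_headers(report_raw)
    auth = " ".join(hdrs["Authentication-Results"])
    return {
        "received_hops": len(hdrs["Received"]),
        "headers_preserved": bool(hdrs["Received"]) and bool(hdrs["Return-Path"]),
        "spf_fail": "spf=fail" in auth,
    }


if __name__ == "__main__":
    reporter, triage = "user@example.org", "phish-report@example.org"
    print("inline forward:  ", analyze_report(forward_inline(ORIGINAL, reporter, triage)))
    print("as attachment:   ", analyze_report(forward_as_attachment(ORIGINAL, reporter, triage)))
```

Run stand-alone, the inline report yields zero Received hops and no authentication results, so the reviewer cannot tell where the message actually came from; the attached copy retains both hops and the SPF failure. That difference is the reason the reporting procedure should spell out the mechanism (forward as attachment, or a report button that does the same) rather than simply asking users to “send it to security”.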
As cybercriminals work incessantly to find new ways to take advantage of the human factor and the costs resulting from successful attacks continue to increase, the need to train employees to protect themselves and their employers becomes even more critical. Incorporating more creative and effective methods for training delivery increases participation and improves retention. Continuous evaluation and updating of the program is necessary to keep up with the changing threat environment. If you are finding it difficult to develop and maintain your program, consider using an LMS and some of the tools now available for conducting automated simulations. Alternatively, you may wish to consider partnering with a third-party training provider.