In-depth

Four tips for implementing effective cyber security awareness training

Employees can be your strongest line of defence, but only if you take the time to build the right culture

Drawing of a cloud with a padlock in the middle on a green background

Security threats are constantly evolving and multiplying to target valuable resources. A small business is successfully hacked every 19 seconds in the UK and a recent report estimates that the average cost of a data breach in 2020 is $3.86 billion, or about £2.96 billion.

Securing your business is difficult enough in normal circumstances, but with about half of employed adults currently working from home and accessing company resources through personal devices and networks, the risks are only increasing. 

As a CISO or someone responsible for cyber security spending, you may be tempted to seek out the latest security technologies tailored to each new type of attack. However, this avenue is costly and runs the risk of over-complicating and slowing down your processes. It’s also not the most effective approach.

It’s often reported that employees are the biggest security risk for most businesses. When employees aren’t aware of security hygiene best practices, they’re likely to do things like create weak passwords, reuse or share those passwords, or click on phishing emails. According to Verizon’s Data Breach Investigation Report, phishing and stolen credentials are the top two methods behind a data breach. 

However, it's possible that, given the right awareness training, your employees can in fact become one of your strongest lines of defence. Here are four tips for implementing security awareness and training programmes that can get you real results.

1. Train your teams for their specific security risks 

Take into account the specific risks your business faces. Phishing is the most common attack and will probably apply to every department of every business, but how exposed specific employees will be will depend on the nature of their role.

One popular technique is to conduct internal phishing tests – not to catch your employees out, but to see which departments are clicking on them and what types of messages are getting through.

Beyond phishing, programmes need to be tailored to the other specific threats of each business and department. A marketing assistant and a financial analyst won’t need to be aware of the same threats as an IT consultant. By defining what threats your specific departments are facing, you can eliminate the risk of overloading or boring your staff with training that isn’t relevant to them.

2. Use simulations to make awareness training engaging

Not only are in-person workshop-style programmes unviable in the current climate, but they are often dry and don’t encourage employees to remember or engage with the content. There are other methods you can use, such as LinkedIn-Learning style videos with quiz questions, but what you really need is an engaging programme that sticks in your employees’ minds and gets them excited about security.

Related Resource

Employees behaving badly

Why awareness training matters

Download now

Trial and error has proved that simulation is the best way to teach security awareness. Have your employees undergo simulated attacks tailored to their job and the newest types of threats. For example, some companies run simulations that test the flexibility of their HR teams, seeing if they’re able to cope with a flurry of internal and external complaints about loss of data and downtime. However, these simulations will notably differ from those run with IT teams, which would normally test their ability to get systems back online after an outage

Whether they successfully prevent the attack or not, have them share their experiences afterwards. This will highlight gaps in the company and help inform awareness programmes going forward. 

IBM recently toured the UK in order to provide businesses with a better idea of what's effective and introduce them to the latest cyber security simulations.

3. Create cohesive communication and planning

Once you’ve developed an engaging new programme, you need to ensure that it’s deployed in every department and updated often. Create a formal plan with your IT team for updating the training, as well as a plan for communicating new information to the entire business. The best programme in the world won’t have the desired effect if it isn’t applied everywhere and addressing the latest threats.

4. Involve your staff in their own security training

Don’t make security only something that you teach your employees. Let them also teach each other.

Appoint someone in each department to be the cyber security culture advocate. These experts know their team better than anyone, and can keep them motivated in the business’ security efforts and help to reinforce any training they receive.

Reward the employees that fend off attacks, encourage people to share success stories, and work with those that fall prey to attacks, rather than shaming them.

With these four tips, you can shift the focus of your entire security effort from security technologies to people. Security becomes personal, with your employees’ increasing investment in cyber security only increasing their investment in the company itself.

Now, just make sure to instil security values and training in the onboarding processes of future employees, and you’re well on your way to a solid security culture with people empowered to help protect your company’s valuable assets.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Microsoft spearheads industry-wide charter against AI cyber attacks
Security

Microsoft spearheads industry-wide charter against AI cyber attacks

23 Oct 2020
Weekly threat roundup: Chrome, Citrix and WordPress
Security

Weekly threat roundup: Chrome, Citrix and WordPress

23 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
CMS platforms succumb to KashmirBlack botnet as businesses rush online
Security

CMS platforms succumb to KashmirBlack botnet as businesses rush online

22 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
How to wipe a laptop easily and securely
Security

How to wipe a laptop easily and securely

5 Oct 2020