
Four tips for implementing effective cyber security awareness training

Employees can be your strongest line of defence, but only if you take the time to build the right culture


Security threats are constantly evolving and multiplying to target valuable resources. A small business is successfully hacked every 19 seconds in the UK and a recent report estimates that the average cost of a data breach in 2020 is $3.86 billion, or about £2.96 billion.

Securing your business is difficult enough in normal circumstances, but with about half of employed adults currently working from home and accessing company resources through personal devices and networks, the risks are only increasing. 

As a CISO or someone responsible for cyber security spending, you may be tempted to seek out the latest security technologies tailored to each new type of attack. However, this avenue is costly and runs the risk of over-complicating and slowing down your processes. It’s also not the most effective approach.

It’s often reported that employees are the biggest security risk for most businesses. When employees aren’t aware of security hygiene best practices, they’re likely to do things like create weak passwords, reuse or share those passwords, or click on phishing emails. According to Verizon’s Data Breach Investigations Report, phishing and stolen credentials are the top two methods behind a data breach.

However, it's possible that, given the right awareness training, your employees can in fact become one of your strongest lines of defence. Here are four tips for implementing security awareness and training programmes that can get you real results.

1. Train your teams for their specific security risks 

Take into account the specific risks your business faces. Phishing is the most common attack and will probably apply to every department of every business, but how exposed specific employees will be will depend on the nature of their role.

One popular technique is to conduct internal phishing tests – not to catch your employees out, but to see which departments are clicking on them and what types of messages are getting through.
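The value of an internal phishing test lies in what you do with the results: which departments click, which message types get through, and, just as importantly, who reports the message. The following is an added example, not code from the article or from any phishing-simulation vendor; it assumes a hypothetical CSV export with the columns `department`, `template` and `action` (one of `clicked`, `reported`, `ignored`) and summarises click and report rates per department and per lure template so the training can be targeted where it is needed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export from a hypothetical simulation platform.
# One row per simulated message; "action" is the recipient's final outcome.
SAMPLE_CSV = """department,template,action
Finance,invoice_overdue,clicked
Finance,invoice_overdue,reported
Finance,password_reset,reported
Finance,invoice_overdue,clicked
HR,cv_attachment,clicked
HR,cv_attachment,ignored
HR,password_reset,reported
IT,password_reset,reported
IT,invoice_overdue,ignored
IT,cv_attachment,reported
"""

VALID_ACTIONS = {"clicked", "reported", "ignored"}


def _new_bucket():
    return {"sent": 0, "clicked": 0, "reported": 0}


def _with_rates(counts):
    """Attach click and report rates (rounded) to a raw count bucket."""
    sent = counts["sent"]
    return {
        **counts,
        "click_rate": round(counts["clicked"] / sent, 3) if sent else 0.0,
        "report_rate": round(counts["reported"] / sent, 3) if sent else 0.0,
    }


def summarise(csv_text):
    """Aggregate simulation rows by department and by lure template.

    Returns {"departments": {...}, "templates": {...}}, each value carrying
    sent/clicked/reported counts plus click_rate and report_rate.
    Rows with an unknown action are skipped rather than silently counted.
    """
    by_dept = defaultdict(_new_bucket)
    by_template = defaultdict(_new_bucket)
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row["action"].strip().lower()
        if action not in VALID_ACTIONS:
            continue  # malformed or unexpected row: ignore, do not skew rates
        for bucket in (by_dept[row["department"]], by_template[row["template"]]):
            bucket["sent"] += 1
            if action in ("clicked", "reported"):
                bucket[action] += 1
    return {
        "departments": {k: _with_rates(v) for k, v in by_dept.items()},
        "templates": {k: _with_rates(v) for k, v in by_template.items()},
    }


def riskiest_templates(summary, top_n=3):
    """Lure templates ordered by click rate: the message types getting through."""
    items = summary["templates"].items()
    return [name for name, s in sorted(items, key=lambda kv: -kv[1]["click_rate"])][:top_n]


def departments_needing_training(summary, max_click=0.2, min_report=0.5):
    """Departments that click too often or report too rarely, the two signals
    the article says an internal test should surface."""
    return sorted(
        name for name, s in summary["departments"].items()
        if s["click_rate"] > max_click or s["report_rate"] < min_report
    )


if __name__ == "__main__":
    result = summarise(SAMPLE_CSV)
    for dept, stats in sorted(result["departments"].items()):
        print(f"{dept:8} click={stats['click_rate']:.0%} report={stats['report_rate']:.0%}")
    print("Templates getting through:", riskiest_templates(result))
    print("Focus training on:", departments_needing_training(result))
```

Tracking the report rate alongside the click rate matters: a department that clicks rarely but also never reports gives the security team no early warning, and that gap is exactly what the tailored training should close.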

Beyond phishing, programmes need to be tailored to the other specific threats of each business and department. A marketing assistant and a financial analyst won’t need to be aware of the same threats as an IT consultant. By defining what threats your specific departments are facing, you can eliminate the risk of overloading or boring your staff with training that isn’t relevant to them.

2. Use simulations to make awareness training engaging

Not only are in-person workshop-style programmes unviable in the current climate, but they are often dry and don’t encourage employees to remember or engage with the content. There are other methods you can use, such as LinkedIn Learning-style videos with quiz questions, but what you really need is an engaging programme that sticks in your employees’ minds and gets them excited about security.


Trial and error has proved that simulation is the best way to teach security awareness. Have your employees undergo simulated attacks tailored to their job and the newest types of threats. For example, some companies run simulations that test the flexibility of their HR teams, seeing if they’re able to cope with a flurry of internal and external complaints about loss of data and downtime. However, these simulations will notably differ from those run with IT teams, which would normally test their ability to get systems back online after an outage.

Whether they successfully prevent the attack or not, have them share their experiences afterwards. This will highlight gaps in the company and help inform awareness programmes going forward. 

IBM recently toured the UK in order to provide businesses with a better idea of what's effective and introduce them to the latest cyber security simulations.

3. Create cohesive communication and planning

Once you’ve developed an engaging new programme, you need to ensure that it’s deployed in every department and updated often. Create a formal plan with your IT team for updating the training, as well as a plan for communicating new information to the entire business. The best programme in the world won’t have the desired effect if it isn’t applied everywhere and addressing the latest threats.

4. Involve your staff in their own security training

Don’t make security only something that you teach your employees. Let them also teach each other.

Appoint someone in each department to be the cyber security culture advocate. These experts know their team better than anyone, and can keep them motivated in the business’ security efforts and help to reinforce any training they receive.

Reward the employees that fend off attacks, encourage people to share success stories, and work with those that fall prey to attacks, rather than shaming them.

With these four tips, you can shift the focus of your entire security effort from security technologies to people. Security becomes personal: as your employees’ investment in cyber security grows, so does their investment in the company itself.

Now, just make sure to instil security values and training in the onboarding processes of future employees, and you’re well on your way to a solid security culture with people empowered to help protect your company’s valuable assets.
