Four tips for implementing effective cyber security awareness training

Employees can be your strongest line of defence, but only if you take the time to build the right culture

Security threats are constantly evolving and multiplying to target valuable resources. A small business is successfully hacked every 19 seconds in the UK and a recent report estimates that the average cost of a data breach in 2020 is $3.86 billion, or about £2.96 billion.

Securing your business is difficult enough in normal circumstances, but with about half of employed adults currently working from home and accessing company resources through personal devices and networks, the risks are only increasing. 

As a CISO or someone responsible for cyber security spending, you may be tempted to seek out the latest security technologies tailored to each new type of attack. However, this avenue is costly and runs the risk of over-complicating and slowing down your processes. It’s also not the most effective approach.

It’s often reported that employees are the biggest security risk for most businesses. When employees aren’t aware of security hygiene best practices, they’re likely to do things like create weak passwords, reuse or share those passwords, or click on phishing emails. According to Verizon’s Data Breach Investigation Report, phishing and stolen credentials are the top two methods behind a data breach. 

However, it's possible that, given the right awareness training, your employees can in fact become one of your strongest lines of defence. Here are four tips for implementing security awareness and training programmes that can get you real results.

1. Train your teams for their specific security risks 

Take into account the specific risks your business faces. Phishing is the most common attack and will probably apply to every department of every business, but how exposed individual employees are depends on the nature of their role.

One popular technique is to conduct internal phishing tests – not to catch your employees out, but to see which departments are clicking on them and what types of messages are getting through.

Beyond phishing, programmes need to be tailored to the other specific threats of each business and department. A marketing assistant and a financial analyst won’t need to be aware of the same threats as an IT consultant. By defining what threats your specific departments are facing, you can eliminate the risk of overloading or boring your staff with training that isn’t relevant to them.

2. Use simulations to make awareness training engaging

Not only are in-person workshop-style programmes unviable in the current climate, but they are often dry and don’t encourage employees to remember or engage with the content. There are other methods you can use, such as LinkedIn-Learning style videos with quiz questions, but what you really need is an engaging programme that sticks in your employees’ minds and gets them excited about security.

Trial and error has proved that simulation is the best way to teach security awareness. Have your employees undergo simulated attacks tailored to their job and the newest types of threats. For example, some companies run simulations that test the flexibility of their HR teams, seeing if they’re able to cope with a flurry of internal and external complaints about loss of data and downtime. However, these simulations will notably differ from those run with IT teams, which would normally test their ability to get systems back online after an outage.

Whether they successfully prevent the attack or not, have them share their experiences afterwards. This will highlight gaps in the company and help inform awareness programmes going forward. 

IBM recently toured the UK in order to provide businesses with a better idea of what's effective and introduce them to the latest cyber security simulations.

3. Create cohesive communication and planning

Once you’ve developed an engaging new programme, you need to ensure that it’s deployed in every department and updated often. Create a formal plan with your IT team for updating the training, as well as a plan for communicating new information to the entire business. The best programme in the world won’t have the desired effect if it isn’t applied everywhere and addressing the latest threats.

4. Involve your staff in their own security training

Don’t make security only something that you teach your employees. Let them also teach each other.

Appoint someone in each department to be the cyber security culture advocate. These experts know their team better than anyone, and can keep them motivated in the business’ security efforts and help to reinforce any training they receive.

Reward the employees that fend off attacks, encourage people to share success stories, and work with those that fall prey to attacks, rather than shaming them.

With these four tips, you can shift the focus of your entire security effort from security technologies to people. Security becomes personal, as your employees’ growing investment in cyber security also deepens their investment in the company itself.

Now, just make sure to instil security values and training in the onboarding processes of future employees, and you’re well on your way to a solid security culture with people empowered to help protect your company’s valuable assets.
