More than ever, chief security officers are being held accountable for keeping their business safe. Phishing attacks, data breaches, ransomware and the ever-increasing access by employees to technology and data are driving this accountability. But there’s only so much that technology solutions can do to protect against threats.
What else should organizations do? It turns out that most breaches are the result of an employee mistake, so looking to their staff as their first line of protection is a critical success factor today.
Security awareness training is now recognized as one of the critical components of a robust security architecture. But are employees getting the security awareness training they need and deserve? Unfortunately not. Too many organizations still choose to provide no security awareness training at all, or simply provide annual PowerPoint-based training program, or training that is dry and difficult to understand.
Employees often think they’re prepared or think “that’ll never happen to me”—until it does. Then the employee often is too ashamed to go to their boss or IT department after an incident occurs.
Traditional training doesn’t work
The information and best practices the employee received from training were never understood, didn’t seem relevant, or just didn’t come back to them.
What happened? Cyber attacks aren’t changing every five years—it’s more like every five months—and organizations can’t afford to fall behind on security training..
Employees must be armed with the knowledge and skills to protect themselves and their organizations. Traditional, outdated training does little to prepare workers for the deluge of cyber attacks they face, or the risks they create for themselves. There are ways to make a change in the workplace.
Instead of training employees as a passive observer, make training interactive and teach actionable, real world skills.
Recognize that hacks happen
Instead of instilling a mind-set that an incident must never happen, give employees the confidence to speak up, even if they make a mistake.
Instead of focusing solely on security, focus on learning, too. Make training brief, fun and sticky so that it is always top-of-mind when needed.
Instead of focusing on a single type of risk, prepare employees for the range of security threats they’ll face, whether from an external cyber attack or from their own use of technology or access to data.
Hacks can happen even if the staff practices security procedures. Look at the victims of the Twitter Counter breach. No actual Twitter accounts were hacked, but a third-party application was, and the hackers left unnerving tweets on organizations’ accounts. Employees should be prepared for events like this. Practicing real-world scenarios can help prepare for the worst-case events. Training needs to keep up with the technology employees are using and the risks they face.
It’s time to stop using outdated training techniques and for organizations to invest in its employees and assets by providing security training that will make a difference and change the behavior of its staff. They can’t afford not to.