When it comes to training employees about cyber security, it’s not enough to simply tell them to be vigilant; training programs need to engage participants and incorporate both an assessment of employees’ knowledge of best practices and audits of current practice.
After all, just one misstep can have serious negative repercussions for your organization. Here are four tips to improve the effectiveness of your company’s information security programs and cyber security training:
- Instead of just telling employees information, use in-person or web meetings to show them how cyber criminals might try to break through the first line of defense (the employees) to get information. Train staff on how to recognize and handle email communications that could be “phishing” attempts or that might contain malware by actually showing them what attempts might look like.
- Consider creating your own “false phishing” communication designed to look like it is from your IT or HR departments as part of your audit testing, to see how many employees will click on the link and unwittingly provide information. You can incorporate the results of this into your training, without specifically identifying employees who fell for the false phishing email.
- Help make cyber security “real” and useful for employees by training them on how they can be safe with their home/personal computer use. An employee who is vigilant at home is likely to carry those behaviors over into the office too.
- Make sure your information privacy and cyber security programs include elements like:
  - Requiring “strong” passwords;
  - Implementing safe internet browsing rules;
  - Teaching employees how to resist social engineering attacks;
  - Sharing examples of security breaches and “near misses” in your organization.
Employees are on the front lines of the cyber security war, so empower them to be watchful and mindful of potential threats.
However you structure your cyber security training, don’t take a “once and done” approach; cyber security should be a component of ongoing communications and training sessions. New threats can emerge at any time, so by having a flexible training program, you will be in a position to incorporate new information and recommendations and share them with everyone.
Published by Matt Plass and Dan Brown