Cyber security awareness training for employees: The ultimate guide [+ eBook]

National Cybersecurity Awareness Month has just ended, but the continuous work to raise awareness isn’t a one-off or contained to a set period. It’s an organic continuous process. This year’s theme applies to you: 

Do Your Part. #BeCyberSmart.

The theme highlights the individual and organization’s responsibility to protect their internet-connected devices at home and work, personal accountability, and the importance of proactive measures to enhance cyber security.

During an average week, we spend a lot of time taking safety measures. We put on our seatbelt every time we get in a car. We wear a helmet when we ride a bike. We check the street for cars before crossing the street. We have burglar and fire alarms in our homes. 

Then we log into our computer, and safety goes out the window.

As an organization, the responsibility of cyber security falls on the IT and/or security teams. But at its core, security is not a technical problem—it’s a people problem. Employees who don't have a security background, often don't know how to keep their data and devices safe. And they often don’t know how they can contribute to the organization’s overall cyber hygiene. Employees need to understand the threats to be able to help safeguard against them.

However, with a more proactive approach, you can educate your staff without taking them away from their day-to-day work, whether it’s at home or in the office. Proactive measures help them protect the organization, ensuring increased personal accountability. 

Demystifying cyber security is essential in raising security awareness. Making security easier to understand will make it more simple to improve. And it’s no longer acceptable to not have security policies in place—in either your professional or personal life. Personal life threats are often forgotten, but can impact the reputation of your company. It is therefore important to train your employees to follow the same good practices in their personal lives as they should at work.

When we hear the phrase insider threat, we tend to think about the Capital One’s rogue employees of the world. The insiders with an intentional motive to harm. But insider threat (or insider risk) is more than that–it is malicious, negligent, and accidental behavior ultimately leading to data theft or loss.

Based on UK’s Information Commissioner’s Office (ICO) numbers, 90% of data breaches in the UK are due to human error—employees without malicious intent with potentially damaging actions (Infosecurity Magazine). If humans are considered the most vulnerable of an organization’s security, how can you be part of changing the statistics?

Traditional methods include classroom training and online e-learning courses – typically completed when employees join the company with annual refresher courses. Simulated phishing attacks are also a popular method where companies try to trick employees, so the employees can learn from their mistakes. As well as the Information Security Policy, Acceptable Use Policy, and/or similar, which is typically signed at the beginning of a work relationship. Although these methods can help, they are still insufficient considering that human errors are accredited to 90% of data breaches (mentioned above). 

Cyber security needs to be a part of employees' everyday life, with an Acceptable Use Policy that works autonomously with them.

Consumer apps, such as Facebook, Apple, and Twitter use authentication to increase their security when you’re logging in from a new location. Users aren’t annoyed when Gmail wants to confirm that they’re in Nigeria or when Instagram asks if they’re in Thailand. It’s designed so they never see an unnecessary obstacle, making it acceptable when an alert appears for a legitimate reason.

The thought of cyber security is perceived as complex and confusing; an alien part of technology meant to instill fear in them. Because consumer cyber security has a higher focus on usability and does most of the (magic) work in the background, most people are unaware of the depth of protection they’re seamlessly provided. 

The complexity of how we talk about cyber security has made everyone, except the security experts, indifferent to securing their personal and business devices.

The enterprise cyber security industry uses scare tactics and war analogies to create fear, uncertainty, and doubt. Once you know why cyber security is important, there’s no need to talk about the sky falling. The industry victimizes people by saying, “you will be next without product X” and “turn the table on your enemies with product Y.” Being a victim of endless attacks isn’t something most people can relate to.

Few people know how to protect their digital lives themselves, both at home and at work, leaving most feeling unsafe—in the end, pushing the problems away by ignoring them.

As important as it is to get a security awareness program in place, it is crucial to get buy-in from stakeholders and upper management. A good security policy should be as important as the company’s sales targets and evangelized by the CEO and senior management team. Without it, the program will fail before it even begins. 

A risk assessment can help your organization know where to begin. With a lack of visibility into your organization’s gaps, it’s hard to set goals for what needs to improve.

• Are employees working remotely or in the office? 
• Are employees using mobile devices to work?
• Are people bringing their own devices (BYOD)? 
• Are employees allowed to install applications or are you locking down work devices? 

Other typical subjects include passwords and two-factor authentication, malware, (email) phishing or (phone) vishing or scams, clean desks, USBs or other removable media, software updates (patching), and social media safety.

Move from static policies that live in a paper document to enforceable digital policies that live with the organization’s and employees’ needs. As mentioned in the beginning, security is an organic ongoing process that needs to be tweaked based on new behaviors, requirements, and threats.

Introduce specific training based on job roles, skills, and needs, for example, anti-bribery for sales and GDPR throughout the organization. 

Incident-based training can provide you and your team with autonomous, real-time security education regardless of location, based on specific actions and behaviors putting you (and your organization) at risk of cyber crime.

The incident-based training can autonomously educate your employees and your workforce on the organization’s Information Security Policy or Acceptable Use Policy.

For example, when employees are at risk of breaking the IT security policy, you can guide them to make the right decision with your organization’s data. All of this happens in the moment—meaning you don’t have to pull them away from their day-to-day work. 

Trends and threats change, as well as employees’ behaviors. As such, so should your security. Encourage your employees to be part of the security—get them involved to feel responsible for and protect your organization.

As an extra layer of protection, introduce a ‘blue’ and ‘red’ team that tries to safeguard and attack your organization respectively, where their main responsibilities are to analyze data and generally improve security. Use the results to target additional training at those who need it.