There’s little point in training employees about cybersecurity if the organization doesn’t have a security policy: You can’t go to these websites with a company mobile device, passwords have to be X words long ….
However, an expert warns cybersecurity training shouldn’t be based on corporate policies.
“People hate that,” said Ian Mulholland, a research analyst in the security, risk and compliance practice of London, Ont.-based Info-Tech Research. “That’s why they don’t like reading policies.”
He added leaders “need to take an approach from the person’s standpoint. You want to take all of the topics you want to train on and think not ‘How do I train you to be more secure at work,’ but ‘How do I train you to be more secure in life.’ Because they’re going to take those skills home.
“You can talk about how phishing emails are not just something you experience at work: ‘Spam is something we see everywhere. If you do something wrong it can [also] hurt you at home.’”
Don’t scare employees, he emphasized. “You want them to understand this is not just about protecting you at work. This is about protecting you at home. If you take that approach people are more willing to listen. And then people are more willing to talk about security with their families when they go home at night. Then you breed a culture that said, ‘This company’s not just doing it to save their own butt, this is a company that wants to help make the world more secure, and it’s a bonus that it helps reduce risk to the organization.’”
Although it might not be expected, a large number of Canadian and American organizations — including enterprise-sized firms — hire cybersecurity awareness firms to train staff rather than create their own programs, Mulholland said.
These firms include KnowBe4, Mimecast, Ninjio, MediaPRO, Wombat Technologies, Infosec Inc. and Terranova Security of Laval, Que. Some providers can customize their training (for example, change idioms in the material), while others don’t.
“I’m pushing almost everybody to hire a vendor mainly because they’re cheaper than most security products out there, and the amount of effort to build this kind of content yourself is so much larger than the annual cost of buying training from vendors. They’re basically taking all the work out of your hands. All you have to do is figure out when the training goes out.”
However, he added, training courses aren’t all alike. Organizations have to choose a supplier whose content fits the firm’s culture. For example, some providers emphasize online training, while others offer videos. Content can be serious or humorous.
One provider creates videos with several regular characters, Mulholland noted, and its trainers will come to offices dressed as those characters. Another firm offers videos made by sophisticated Hollywood animators, which are fun and fast-paced.
Generally, Mulholland said, younger staff appreciate content that’s more fun, while older staff like more serious content.
“Nothing will ever beat an in-person session done right … that’s kept short and impactful,” he added. But companies are increasingly finding it’s less expensive to hire a training company than to create their own content.
Training companies usually charge a per-user, per-year rate, with fees dropping considerably for larger headcounts and multi-year contracts. Consider, Mulholland said, that a firm with fewer than 100 employees could find a provider charging $1,000 a year, while a firm with 1,000 employees might pay around $10,000 a year. By comparison, he added, an identity and access management solution could cost $1 million.
Still, some firms may decide they can’t afford to pay for awareness training. Mulholland advises those firms to think about what he said above: the approach should be to make the training relate to what employees do outside of work. In addition, they need to decide how training will be delivered (in person, home-made videos, a weekly or monthly newsletter), what topics they will train on, and who will compile the material.
To help create content, Mulholland notes there are many free resources on the Internet, including material on the websites of security vendors. Cofense, for example, has 21 modules that can be downloaded. The SANS Institute offers its Ouch! newsletter (the content can’t be changed, but you can distribute it or design around it), and there’s a site called The Security Awareness Company, which has a range of posters, videos and documents.
Whatever way you go, Mulholland concludes, security awareness training efforts must have an executive sponsor. “People are more willing to listen if it’s not coming from IT.”