When it comes to company security, “human error” is a frequently identified factor. However, many organizations have found that their people can in fact be deployed as their best defense against attack. It all comes down to the quality of security education and training these people receive. Proof can be found in the numbers:
- Security-related risks are reduced by 70 per cent when businesses invest in cybersecurity training and awareness (Source)
- Even a modest investment in cyber security awareness and training has a 72 per cent chance of significantly reducing the business impact of a cyber attack (Source)
Yet security education and awareness training is more than a question of if; what a company offers its people is just as critical. High engagement is key. After all, what’s the good of putting employees through round after round of security training when they’re not engaged, when the mere thought of having to attend a session makes them drowsy or desperate to find the nearest exit?
Among the elements missing from or wrong with most security training:
- It’s not engaging – boring, out of context, or too long
- It’s not interactive – doesn’t give learners the opportunity to interact with the material and put into practice what they’ve learned
- It doesn’t offer a chance to measure success – it doesn’t give attendees the chance to measure their learning
- It’s all scare tactics – it doesn’t empower employees to do better, but tries to frighten them into changing their behaviour
“We’re always hearing about how people are the key piece of company security,” said Michael Ball, Virtual CISO / Information Security Adviser at TeamCISO. “However, the big challenge for companies is to offer the kind of training that leads to better outcomes for and more intelligent decisions made by employees.”
“Pushing dry, low-quality training sessions on employees will accomplish very little, and can actually have the effect of annoying and/or confusing people. Businesses need to focus on providing security awareness training that’s personal and graspable. There really is no other way to get things to ‘stick.’”
Looking for a starting point? On March 24th, ITWC CIO and Chief Digital Officer Jim Love will be joined by CIRA Business Development Product Manager Mark Gaudet for an hour-long chat about the latest developments in cyber security awareness training. In this free webinar session, Love and Gaudet will also be looking at how companies can engage and transform their people into cyber security evangelists. The session will include a quick look at CIRA’s Cybersecurity Awareness Training platform.