Effective cybersecurity involves a combination of robust automated processes and alert, well-trained employees. This means that you have to deliver cybersecurity training which equips employees to do their job safely, but doesn’t overload them. With that in mind, here are eight dos and don’ts for creating a cybersecurity training program.
Do Have Your Automated Cybersecurity Systems in Place First
You want automated systems to carry the bulk of the security load. Your employees should just be your “rear guard”. Their task is to undertake last-stage checks and fill in gaps where automated security solutions are still weak, for example, during live phone conversations.
Remember that modern cybersecurity has to protect remote and mobile users (and their devices) as well as people working from designated business premises. As a minimum, have all remote and mobile employees connect to your network over a VPN.
Don’t Rely on Default Solutions and/or Free Software
When it comes to application security, there is no silver bullet; a multi-layer approach is always required in order to ensure that the software you create is secure.
With the industry constantly creating newer and more inventive tools, including tools that combine multiple aspects of security testing, software developers are well placed to keep producing rugged, safe, and high-quality software.
Many good security tools are also now available on the software-as-a-service (SaaS) model. The headline benefit is that companies can swap expensive up-front licensing fees for affordable monthly payments; another is that they can scale their licensing up and down in line with their business needs.
Do Tailor Your Cybersecurity Training to Different Job Functions
The key to any sort of successful training is to keep it relevant. Some elements of cybersecurity training may need to be delivered to everyone. In many cases, however, there will be variations in what people really need to know. Sometimes these variations can be huge.
For example, front-line workers may need training on how to handle social-engineering attempts made over the phone or in person. Back-office workers, by contrast, may not have much, if any, contact with external parties, but may need training on how to identify phishing emails.
Don’t Encourage Staff to Try to Solve Problems Themselves
Cybersecurity is the exception to the old business saying that it’s better to hand someone a solution than a problem. Even with cybersecurity training, employees who try to fix problems themselves are likely only to make matters worse.
The core premise of your cybersecurity training should be that employees should do what they can to identify security problems and alert the IT team. Make it clear that nobody is going to get into trouble for this, not even if they made a mistake. Ideally, give them some idea of what will happen next.
For example, if you’re talking about how the IT team might deal with a suspected virus download, let them see a remote desktop in action. If you’re talking about ransomware attacks, then explain how you use encryption and backups to protect against them.
Further reading: On Training Employees: Is it Worth the Risk?
Do Keep Your Cybersecurity Training Focused on Real-World Issues
Educating your employees to trust your IT team reduces the temptation for them to try to fix problems themselves. At the same time, build a comprehensive understanding within your staff of how the web works so that they are better equipped to recognise complex problems, and establish problem-solving practices and logic that help them grasp advanced programming concepts.
Remember that these issues may change over time, often in line with changing working practices. For example, over recent years, cyberattackers have been moving away from old-school “spray and pray” tactics and towards more sophisticated attacks based on social engineering.
Putting this together with the present need for remote working and the challenges of implementing it safely, it’s easy to see how companies are being left vulnerable to ransomware attacks.
Further reading: Takeaways From 2019 Ransomware Attacks on MSPs
Do Deliver Cybersecurity Training in the Format That Best Suits Your Trainees
There are lots of different training approaches you can use. Ultimately, however, they all boil down to a choice between live training (even if it’s delivered remotely) or self-guided training. Neither of them is objectively right or wrong for any situation, let alone all situations. It’s all about what’s best for the trainees.
Don’t Make Your Cybersecurity Training All About Threats and Fear
It’s easy to paint security as being all about anticipating and preventing threats in order to avoid a company being damaged. This is true, but fear-based training can be a miserable experience for the participants and this is not good for anyone.
Instead, make a point of educating your staff on how learning about cybersecurity can benefit them. For example, you can explain to them how implementing effective cybersecurity measures can help companies to earn consumer trust and give companies an edge over their competitors.
Always highlight the ways the cybersecurity training can help your staff keep themselves safe in their private lives as well. For example, you could point out how a good VPN helps them secure their Internet connection, protect their privacy, and conceal their identity, keeping them safe from hackers or anyone else trying to keep tabs on their online activity.
After all, our society is now more digitally connected than ever before, and more time than ever is being spent online. Individuals and businesses alike should be interested in finding a good VPN for their routers, as routers are the gatekeepers to our digital privacy today.
Further reading: Guide to End-User Training for MSPs
Do Keep Refreshing Your Training
People may return from a cybersecurity training session full of new knowledge and great intentions but, over time, that knowledge will fade unless it’s refreshed. This means that you absolutely must keep running refresher training sessions. What’s more, you need to keep them varied enough to keep people engaged and challenged.
For example, if you keep repeating the same information in the company newsletter or sending out the same “phishing email”, then staff are soon going to get bored of it and/or wise to it and your effort will be wasted. A good way to get around this is to look for interesting topics in cybersecurity news and build your refresher training around that.
Don’t Make a Big Deal of People Struggling with Their Cybersecurity Training
By all means, reward people who do well in their cybersecurity training. Do not, however, make a big deal out of people struggling with it. Give them all the support they need until they grasp it. Then make sure that they continue to receive ongoing support for as long as they need it. This may be indefinitely.