Cyber Security Awareness Training and its Importance
Cyber security awareness training has never been more important, with cyber crime estimated to cost UK businesses £21 billion per annum. What’s more, the frequency of cyber attacks has been increasing since the COVID-19 pandemic began in March 2020. This further stresses the need for businesses to make their staff aware of the various cyber attacks that threaten their company. What is cyber security awareness training, though, and how do businesses ensure that training of this type is as effective as possible?
What is cyber security awareness training?
Cyber security awareness training is a means of educating your staff about possible cyber attacks. It should help individuals spot potential attacks or breaches, teach them what they can do to mitigate risk and give them a better understanding of how to react to a cyber security incident. Cyber security training can take multiple approaches: it can be delivered in a classroom, via software, video or demonstrations, through studying the risks, or through simulated breaches. However, the best approach is often multi-faceted and takes into consideration the specific circumstances of your organisation. A multi-faceted approach ensures that individuals with different learning styles are able to understand what is being taught. It also helps keep the content interesting for all. Keeping your staff engaged and interested in cyber security awareness is paramount so that they don’t miss any vital information, which could be the difference between keeping your company safe or not.
Meanwhile, it’s important to take into consideration the specific circumstances of your organisation, as these may dictate whether you’re more or less likely to experience a particular type of attack. For example, if your staff take laptops home with them, the risks are very different from those of desktop computers that remain in the office at all times.
How to plan cyber security awareness training?
The best place to start with cyber security training is the basics. This will usually take the form of online training that identifies the different types of threats and gives some basic information about how to spot them. Training of this sort is very generic in nature, but it’s a good starting point and sets the foundation for additional training. Without knowing what the threats are, it is impossible for your staff to spot them!
Once your staff have a basic understanding of the main threats, the next stage is to put some of that knowledge into practice. You can utilise security training that increases awareness by staging mock attacks or breach attempts. These are harmless simulations that test the knowledge and understanding of your staff in real time, as it were. For example, you can send simulated phishing emails to your staff to see whether they can identify the malicious emails. If they click on a would-be malicious link, your system is completely safe. Instead, you and the individual get a notification that allows you to provide specific training for that person in order to help increase their personal knowledge and awareness.
Once you have this type of cyber security training in place, the third and final stage is to implement training bespoke to your own business and context. This may require the assistance of an IT consultancy company. Essentially, what you’re looking to do is identify the areas where your business is at specific risk. For example, do your employees use mobile phones, or do you have a remote workforce? You will need to be aware of how these contextual factors change the cyber security risk for your business so that you can make your staff aware accordingly.
As well as additional protection, there is an added benefit of making your staff aware of the specific risks associated with your business – engagement! Generic advice can get boring quite quickly, especially for people that aren’t that interested in technology. By applying generic learning to your specific business, people can identify with the risks as they exist in reality, which makes the training more engaging and makes it more likely that your employees will take the advice on board.
In summary, you should:
- Provide your staff with cyber security awareness training.
- Test the awareness of your staff in a simulated and safe environment.
- Apply your understanding to the specific context of your business.
Building a cyber aware environment.
Cyber security awareness should become part of your company’s culture, and not just a once a year (or worse – once only!) tick-box exercise. Cultivating this security-aware culture is difficult, but not impossible. The best way we’ve found to do this is to start at the top and work down. If the people in charge take cyber security seriously, it is likely that the rest of the business will follow.
To start this process, ensure that cyber crime and cyber security are openly discussed in the workplace. They shouldn’t be taboo subjects. Make it real. It’s really important to make discussions around cyber security feel safe: you want staff to feel comfortable discussing concerns, reporting incidents and sharing issues. If they feel like they may be ridiculed for asking a question or reprimanded for making a mistake, then there’s a strong chance they’ll conceal any security issues, and this is a big problem. It’s much better to have an employee that is over-zealous and checks things than one that is complacent and doesn’t. It’s the complacent employee that is the much bigger risk to your organisation.
The challenge to make cyber security awareness training more engaging.
The IT sector has been trying to make businesses aware of the threats of cyber crime for a long time. Lots of people will have been told about secure passwords, and yet there are still plenty of people that use poor passwords, store them in an insecure fashion or use the same (often bad) password more than once. This is because people have become desensitised to the warnings, and this in itself is a challenge businesses need to overcome. Everyone ‘knows’ that passwords must be secure, that updates must take place and that suspicious emails must be consigned to the recycle bin, but evidently the actions aren’t following that supposed knowledge.
This means we must all act a little differently when it comes to cyber security awareness training. Education and training are widely considered two of the best means of combating cyber crime, especially given that end-users are one of the biggest weaknesses. However, this education is clearly, for the most part, not getting through in a tangible manner. The numbers continue to rise, and whilst there are other factors at play (the increasing reliance upon technology in the workplace, for one), it is evident that employees have a role to play.
We believe that the best way to reduce cyber crime is through education. However, improvements must be made to the way in which this education is delivered. Employees are increasingly busy and live stressful, high-pressured lives. Cyber crime, on the surface at least, doesn’t appear to affect their day-to-day, so there’s minimal incentive to focus upon it. As things stand, cyber security runs the risk of becoming somewhat similar to mandatory training exercises concerning health and safety – a tick-box exercise that, once completed annually, is quickly forgotten.
So with this in mind, and as a business in the IT industry, what do we think can be done to improve cyber security training and education on the subject? There are three key improvements that we think would make a real difference.
- Making training more creative, imaginative and enjoyable, but also relatable.
- Eradicating a blame culture towards those users that fall foul of cyber crime.
- Promoting improvements in personal behaviour that can be reflected in the workplace.
Making training more creative, imaginative and enjoyable but also relatable.
This improvement is almost a given, but it has to happen quickly. As mentioned previously, we have seen what overly formalised, unimaginative and, frankly, dull training methods have done for health and safety. Health and safety is no doubt a hugely important aspect of everyone’s working life, and yet every year plenty of accidents still occur in situations that have been covered in depth during training sessions. The reason is that health and safety training has, in some instances, become a means of meeting requirements rather than of meeting its original aim of reducing injuries at work.
Cyber security awareness cannot afford to go that way. The wrong click of a mouse button could feasibly close the doors of a business, costing jobs and livelihoods for those employed. The WannaCry cyber attack that affected the NHS resulted in 19,000 appointments being cancelled, which could have had numerous additional complications as a result. Therefore, training needs to be engaging and more than just a slide show or a presentation. If workers enjoy their cyber security awareness training and can see where it relates directly to their day-to-day, there’s a higher chance they’ll take that knowledge back into the workplace.
One example of this is a number of workshops run by the South West Regional Cyber Crime Unit, who have kindly run a workshop for us in the past. These workshops use Lego and what is essentially a roleplaying game, in which the participants (non-technical decision-makers) manage the cyber security of a water processing plant. When we spoke to those that attended this workshop some time after the event itself, they not only said they’d enjoyed their morning but had practical advice they had applied in the workplace. Some of this applied knowledge would no doubt have been existing knowledge, just repackaged in a fun and engaging way, in the shape of many different Lego blocks!
Eradicating a blame culture towards those users that fall foul of cyber crime.
When a mistake is made that could have huge ramifications for a business, a natural reaction is often anger. However, this tendency to want to punish incorrect behaviour is actually counterproductive when it comes to fighting cyber crime. Whilst we wouldn’t ever advocate against the punishment of malicious behaviour, it is important for businesses to accept the difference between a deliberate act and an honest mistake. Unfortunately, mistakes do happen.
When they do, it’s important that we don’t seek to blame these individuals, as doing so will only make them (and others around them) more reluctant to come forward in the future, should something similar happen. In the event of a mistake being made, you want to know precisely what happened as soon as possible after the event. Blame culture impedes this. If an employee is worried or even scared about the ramifications of a mistake, they could delay telling you, or leave out critical pieces of information. In the worst-case scenario, they might not tell you at all!
Instead, we should be encouraging users to be as open and honest about their behaviours as possible, and when genuine mistakes are made, we should be giving them the confidence to come forward and pass on the relevant information to those that need it. Cyber attacks are designed to fool the recipients, so let’s not forget that those that fall foul of cyber crime are victims of a malicious act and are not complicit in the act itself. By engaging positively with these individuals and teaching them about the specifics of their situation, whilst encouraging an open and transparent culture around cyber crime, you will minimise the likelihood of threats being successful in the future.
Promoting improvements in personal behaviour that can be reflected in the workplace.
By and large, cyber crime is seen predominantly as a business problem, when in fact it’s a societal one. The reason employees are still responsible for a third of all breaches is the inherent weaknesses of users. Unlike machines and software, they have emotions; they get stressed and tired, feel unwell and forget things when under pressure. In other words, there is context to the way in which users operate.
Unfortunately, as we adopt IT into our lives outside of the workplace, we’re bringing many bad habits with us into the office, and when things are difficult, we rely on those habits and not necessarily on best practices. For example, because we’ve used the same password for every high street brand when buying clothes online, we think nothing of using the same password for the new piece of accounting software the company has just purchased. After all, by using the same password, we won’t forget it, right? The problem is, the more we use technology badly outside of the office, the more comfortable we are with those bad practices when we’re back in the workplace.
This means we need to start approaching cyber crime on a personal level and encouraging better behaviour at home and in our personal lives. People might not worry if their employer loses £1,000 to a phishing scam, especially if it is a large business or has cyber security insurance. However, they’d almost certainly react differently if they lost £1,000 themselves. As employers, if we can get people to consider how their behaviour might affect their personal lives, and build good practices from there, then we can expect individuals to carry that positive behaviour and heightened awareness back into their working life.