Three Core Elements of Your Cyber Security Awareness Program


Security awareness training is essential for organizations of all sizes. Human error remains the root cause of most major security incidents. Therefore, companies need to invest in cyber security technology and in building a “human firewall” in their organization, through security awareness, education, and development.
Some e-learning vendors promote a set-it-and-forget-it approach to online security awareness programming. However, making a real difference for your employees and company culture is easier said than done. A one-size-fits-all approach simply won’t do.
In thinking through your security awareness approach, consider these three core elements of a well-rounded program:
1. Tiered Training
Every organization will have corporate hierarchies and unique roles. Each role should have different cyber security training requirements. For instance, leaders and executives have access to proprietary information, intellectual property secrets, and sensitive systems such as financial, accounting, banking, and HR systems. On the other hand, front-line employees confront the daily onslaught of social engineering attacks, such as those targeting customer service centers, or criminal and fraudulent activity in retail store environments. Suffice it to say, the needs of executives vs. front-line employees are vastly different.
Therefore, organizations should invest in tiered training and awareness programs that are tailored to specific employee roles. Certain staff, such as non-customer-facing office roles, may only require basic security awareness training. Executives and leaders require a lot more, because they often handle sensitive employee, patient, customer, or financial information. Certain leaders will also be privy to trade secrets and intellectual property. Leaders in these roles require general security awareness programming plus additional specialized training for handling highly sensitive information and using specialized software tools and IT systems. Lastly, IT staff require all of the above, plus additional ongoing skills development, software training, and best practices education. Cyber security is a rapidly changing field and IT personnel need to stay abreast of the changing threat landscape and constantly evolving security tools for practitioners.
2. Incorporate Principles of Adult Learning
Training and developing the workforce is both an art and a science. Sadly, it is often done poorly. Nearly everyone has been through boring and ineffective corporate training involving hours of classroom style lectures and presentations. Death by PowerPoint is no substitute for engaging and truly educational programming.
The key is to incorporate principles of adult learning. There is a large body of science around the effectiveness of various training and development approaches. By definition, training in the workplace is primarily consumed by adults. Adult learners are practical and will want to know “what’s in it for me?” in the context of a training. It is vital to share the benefits of training to the learner, even if it is seemingly obvious. Keeping one’s job, staying compliant, making more money, and/or getting promoted are all tangible benefits to the adult learner in the workplace. Surfacing and discussing these practical benefits will drive higher levels of student engagement.
Adults don’t just have different motivations. They are receptive to different learning styles and approaches. Generally, adults will appreciate programming that incorporates role plays, simulations, hands-on exercises, and “teach backs.” In today’s technically driven economy, a lot of training involves best practices and specialized software tools and equipment. Training for these applications must include practical, hands-on exercises, usually in simulated or sandboxed environments. Security awareness programming should incorporate principles of adult learning to drive higher levels of engagement and retention and, ultimately, the creation of a security awareness culture inside the organization.
3. Include Micro-Learning Approaches
One of the greatest challenges in cyber security awareness is raising the cultural bar across the organization at all levels. Naturally, the larger the organization, the greater the challenge. For too long, the approach for most security awareness programs has been the dreaded annual security training. In such situations, there is often an arbitrary deadline for the consumption of a few hours of poorly crafted online training content, which is mandatory for 100% of the organization. Running the gauntlet does little for building a security awareness culture inside an organization.
For broad-based security awareness programming, there is a better way and it involves micro-learning. Micro-learning ditches the artificial annual approach and instead breaks training down into small, bite-sized chunks spread randomly throughout the year. Studies have shown that while the retention rates of annual training are abysmal, micro-learning engagement and compliance are vastly higher. Knowledge retention and behavioral changes are greatly improved with this approach. Micro-learning should incorporate multimedia, quizzes, and gamification and should take no more than three minutes to complete per session. Fortunately, many of the “training as a service” companies are embracing the micro-learning approach, whether the content is for security awareness, health & safety, or sexual harassment prevention.
New and existing clients can learn more about Protek’s approach to security awareness programming in our managed service offerings by setting up a consultation time with Michelle Lawson.
Eric is the owner and CEO of Protek Support and is a CISSP (Certified Information Systems Security Professional). He graduated from Utah State University with a Bachelor of Science degree in Business with an emphasis in Information Technology (IT). He is an IT Services expert in a variety of technology-related fields. Some of these fields include document management software/hardware, enterprise-level networking and VoIP phone systems, as well as large-scale software implementation projects and the setup of small business networks.