By: Cybrary Staff
October 20, 2021
Cybersecurity Awareness - Cybersecurity Training For Employees
Cybersecurity Awareness Month: Building a comprehensive security training program
With cybersecurity skills in short supply, investing in employees with comprehensive training and certification preparation has never been more crucial.
Summary: With October being Cybersecurity Awareness Month, now is the perfect time for organizations to consider investing in their employees to improve their in-house cybersecurity capabilities. This guide looks at what it takes to build a comprehensive cybersecurity training and skills development program.
According to Verizon’s 2020 Data Breach Investigations Report, two-thirds of data breaches targeted people rather than technological vulnerabilities. These included social engineering attacks, human error, and the theft of weak login credentials.
Such findings highlight the fact that any robust information security program should start with people. Employees are on the front lines concerning cybersecurity, regardless of their roles in the organization. Often, all it takes for an attacker to gain access to a business network is a simple mistake born of poor cybersecurity hygiene.
The need for security awareness training
Building an effective and comprehensive security training and awareness program can be a daunting task. Cybersecurity leaders are still widely viewed as living in a bubble, with little understanding of business needs and goals. Furthermore, it is often difficult to quantify and qualify an individual employee’s ability to do their part to protect themselves, their colleagues and customers, and the organizations they work for. Many employees still view cybersecurity as a technical challenge and the sole domain of the IT department. Without an organization-wide training and awareness program, it is hard to blame them, either.
Many mistakes that lead to severe data breaches are also woefully simple. Sometimes, it may be something as simple as a weak password, leaving a device unlocked for a short period, or falling for a targeted phishing email. Most businesses already have an established program for raising awareness of these common issues, but they are not always as effective as they need to be.
Building information security advocacy
Any effective security awareness training program requires strong leadership. In the enterprise environment, this role typically falls to the Chief Information Security Officer (CISO). Perhaps the most challenging aspect of this role is capturing C-level support, which requires alignment between business needs and cybersecurity demands. With the traditional approach to organization-wide security awareness, conflict is almost a certainty. Security leaders must position themselves as champions of innovation rather than leaders of the so-called Department of ‘No’ to get around this.
It is easy for many C-level employees to fall into the trap of thinking that technology alone will solve the problem. The reality is that security awareness is all about corporate culture, and it starts and ends with organization-wide accountability. For CISOs, this means assessing the behavior of employees, regardless of their ranks and roles, and communicating in terms that they can understand.
Where business leadership is concerned, this means aligning security awareness training with desired business outcomes, such as reduced reputational risk, increased profitability, and the opportunity to innovate without fear.
With other employees, it is essential for security leaders to focus less on the needs of the business and more on the personal and professional benefits to employees themselves. After all, delivering a comprehensive training and awareness program is highly advantageous to employees’ professional development and digital security in their personal lives.
In the end, it is essential to communicate the fact that everyone is a potential target, whether at home or work – regardless of the organization.
The importance of engaging training content
Unfortunately, most security awareness and training programs are ineffective because they are unengaging, repetitive, and often downright dull. For example, traditional seminars typically take the one-to-many approach, whereas awareness training needs to be team-driven. As a result, employees often view such training programs as a burden, especially when expected to attend them outside of their usual working hours. Simply providing books and other reading materials is also largely ineffective since there is no practical element to help familiarize people with real-world use cases.
That said, it is no secret that people learn differently. This is also why cookie-cutter training content will not do the job. Content, including learning and career paths, must be tailored to the unique needs and preferences of the individual. Employees in different roles also require varying degrees of training in certain areas. For example, those in non-technical roles do not need to know all the ins and outs of identity and access management (IAM), but those in administrative positions most certainly do – even if these roles are not primarily technical. On the other hand, there are some areas in which all employees should have at least a baseline level of knowledge, such as phishing.
It is vital for security leaders to first diagnose the existing skills gaps in their organizations, just as they should routinely audit their technical infrastructure for potential vulnerabilities. With targeted assessments and advanced analytics, leaders can view their current security postures and personalize employee skills development accordingly.
When seeking out engaging training content, business leaders should take care in choosing the right provider. For example, a full-fledged workforce development program that makes extensive use of hands-on training in simulated real-world environments is vastly more valuable than traditional workshops and seminars. Online training is also ideal for providing the flexibility to allow employees to learn either on the clock or at their own pace. Other proven measures include gamification and real-time analytics that motivate trainees by showing them their current progress and keeping them aware of their goals.
In other words, training does not have to be boring – it can instead be enjoyable and engaging. It should be something people look forward to – not dread. It is far easier for security leaders to champion such programs and build a security-aware workforce where employees go from being the weakest link to becoming a human firewall against the myriad threats out there.
Cybrary for Teams is an all-in-one workforce development platform that helps organizations develop stronger cybersecurity skills, prepare for new certifications, and track team progress.