Cybersecurity professionals might have heard the following phrase in recent years: "If cybersecurity awareness training was going to work, it would have worked already." Usually, this saying is used to disparage cybersecurity awareness training as an ineffective, pointless waste of time and money.
But what is cybersecurity training, exactly? It is formal and informal education about information technology risks. It is formal in that people are required to take specific training sessions. It is also informal because in addition to these mandatory training sessions, there is a continuous emphasis on cybersecurity at senior staff meetings, through the employee review process and via frequent reminders about the daily responsibilities that come with cybersecurity vigilance.
Effective cybersecurity awareness training
An effective cybersecurity awareness training program will not be a waste of time and money. In order to be successful, however, it has to accomplish a few goals:
- Inform employees of cybersecurity risks. Provide examples of businesses that have been negatively impacted by cybersecurity issues. Elaborate on potential decreases in productivity, jobs lost or how employees are placed at risk if their personal and financial information is not protected during a cybersecurity breach.
- Educate employees about the specific cybersecurity policies and procedures of the organization.
- Tell employees why they should care about cybersecurity. They must know that it is in their best interest to be aware of their cybersecurity role and how they benefit in terms of productivity, safety and job protection.
- Inform employees about their cybersecurity role and responsibilities. Explain that they can be part of the effort to offset a shortage of cybersecurity skills in the United States as well as worldwide. Reduce employees' uncertainty about their cybersecurity roles and responsibilities.
- Designate concrete ways they can contribute to improved security. Use periodic reviews and training assessments to ask how employees make day-to-day use of their training.
- Make cybersecurity measurable. Set specific cybersecurity goals and come up with indicators and metrics for them.
Cybersecurity and business
The best way to ensure cybersecurity training avoids the perception of being "ineffective, pointless, and a waste of time and money" is to (a) make cybersecurity a part of the organization's risk management process, and (b) make cybersecurity training outcomes measurable.
If cybersecurity is part of the organization's risk management process, the organization should have cybersecurity risk reduction goals like the following:
- Reduce the number of malicious emails that reach a user's desktop.
- Reduce the number of instances where employees click on malicious links.
- Reduce the amount of resources spent on responding to cybersecurity issues.
With a risk reduction approach, cybersecurity awareness training becomes a clear supporting element of cybersecurity goals by reducing, if not eliminating, the uncertainty around why cybersecurity awareness training is being done. This approach also provides justification for required training expenditures.
Choosing cybersecurity risk reduction goals that are inherently measurable makes it easy to see the impact that cybersecurity awareness training has on achieving important business goals. Knowing the number of malicious email links that users have clicked on over a 90-day period before and after training on email security clearly demonstrates the effectiveness of the employee training. Additionally, knowing the cost associated with users clicking on malicious email links before and after that same training clearly demonstrates its ROI.
Elements of a cybersecurity awareness training program
Your organization's cybersecurity awareness training program should have the following elements:
- Training about how to recognize and avoid the most prevalent cybersecurity problems: email phishing, spear phishing, malware, ransomware and social engineering attacks.
- Training about the specific cybersecurity issues important to your organization: intellectual property protection, security compliance, and protection of employee and customer information.
- Inform employees how they will benefit from participating in a cybersecurity awareness training program.
- Make cybersecurity performance and cost improvement measures quantifiable.
- Use both formal and informal cybersecurity awareness methods that provide daily reinforcement of the importance of cybersecurity.
Overall, a cybersecurity awareness training program is an essential part of the organization's risk reduction effort. This will require clear connections between cybersecurity training and the business goals that it supports. It's vital to remember that cybersecurity in the workplace is everyone's responsibility: Training programs should stress how individual employees can influence the overall security environment at an organization. Through these cybersecurity awareness trainings, company leaders can help foster a workplace culture that is cybersecurity literate and helps ensure organization-wide data security.