According to a recent report by McAfee, the cost of cybercrime to the global economy has increased from $500 billion in 2014 to $600 billion in 2018. Because the single most significant threat to an organization’s cybersecurity is its people, learning leaders are key to creating more secure and cyber-aware organizations.
Education is one of the best ways to prevent hacks and other cybercrimes from hitting your organization. Instead of using one-off, targeted courses, experts recommend ongoing awareness-building and training. That’s the goal of MediaPRO’s new SaaS platform, LearningLAB, which helps organizations create and deliver a comprehensive awareness program tailored to their employees. “Cybersecurity and privacy risks exist in businesses of every size,” says Tom Pendergast, chief strategist for security, privacy and compliance at MediaPRO. “We’ve built a year-round program that includes risk assessment, phishing training and reinforcement.” LearningLAB will enable users to brand the platform and decide on types of content and frequency of delivery based on their company needs.
Making Cybersecurity Training More Engaging
Compliance training is notorious for being boring – or at least for having that reputation. “Not that many people are fascinated by cybersecurity and privacy,” Pendergast says. “Part of building a risk-aware culture is overcoming either that reluctance or that training fatigue that people have.”
It’s also important to make training relevant, says Colleen Huber, director of e-learning, design and development at MediaPRO. Employees often think cybersecurity and privacy is “an IT job, when in fact it’s IT, it’s the C-suite, it’s everybody down to the people who are taking credit cards at a cashier’s stand.” Personalize training to different roles, and help employees in every department, at all levels, understand that “it just takes that one slip-up by one person to create an incident.”
Pendergast recommends using microlearning and “a variety of different communication techniques” as well as metaphors to help non-technical employees understand technical content. For example, MediaPRO created a video on virtual private networks (VPNs), comparing them to safe bridges that transport travelers safely across a dangerous sea.
Isaac Kohen, founder and CEO of Teramind, writes that lack of periodic, engaging training “is probably the biggest indicator of a lack of empathy for employees.” He recommends “a solution that incorporates, short, bite-size communications, interactive challenges (like phishing simulations) and real-time coaching after a misstep.”
“Recurring training is essential,” writes Brett Williams, co-founder of IronNet Cybersecurity. “Technology changes every day. Those changes bring great opportunities, but they also bring increased risk. Keeping everyone current through short web-based updates, ‘brown bag’ discussions or mini-workshops are all ways to make sure your company grows and prospers in the age of cyberspace.”
How L&D Can Lead the Way
IT, legal and other executives, Pendergast points out, don’t typically have the understanding of adult learning principles that L&D leaders have. That’s why it’s important for learning leaders to work with the executives in charge of cybersecurity to use such concepts as spaced repetition to improve their awareness efforts.
Instilling security practices throughout the talent management and development process is another way L&D can lead the change in creating a cyber-secure culture. For example, Gene Fredriksen, chief information security strategist at credit union PSCU, recommends making security part of every employee’s performance review. “Of all the programs you can implement to improve the security of your organization,” he adds, “nothing has a greater return on investment than training and cultural awareness.”
Providing training to middle managers is also important. According to Michael Fimin, co-founder of Netwrix, since they are the ones who work with business users directly, they “play a big part since they can control how their subordinates follow the policies.” Make sure they understand cybersecurity policies, why they are in place and how to follow them.
The easiest way to know your organization has a high level of risk is when you get hacked. But, of course, it’s important to be able to measure risk before your company lands on the front page of the newspaper. “One of the truths in this industry,” says Pendergast, “is that it’s really hard to quantify the level of risk that is associated with human behavior.” However, he says, “the mission of LearningLAB is to quantify the nature of human risk that exists in your enterprise and to provide really targeted training” to reduce it.
Along with other training measurement strategies you already use, simulated phishing exercises are one way to evaluate cyber-risk in particular. Send a fake phishing email to employees, and see how many people click. Use that information as one risk metric and a way to target phishing training.
In their contribution to the book “The Cyber Risk Handbook,” James Kaplan and Jim Boehm of McKinsey recommend measuring both leading and lagging indicators, using objective metrics in addition to subjective metrics, and measuring organizational resilience rather than focusing solely on the cybersecurity team.
Organizational culture is the driving force of a company. Creating a culture that embraces cybersecurity involves leadership strategies, effective training and good measurement practice. By following these tips, your L&D team can lead the way in preventing cybercrime from affecting your organization.