The pandemic transformed much more than the way we work. It spurred a digital transformation and facilitated the creation of remote and hybrid workplaces — but it also made us more vulnerable to cybersecurity threats.
Remote work, in particular, is proving to be a challenge when it comes to following company cybersecurity policies. Working from home, it is easy for employees to let their security awareness slip and fall back into bad habits, which leaves companies exposed to more threats and attacks than before.
The solution? Doubling down on cybersecurity training.
The state of cybersecurity training today
Most companies already offer cybersecurity courses to their employees. But according to a recent survey by TalentLMS and Kenna Security on employees' awareness and knowledge of cybersecurity risks, these courses are not as effective as they should be.
Of the 1,200 American workers surveyed, 69% had received cybersecurity training from their companies, yet 61% failed the basic security quiz they were asked to complete.
The survey also uncovered some further troubling habits of employees today:
– 34% of employees who have received cybersecurity training still store their work passwords in plaintext, compared with 16% of those who haven't received training.
– 60% of employees who have received cybersecurity training still use public WiFi for work, compared with 52% of those who haven't.
This apparent ineffectiveness of cybersecurity training programs has very real consequences: 90% of companies report an increase in cyberattacks during the pandemic and the transition to remote work. To turn this around, companies need to build a cybersecurity training program that is engaging, impactful, and creates better daily habits for their employees.
5 steps to an effective cybersecurity training plan
For employees' cybersecurity awareness to improve consistently, they need to remember what they learned during training and be able to apply that knowledge day to day. Here are some best practices for creating an engaging and effective cybersecurity training plan:
1. Regular audits
The first step when designing a cybersecurity training program is to conduct regular internal audits. These will show you where you are currently exposed. Most of an audit consists of checking workstations, remotely or in person: look for unapproved software, and check whether the company password manager is actually in use rather than passwords being kept in plaintext files, spreadsheets, or notes.
You can also ask employees questions about company security policies or standard operating procedures. Checking that the clean desk policy is being followed is also important: walk around the office occasionally and look for sticky notes with sensitive information or passwords on desks.
The point of regular audits isn't to penalize employees for wrong answers or infractions, but to create teachable moments anchored in real-life experience. Audits also help you reevaluate your training plan by showing exactly where staff fail to comply.
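The workstation check described above (is the password manager in use, are passwords lying around in plaintext?) can be partly automated. The script below is an added example, not tooling from TalentLMS or the survey: it walks a directory tree, flags files whose names or contents look like stored credentials, and separately counts encrypted password-manager vault files as evidence the manager is being used. The file-name and line patterns, the vault extensions, and the sample home directory it builds are all assumptions constructed for the example.

```python
"""Audit a directory tree for plaintext credential files (added example).

Heuristics, extensions and the sample directory are assumptions for
illustration, not the page's or any vendor's tooling.
"""
import os
import re
import tempfile
from pathlib import Path

# Hypothetical heuristics. The lookbehind/lookahead keep words such as
# "compass=north" or "credit" from matching while "DB_PASSWORD=" still does.
SUSPECT_NAME = re.compile(
    r"(?<![a-z])(pass(word|wd)?s?|creds?|secrets?)(?![a-z])", re.IGNORECASE
)
SUSPECT_LINE = re.compile(
    r"(?<![a-z])(pass(word|wd)?|pwd|secret|api[_-]?key)\s*[:=]\s*\S+",
    re.IGNORECASE,
)
# Encrypted vault files (assumed extensions) are evidence the password
# manager IS in use; they are reported separately, never flagged as plaintext.
VAULT_SUFFIXES = {".kdbx", ".kdb"}
SKIP_DIRS = {".git", "node_modules", "__pycache__"}
MAX_BYTES = 1_000_000  # skip huge files; credential notes are small


def scan_workstation(root):
    """Return {"plaintext": [(relpath, reasons)], "vaults": [relpath]}."""
    root = Path(root)
    result = {"plaintext": [], "vaults": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if path.suffix.lower() in VAULT_SUFFIXES:
                result["vaults"].append(rel)
                continue
            reasons = []
            if SUSPECT_NAME.search(name):
                reasons.append("suspicious filename")
            try:
                if path.stat().st_size <= MAX_BYTES:
                    with open(path, encoding="utf-8", errors="ignore") as f:
                        for lineno, line in enumerate(f, 1):
                            if SUSPECT_LINE.search(line):
                                reasons.append(f"credential-like line {lineno}")
                                break  # one hit per file is enough to report
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if reasons:
                result["plaintext"].append((rel, reasons))
    result["plaintext"].sort()
    result["vaults"].sort()
    return result


def build_sample_workstation(root):
    """Write a constructed, fictional home directory under root (sample data)."""
    root = Path(root)
    files = {
        "Desktop/passwords.txt": "vpn password: hunter2\nwifi pwd = guest1234\n",
        "config/app.env": "APP_ENV=production\nDB_PASSWORD=s3cret\n",
        "notes/todo.txt": "call Dana at 3\ncompass=north on the trail map\n",
    }
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text, encoding="utf-8")
    vault = root / "vault" / "work.kdbx"
    vault.parent.mkdir(parents=True, exist_ok=True)
    vault.write_bytes(b"\x00placeholder-for-encrypted-vault")  # stands in for a real vault
    return root


def run_demo():
    """Build the sample directory, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_workstation(tmp)
        return scan_workstation(tmp)


if __name__ == "__main__":
    report = run_demo()
    for rel, reasons in report["plaintext"]:
        print(f"PLAINTEXT  {rel}: {', '.join(reasons)}")
    for rel in report["vaults"]:
        print(f"VAULT      {rel}")
```

On the constructed sample this flags Desktop/passwords.txt and config/app.env, leaves notes/todo.txt alone, and lists vault/work.kdbx as a vault. Treat the output as a starting point for a conversation with the employee, not as proof: the patterns produce both false positives and misses, and a real audit would pair this with checking that the approved password manager is installed and in use.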
2. Hands-on, relatable cybersecurity courses
One of the biggest roadblocks to effective cybersecurity training is that the language tends to be crammed with industry jargon, which makes both retention and engagement plummet. How can we expect employees to absorb their training when they don't understand half the words they're being taught?
Another issue is that the training can be too theoretical, leaving most employees with the feeling that it doesn't apply to them or relate to their actual job. As a result, they don't carry what they learned into their day-to-day work.
Successful cybersecurity training needs to be hands-on and practical, using simple language and real-life examples.
This makes it far more likely that employees remember what they were taught and apply it when a real threat arrives, such as a phishing email. Don't forget that cybersecurity skills are practical, not theoretical.
3. Continuous cybersecurity training
As with all employee training, cybersecurity training should not be a "one-and-done" offering. Repeating it at regular intervals helps employees retain what they learned and keeps the material current as threats evolve and become more sophisticated.
One way to do that is to utilize microlearning — break training down into smaller, more digestible units. According to 38% of the respondents in the TalentLMS survey, microlearning is one of the key things that would make cybersecurity training more enjoyable.
4. Corresponding company policies
Your cybersecurity training should be an extension of how your company approaches digital safety; it should reflect your policies.
One of the most important company policies you need in order to combat cybersecurity threats is a password policy. It should require employees to store passwords, and share them when sharing is unavoidable, only through a password manager, and it should explicitly prohibit plaintext storage in files, spreadsheets, or notes. Password policies are more relevant now than ever: a study by NordPass found that the average person has around 100 passwords, a 25% increase since the start of the pandemic. To be as safe as possible, each of those 100 passwords should be unique and kept in a password manager, something that 73% of employees surveyed by TalentLMS are currently not doing.
Another important policy to implement is the clean desk policy. Any time an employee steps away from the desk or leaves for the day, they must tidy the work area and securely store any sensitive material, from documents and USB devices to cell phones and external drives. This policy is harder to enforce for a remote team, but it's not impossible.
At the end of the day, you need your employees to understand the risks and act accordingly.
5. Focus on compliance
Last but not least: consider adopting a recognized security framework such as the ISO 27001 information security standard, alongside the regulations that apply to you, such as the GDPR in Europe. That way your cybersecurity training becomes part of your compliance program, and regular security audits come with it.
Cybersecurity should not be treated as just another box to tick
Cybersecurity training is one of the best investments you can make for your company. With damages from cybercrime expected to reach $6 trillion in 2021 alone, making sure your training is impactful and engaging is more vital than ever.