
teissTalk: Security awareness programmes – starting from scratch

teissTalk host Geoff White was joined by Jacqueline Hanson-Kotei, Senior Manager, Enterprise Information Security & Governance, MTN Ghana; Dom Lucas, Head of Security, British International Investment; and Shelton Newsham, Owner/Director, Newsham Business Solutions Ltd.


Views on news


Hornetsecurity has reported that 33% of companies are not offering any cybersecurity awareness training to users who work remotely.


The study also pointed out that this causes security issues because nearly three-quarters (74%) of remote staff have access to critical data, which creates more risk for companies in this new hybrid-working world. Organisations run security training once a year because that is the minimum requirement for compliance.


However, to develop muscle memory for cyber security, your employees need much more than that. Run training programmes which are fun and engaging, which will generate partnership and ownership as well. Gamification and competition can enhance engagement and improve outcomes.


Long, comprehensive training or short sessions delivered in small chunks?


Generally speaking, small chunks can work better, but the situation is a bit different with onboarding, where every new employee needs to get a baseline security induction. However, the nature and the level of the training also depend on the activity of the company.


But no matter where employees are in the hierarchy, training on phishing or vishing is relevant for everyone. Training provided for privileged users is a key area. Training also needs to be tailored to senior executives' needs, as well as those of their personal assistants and support staff, as they are the primary targets of malicious actors.


Employees may feel that they are too busy to do a 45-minute training every year but will be happy to fit in a couple of minutes every month, which can add up and bring better outcomes. As for metrics used to assess security training, click rates on phishing emails can be a metric to go by, but may not be enough in themselves. A typical mistake here is focusing on what the security team wants to do rather than what it wants to achieve. If you are ISO 27001 certified, that will help you put the proper metrics in place. Getting feedback from participants on what went well and what caused difficulties can also be very helpful in shaping and tweaking training programmes.
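
To make the point about metrics concrete, here is an added worked example (not from the panel or from teiss) that scores a phishing simulation on more than click rate. It runs over a constructed set of per-recipient results; the record layout, campaign names and department labels are assumptions made for this illustration, not data from any real programme. Alongside click rate it computes report rate, median time to report and repeat clickers, which is where the "what you want to achieve" question shows up: in the sample, two campaigns have identical click rates but the report rate falls, something a click-rate-only dashboard would miss.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not from the page): one row per recipient per
# simulated phishing campaign. The field layout is an assumption for this example.
RESULTS = [
    # (campaign, user, department, clicked, reported, minutes_to_report)
    ("Q1", "alice", "finance",   True,  False, None),
    ("Q1", "bob",   "finance",   False, True,  12),
    ("Q1", "carol", "marketing", True,  True,  45),
    ("Q1", "dave",  "marketing", False, False, None),
    ("Q1", "erin",  "it",        False, True,  3),
    ("Q2", "alice", "finance",   True,  False, None),
    ("Q2", "bob",   "finance",   False, True,  8),
    ("Q2", "carol", "marketing", False, False, None),
    ("Q2", "dave",  "marketing", True,  False, None),
    ("Q2", "erin",  "it",        False, True,  2),
]


def campaign_metrics(rows, campaign):
    """Click rate, report rate and median time-to-report for one campaign.

    Rates are fractions of recipients in that campaign. Report rate counts
    everyone who reported, whether or not they also clicked: a user who
    clicks and then reports still gives the security team a chance to respond.
    """
    sent = [r for r in rows if r[0] == campaign]
    if not sent:
        raise ValueError(f"no rows for campaign {campaign!r}")
    clicked = sum(1 for r in sent if r[3])
    reported = [r for r in sent if r[4]]
    times = [r[5] for r in reported if r[5] is not None]
    return {
        "sent": len(sent),
        "click_rate": clicked / len(sent),
        "report_rate": len(reported) / len(sent),
        "median_minutes_to_report": median(times) if times else None,
    }


def repeat_clickers(rows, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns.

    A flat overall click rate can hide the fact that the same few people
    click every time; those people need targeted, not generic, training.
    """
    clicks = defaultdict(set)
    for campaign, user, _dept, clicked, _reported, _minutes in rows:
        if clicked:
            clicks[user].add(campaign)
    return sorted(u for u, c in clicks.items() if len(c) >= min_campaigns)


def department_click_rates(rows):
    """Click rate per department across all campaigns, for tailoring content."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for _campaign, _user, dept, was_clicked, _reported, _minutes in rows:
        sent[dept] += 1
        clicked[dept] += int(was_clicked)
    return {d: clicked[d] / sent[d] for d in sorted(sent)}


if __name__ == "__main__":
    for c in ("Q1", "Q2"):
        print(c, campaign_metrics(RESULTS, c))
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("by department:", department_click_rates(RESULTS))
```

Run as a script it prints the per-campaign figures: Q1 and Q2 both have a 40% click rate, but the report rate drops from 60% to 40% and one user clicks in both campaigns. Report rate and time to report are the numbers that tell you whether people know what to do after a mistake, which is closer to the "second nature" outcome the panel describes than a raw click count.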


What you should aim for is cyber security becoming second nature to your people, the way fastening seatbelts has become natural for drivers. Hard metrics should be looked at and regarded as a baseline, but they are not the be-all and end-all.


The panel's advice


Deliver training in small chunks, use a competition format and put in some reward too. But make sure you remain consistent.


Different departments (finance, marketing, etc.) need to be targeted with security training in different ways.

Give new employees some tools to start with, which they can build on later.


If you go for training in small chunks, make sure your message is clear, simple and punchy.


Create a security environment which is about reward rather than punishment.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543