Despite an increased awareness about cyber threats among the general population, hackers continue to prey on people because they believe them to be the weakest link in an organisation’s security. Indeed, recent reports estimate that one in ten employees still fall for social engineering attacks, while other studies cite the ‘human factor’ as the single largest factor behind the continuance of ransomware and other cyber-attacks on UK industry. But effective cyber security training can transform the workforce from an organisation’s weakest link to its most powerful asset. Here we outline eight top strategies for effective cyber security training – both within the workforce, and externally, to suppliers and customers.
1. Make it interesting
It’s often said that to be successful at cyber security, you need to learn to ‘think like a hacker’. Therefore, effective cyber security training should try to recreate the potential situations that people may experience in the real world. For example, you could send fake spam or phishing emails to office workers to see if they would spot potential threats, while senior management may benefit from crisis management simulation exercises, where they learn how to handle pressurised cyber security situations within a mocked-up environment.
2. Make cyber security part of your organisation’s health and safety strategy
Cyber security risks can pose a serious risk to workplace safety, particularly within industrial settings. As an illustration, if a hacker within a food factory was to change the speed of a computer-controlled mechanical slicer, those working with the affected machine could literally be dicing with death. So, to really change attitudes within your organisation, it’s important to highlight that cyber threats are just as important, and indeed interlinked with, considerations about physical safety. Armed with this knowledge, employees may be willing to challenge rule breakers in the same way they would if someone was handling a piece of equipment in an unsafe manner.
3. Understand who does what in the organisation
Before devising an appropriate training programme for your workforce, it’s essential to gain an understanding of the types of work done by each person or team within the organisation, so that you can identify who has the most impact on your corporate systems and data. Armed with this information as part of your cyber security management plan, you can decide on an appropriate level of training to match each person’s level of responsibility.
4. Make it relevant
Almost everybody in an organisation would benefit from basic cyber security awareness, but only key decision makers really need to understand their roles and responsibilities in the event of a serious cyber-attack. Mapping out your organisation’s response to a serious cyber incident is a vital part of incident response planning, and offering training to support each group to carry out their roles effectively should be an integral part of this process.
5. Ensure that training is continuous
Where possible, avoid the temptation to make cyber security training a simple ‘tick-box’ exercise, and instead focus on making the training stick in the minds of your workforce. For example, training sessions could be part of an employee’s induction programme, and then followed with regular refresher sessions. It could even be included as part of an employee’s overall development plan and incorporated into HR assessments.
6. Talk about cyber-attacks in the news
Serious cyber-attacks, like the WannaCry ransomware outbreak in 2017, attract mainstream news coverage and put cyber security firmly into the minds of the general public. So why not capitalise on this, and use such incidents as an opportunity to re-educate your workforce about the dangers of cyber threats, and remind people how to behave in the event of a similar situation?
7. Build security into your supply chain
An organisation’s potential attack surface isn’t limited to its bricks and mortar, and neither should the reach of its cyber security training be. Recent reports estimate that up to 80% of cyber security breaches may originate in the supply chain, and as a result, it’s vital to ensure your suppliers treat cyber security threats as seriously as you do. Before agreeing to work with a new supplier, organisations can include compliance with standards such as the Cyber Essentials programme in their contracts.
8. Discuss cyber security with your customers
Customers usually want to know that businesses are doing everything they can to prevent cyber security breaches. Therefore, it’s important to educate your customers about the importance of cyber security and the steps they should take to stay safe online. Many high-street banks set a good example of this kind of education, by warning users about potential phishing threats or social engineering techniques that they may face, and how to avoid them.
Whether you choose to blame them or empower them, it’s clear that your staff, customers and suppliers hold the keys to protecting your business against cyber-attacks. While it’s easy to focus on the technological solutions that can protect an organisation’s networks and data, it’s vital that we don’t ignore this more complicated aspect of enterprise threats, and always remember the role of people in keeping any organisation secure.
Article first published on www.teiss.co.uk on 08 May