5 Cyber Security Awareness Training Essentials
Last week, my 9-year-old son brought home materials on digital citizenship and cybersecurity, and proceeded to tell me about the dangers of clicking on links or opening attachments from strangers. When he noticed that I hadn't installed an update on my iPhone, as evidenced by the red circle on the App Store icon, he called me on it. If elementary schools have been able to incorporate the importance of applying software updates and phishing awareness into their curriculum, should workplaces be doing any less?
It would be easy to become numb to the almost daily data breach headlines and submit to a sense of inevitability. It is also tempting to rely exclusively on technology tools, the technology department, or others to protect us from cyber threats. In risk-management terms, these strategies amount to risk acceptance and risk transference respectively; neither is a viable option on its own for an accountable organization.
October is National Cyber Security Awareness Month, an annual campaign to raise awareness about the importance of cybersecurity. Effective education on how to avoid being caught in the web of cyber deceit should ideally be continuous, but this month presents a perfect opportunity to bring the topic to center stage in your organization.
Here are five ideas to get you started:
1. Launch the awareness campaign with a message from senior leadership that reinforces the importance of cybersecurity vigilance and the value it holds for staff, customers and the organization.
- Tone from the top is powerful, and having this message come from a department other than IT (the CEO or a business-line executive, for example) signals that security is a business priority rather than a technology chore.
- Consider sharing (where possible) incidents or close calls that have taken place over the past year, either internally or externally, driving the ‘why’ behind cybersecurity home. Alternatively, create a fictional 'what if' scenario and use a story format to paint a post-breach picture.
2. Remind staff about your organization’s acceptable use policies.
- Highlight recent changes to the policy and the rationale for making the changes.
- Consider having staff sign off that they have reviewed and understand the policies annually. Add a brief web-based quiz to the sign-off process to help identify areas that staff find confusing and where further training may be called for.
3. Train staff on the latest ways to stay secure in the workplace, and at home.
- Conduct periodic, engaging training throughout the year: live, via webinar, or through e-learning. Short, frequent sessions are retained better than a single annual marathon.
- Leverage high-quality, free training resources. Check out: (i) Stop. Think. Connect., (ii) Lock Down Your Login, and (iii) the National Cyber Security Awareness Month materials.
4. Test staff on their understanding of the content provided through simulations.
- Platforms are available that enable companies to deploy their own simulated phishing campaigns. Many include reporting that can be used to measurably demonstrate the effectiveness (i.e., ROI) of training on actual user behavior over time. Track the report rate (how many staff flagged the message, and how quickly) alongside the click rate: a falling click rate with a flat report rate means staff are ignoring suspicious mail, not escalating it.
- Note: it is important that simulations are conducted with an educational rather than a punitive intent, and that the human resources department is consulted before launching. Use results to target follow-up training, not to single out individuals.
5. Ensure staff know exactly how to report incidents and suspected incidents.
- Consider implementing a 'one click' phishing reporting system. Report-phishing buttons can be added to Microsoft Outlook, for example, allowing a suspicious email to be escalated to the security or IT team for analysis in one click. A button that attaches the original message (headers intact) is far more useful to the analyst than a message forwarded inline, which loses the routing headers needed to trace the sender.
- Create a dedicated incident reporting mailbox and/or phone extension that is regularly monitored and well publicized throughout the organization.
- Keep the information security team visible and approachable, making it more likely that staff will come forward with risks. Staff who accidentally trigger a cyber incident may not report it out of fear that they could lose their job; a stated no-blame reporting policy and a quick, courteous response to every report go a long way toward removing that fear.
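The metrics mentioned under items 4 and 5 (click rate, credential-submission rate, report rate, time to first report, and repeat clickers across campaigns) are straightforward to compute from a campaign export. The following is an added example, not code from the original article or from any phishing-simulation vendor; the CSV event format and the sample rows are constructed for illustration, and a real platform's export columns will differ.

```python
"""Summarise simulated-phishing campaign results: click, submission and
report rates per campaign, time to first report, and repeat clickers.

The event format below is an assumption for this example, not a vendor's
export format. The rows are constructed sample data."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export: one row per user event. Every targeted user
# has a "sent" row; "clicked", "submitted" and "reported" rows are optional.
SAMPLE_EVENTS = """\
campaign,user,event,timestamp
2023-Q1,alice,sent,2023-01-10T09:00:00
2023-Q1,alice,clicked,2023-01-10T09:05:00
2023-Q1,alice,submitted,2023-01-10T09:06:00
2023-Q1,bob,sent,2023-01-10T09:00:00
2023-Q1,bob,reported,2023-01-10T09:12:00
2023-Q1,carol,sent,2023-01-10T09:00:00
2023-Q1,carol,clicked,2023-01-10T10:30:00
2023-Q1,dave,sent,2023-01-10T09:00:00
2023-Q2,alice,sent,2023-04-11T09:00:00
2023-Q2,alice,clicked,2023-04-11T09:20:00
2023-Q2,bob,sent,2023-04-11T09:00:00
2023-Q2,bob,reported,2023-04-11T09:03:00
2023-Q2,carol,sent,2023-04-11T09:00:00
2023-Q2,carol,reported,2023-04-11T09:45:00
2023-Q2,dave,sent,2023-04-11T09:00:00
2023-Q2,dave,clicked,2023-04-11T11:00:00
2023-Q2,dave,reported,2023-04-11T11:02:00
"""


def parse_events(text):
    """Return {campaign: {user: {event: datetime}}} from CSV text."""
    data = defaultdict(lambda: defaultdict(dict))
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["timestamp"])
        data[row["campaign"]][row["user"]][row["event"]] = ts
    return data


def campaign_metrics(data):
    """Per campaign: number targeted, click/submit/report rates as fractions
    of targeted users, and minutes from send to the first report."""
    out = {}
    for campaign in sorted(data):
        users = data[campaign]
        targeted = [u for u, ev in users.items() if "sent" in ev]
        n = len(targeted)
        if n == 0:  # malformed export with no "sent" rows; skip, don't divide by zero
            continue
        clicked = sum("clicked" in users[u] for u in targeted)
        submitted = sum("submitted" in users[u] for u in targeted)
        reported = sum("reported" in users[u] for u in targeted)
        report_delays = [users[u]["reported"] - users[u]["sent"]
                         for u in targeted if "reported" in users[u]]
        first_report = (min(report_delays).total_seconds() / 60
                        if report_delays else None)
        out[campaign] = {
            "targeted": n,
            "click_rate": clicked / n,
            "submit_rate": submitted / n,
            "report_rate": reported / n,
            "first_report_minutes": first_report,
        }
    return out


def repeat_clickers(data, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` campaigns. These are
    candidates for additional coaching, not for disciplinary action."""
    counts = defaultdict(int)
    for users in data.values():
        for user, ev in users.items():
            if "clicked" in ev:
                counts[user] += 1
    return sorted(u for u, c in counts.items() if c >= min_campaigns)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for name, m in campaign_metrics(events).items():
        print(f"{name}: targeted={m['targeted']} click={m['click_rate']:.0%} "
              f"submit={m['submit_rate']:.0%} report={m['report_rate']:.0%} "
              f"first_report={m['first_report_minutes']} min")
    print("repeat clickers:", repeat_clickers(events))
```

On the constructed data the click rate is flat at 50% across both campaigns, but the report rate rises from 25% to 75% and the first report arrives in 3 minutes instead of 12. That is the improvement item 5 is after: even staff who click (dave in Q2) are reporting promptly, which gives the security team a chance to respond before a real attacker can act.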
An engaged, aware and educated user population is a powerful complement to your technical cybersecurity defenses; invest time in developing their capabilities today.