(844) 627-8267
(844) 627-8267

Your cybersecurity compliance training isn’t working | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

Yes, I’ll say it: Your cybersecurity training isn’t working,

For the past 10 years you’ve probably been clicking module after module in your employee training program on topics such as “Insider Threat” “Preventing Phishing” and “Securing Your Data.”

I’m not going to say these topics are not important. Quite the opposite. The training is vital to your organization and, when properly implemented, can significantly reduce the potential of data loss, cyberattacks or data exploitation.

Although simulated phishing attacks and trainings have become common, the data doesn’t lie: Successful cyberattacks against organizations continue to rise year after year.

It’s likely your training has made an impact, but now the real question is: Is it making enough of an impact? Does the leadership in your organization feel strongly that you have done enough to thwart a security incident?

Earliest cybersecurity training programs emphasized low-hanging warnings, such as encouraging employees to spot the misspelling of common words, grammatical errors or misaligned corporate logos. Training would expand, reminding individuals to look at the domain name of the sender, making sure it appeared legitimate.

Laudable as these efforts may be, they fall short as there are plenty of had actors with grammar and spell-check tools as well as the ability to quickly purchase a domain name.

Look at the ‘why’

As with any training program, it is critically important to begin with the why.

Despite IT security professionals expressing the importance of security, there are still employees in most organizations who believe the protection of corporate data is the responsibility of someone else within the organization.

Some organizations have taken the approach of teaching good cybersecurity practices not from the vantage point of the organization’s benefit but instead of how it can improve an employee’s individual security posture.

In other words, if I teach you the importance of backing up family photos when you have only one copy of them, you may be more engaged in executing these practices than if I remind you why the company needs you to back up a work document.

Security training programming cannot live in a vacuum.

Certainly, there is an important compliance aspect for many industries that must be achieved. We need to validate that a module covering x-y-z is completed and logged as successful.

Now, the trick is to make sure that the training is not simply “checking a box.”

One local organization, Cybercade, saw an opportunity to incorporate gamification into the cybersecurity education cycle by creating an immersive and interactive storyline.

Instead of a simple PowerPoint presentation with a quiz at the end, the solution awards points to your character based on you accomplishing learning objectives.

Points to look at

Despite the road map used, it’s of critical importance that your cybersecurity training programs start with the basic and foundational aspects. We cannot start to explore detailed subjects when foundations are not covered.

Ensure that terminology and training are aligned for your audience. Emphasize the importance of the shared responsibility of protecting the environment.

Specific topics that can be included:

  • What data can be accessed remotely from the office?
  • How to use your corporate VPN when working from public Wi-Fi such as a hotel, coffee shop, or airport.
  • How to ensure your firewall or antivirus programs are functional.
  • Ways to report suspicious activities.
  • How to protect and establish your password.
  • Thinking about how and where we store devices.

Ongoing training

Finally, to make sure training sticks, ensure that it is not a single touch point.

Incentivize training and reward positive behaviors, versus only requiring training on the Jan. 1 date when eight other compliance modules are assigned.

Protect the integrity of the training by ensuring that it is embraced at all levels of the organization and embraced at the top.

Allow the training to be ongoing and facilitate active dialogue to reinforce key concepts throughout the year.

Taking a team approach to cybersecurity is critical. These initiatives need to be led across organizations and should not be on the shoulders of any one individual or department.

When there are cybersecurity threats, incidents or concerns, there must be avenues to report and address these in supportive and constructive ways.

There are few things worse than an individual making a mistake and then being afraid to ask for help. Cyber incidents quickly turn into avalanches, and early reporting is critical in protecting your environment.

Dan Tuuri is a corporate trainer at Involta in Cedar Rapids and a board member of SecMidwest, a Cedar Rapids-based nonprofit focused on cybersecurity education, SeMidwest.org. Comments: [email protected]


Click Here For The Original Source.

National Cyber Security