by Darren Mott, The Cyber Guy
According to a recent article at Help Net Security, 1 in 3 employees don’t understand why cybersecurity is important.[1] Every company, regardless of size, must decide how it is going to approach cybersecurity training. The constant evolution of cyber threats, from criminal cyber actors to nation-state cyber actors to insider threats, has created an environment where no “one-size-fits-all” formula is possible. The standard training approach at most companies is a one-time annual session, usually a self-paced PowerPoint presentation that employees can quickly click through and that was likely unchanged from the previous year’s version. Most current cyber threats are not focused solely on companies, but also on individuals. The rise of work-from-home arrangements caused by the COVID pandemic has made it easier for bad cyber actors to find and exploit new networks and new sources of information and intelligence. Thus, a new paradigm is needed to address cybersecurity training and awareness.
How should a company address this needed change? Fortunately, the answer is simple and does not have to cost a lot. Cybersecurity training needs to be regular, short, and personal to the employee to keep them engaged. I hear you saying, “What exactly does that mean?” As a former teacher and retired FBI Special Agent who spent 20 years investigating and managing cybercrime cases and conducting training for hundreds of companies, the answer I have come up with is very simple. It looks like this:
- Change cybersecurity training and awareness from once per year to monthly;
- Keep the training modules short and succinct (15 minutes max);
- Split the topics between those important to the company (e.g. social engineering, insider threat, Business Email Compromise, etc.) and those important to the individual (securing home networks, online romance scams, protecting kids, etc.);
- Reduce PowerPoints and focus on anecdote-based case studies.
What are the advantages of this approach? Even at only 15 minutes per month, employees will stay engaged with cybersecurity issues and will be more likely to identify potential cyber threats when they occur, whether on the corporate network or at home. This increased awareness will lessen the cyber risk to both the company and the employee. Employees will be better educated about a variety of cyber threats, including new ones as they arise, since the monthly training can be based on current events. This training also does not necessarily need to be expensive. There are certainly expensive models available, but those are scaled to large businesses.
The biggest concern for small and medium-sized companies should be that cyber actors are coming your way.[2] It is inevitable that all companies at some point will need to address a cyber issue of some type. In my experience in the FBI, most cyber incidents began through some form of targeting of employees through social engineering. By understanding that your employees are your first line of defense and by providing them with regular, consistent, and meaningful training, you can reduce your chances of being a bad cyber actor’s next victim.
If you’d like more information on this or recommendations on starting this new type of training, feel free to email me at darren@thecyburguy.com or follow me at linkedin.com/in/darrenmott. You can also check out one of my podcasts, The CyBUr Guy Podcast or the Get CyBUr Smart Podcast, available at all podcast outlets.
[1] https://www.helpnetsecurity.com/2022/07/28/employees-dont-understand-why-cybersecurity-is-important/
[2] https://www.msn.com/en-in/news/other/cyber-security-for-small-and-medium-businesses-the-next-frontier/ar-AAZUlcf