The importance of cyber training for remote workers
Staff are your first line of defence
Training is like a secret super weapon for cyber security. But it gets overlooked. Good training is engaging, and it brings people into the problems that you're trying to solve. You could have all the technical controls and powerful cyber defences, but that can all be undone by one person clicking a link.
Humans are really the first and last line of your defence, and training is how you secure them.
Watch one of our experts explain the importance of cyber training in this video:
Securing remote workers post covid
Organisations had to swiftly transition to employees working remotely, and this has introduced a new set of risks from a cyber security perspective. From personal devices being used to connect to the corporate network down to the deployment of patches through the limited bandwidth of VPNs, IT and security teams have had their hands full adapting processes on sometimes completely untested ground.
Cybercriminals also took advantage of people’s fears to launch themed attacks, carefully engineered to exploit the fear that the public had during the pandemic. From phishing emails pretending to be from the WHO to ransomware attacks delivered through fake Covid 19 information apps, threat actors exploited the global crisis to make a profit.
Considering these new threats, cyber security training has become even more crucial to IT security. But not all training programmes are easily deployable to a remote workforce. Here are a few tips for organisations looking to harden their security posture through training.
Flexible, cost-effective and scalable: e-learning
Particularly useful with a remote workforce, e-learning is not only scalable and easily deployed to the entire organisation, but it also produces better learning outcomes. Studies have shown that employees take between 40% and 60% less time to learn the same material when following a course online, as compared to the time it would take them to learn it in a classroom setting. With online programmes, employees are able to fit training sessions around their day and proceed at their own pace, without interrupting their workflow.
In fact, after deploying an e-learning programme with its employees IBM found that without increasing the time spent on the training, employees were learning as much as five times more material than they did when following the same course delivered in a classroom or with physical manuals.
Online learning is also a good way to monitor what stage of the training employees are at and allow organisations to follow up with workers that are behind with their assigned learning objectives.
Security training shouldn’t be a tickbox exercise
Each training solution has its merit, but there is one thing that will significantly improve the efficacy of any chosen programme: frequency.
Unfortunately, many organisations approach cyber security awareness training as an item to tick off their compliance list, and limit themselves to a single, class-room based session. Worse, some provide employees with a print-out of the best practices to follow, a list of potentially harmful websites, and nothing more. In fact, as of 2018, of the 45% of organisations that were providing formal security training, only 10% were doing so monthly or quarterly, and 9% were only training employees as they joined the company.
Whilst it is impossible to reduce the risk of a human error causing a security compromise down to zero, repeating awareness training can certainly reinforce the message. By holding regular training sessions, organisations can also better prepare employees for the latest threats and newly discovered malicious campaigns.
Is it specific to the nature of the organisation?
Training programmes are most effective when targeted to the specific sector or, better, the specific organisation, they are aimed at.
One thing that we found to be particularly effective is to show employees what a hacker would see, effectively asking them to put themselves into the shoes of an attacker to anticipate their moves and to act with the risks in mind. By learning to think like a hacker, users will be able to recognise specific instances that require them to proceed with caution, but they will also learn how to think with security in mind in a broader sense and apply cyber hygiene best practices to all operations.
Is it skill specific?
It should go without saying that cyber security training needs to be skill specific. Naturally, assigning the IT team a multiple-choice quiz on how to spot a phishing email is likely to leave these technical and tech-savvy employees bored, if not annoyed. Similarly, overly specific and jargon ridden exercises are likely to alienate less tech-minded individuals.
Rather, exercises should be appropriate to the level of knowledge of the employees they are aimed for, ensuring that they are the right amount of challenging, easy to follow and – most of all – memorable. Naturally, all employees should still complete a training programme that includes all the essentials, with modules adapted to their technical level. In addition, training should be aligned to the way that each particular employee group absorbs information. For example, techies love to get hands-on, and training that isn't suited to their learning methodology can lead to boredom and frustration.
Invest in training while your employees are working from home
Making an investment in cyber security may seem inconvenient, given how the world’s economy is slowing down and budgets are harder to obtain – even more so for something traditionally hard to measure in terms of return on investment. However, the heightened risk of a security compromise means that all organisations, even those who have run cyber security awareness training programmes in the past, should consider hardening their defences at the user level.
Cyber criminals have already made it clear that the lockdown not only hasn’t affected their operations, but has opened up a window of opportunity they are not going to waste. As organisations’ defences are put to the test by a new mode of working, cyber security awareness training is perhaps the simplest, most scalable and easiest to tailor solution that can be deployed to bolster their security posture.
Trusted cyber security & compliance services from a certified provider
Get a quote today
If you are interested in our services, get a free, no obligation quote today by filling out the form below.