Training & awareness. It’s a tricky topic.
Whenever you read about the top things businesses can do to defend against cyber attacks, training & awareness is often at the top of the list, and for good reason too.
At its core, training & awareness is about educating people on the threats and risks associated with cyber security and how to defend against them. The idea is that once people are aware of the danger and how to avoid it, they can then work more safely.
As a concept this is fine. If I were to say to you “Don’t do this. Do this instead”, you may very reasonably ask “Why?”. So, to approach cyber from this angle is sensible.
However, like most things, training & awareness programs are not created equal. The issues stem from three areas – goals & objectives, delivery and implementation.
Goals & Objectives
When deciding to use training and awareness, you need to establish clear goals and objectives which your program will work to meet. Why does the training exist? What do you hope to achieve with it? How will you measure that?
Saying “so we don’t get hacked” might seem okay in principle, but that’s a very absolute measurement. It also doesn’t help staff – who will be the end users of your training – resonate with it.
Instead, think about what your training will lead to. “So we can implement a password manager”, “So we can track when staff receive phishing emails”, “So we can improve our performance against a clear screen audit” are all objectives that your training can very effectively support.
Goals should not stand still either. Today you might have six goals, all aimed at specific problem areas. In six months’ time you might have six totally different goals. If your goals reflect the current needs of the business you won’t go far wrong, but it might take a bit of work to identify what those needs are.
Delivery
“Classic” training and awareness is often death-by-PowerPoint. Sit in front of a slide deck and listen as someone reads off them. It isn’t engaging, it isn’t effective and it’s very boring.
How you deliver training should vary. If you’re telling people to use a password manager, consider running a workshop. Have them bring their laptops, have some guys from the IT department on hand, help them install it and get them up and running. You can field questions, see their issues first hand and get them using it right there and then.
If you’re explaining why reusing the same password is poor practice, relate it to something your audience is already familiar with. Break it down into areas that they can easily relate to their personal life. Would they use the same key for their gym locker, front door and their car? Probably not, so why would they do the same on their online accounts?
Get creative! If you’re running a session on why incident response is important, consider running a tabletop exercise. Put them in the driving seat, make the session real and get them familiar with what a breach can feel like. Bring them back, reflect on what they did and then go forward with what could be done differently.
You’re trying to get complex, sensitive topics across. That’s very hard (if not impossible) to do via a slide deck. So make it approachable and accessible.
Implementation
Almost all training and awareness I see is “fire and forget”. That is, it is delivered once and then not followed up with anything more.
This is a big mistake!
Training and awareness is a continuous exercise. For professionals in cyber as well as staff who are on the periphery, it is constantly changing and evolving. Sitting one training session as part of onboarding and then having nothing more is not going to instil good working practices.
If you run a workshop, follow it up with a short drop-in session. “How are you getting on with that password manager?”. You can build a positive relationship with your audience, they will feel more supported and you can catch any bad habits early on.
At DPAS, we always work with clients to prepare infographics or “cheat sheets” that cater to their specific needs following sessions. They distil the key points down into a single side of A4 and make it visually appealing and accessible. Some people learn better from visual stimuli, so these work for those folks too.
Proof is in the pudding
Finally, take time to reflect on the performance of your own training. Your staff will perform poorly if your training is poor. The Goals & Objectives previously described are for you to measure the success of your training. If you run a password manager workshop, but after the first month nobody is using it, that says something!
Alternatively, consider outsourcing your cyber security services.