Contributed by Edwin Doyle, Global Security Strategist, Check Point Software. 

EXECUTIVE SUMMARY:

Cyber security lessons are a pressing need today, whether we talk about IT and financial services or other industries, like manufacturing and health care. Yet despite the importance of cyber security, there has been a notable increase in successful cyber attacks in recent years, and human error seems to be a big factor in the breaches.

Sometimes, employees fall for tried-and-tested methods, like phishing emails: for instance, in 2016, an attacker pretended to be the CEO of Snapchat to trick a company employee into emailing them payroll information. On other occasions, employees may just not be paying attention: a healthcare center in the UK revealed the private information of several hundred patients by accidentally entering their emails in the “to” field, rather than the “bcc” field. That raises a question for a different blog post about reducing the attack surface: why do employees have the admin privileges to cause damage in the first place? (Stay tuned for that one.)

Regardless of the reason, a question that employers have to ask themselves is whether or not their cyber security awareness program works. And, if not, what can be done to make the training modules memorable and actionable?

Three main reasons why employee training doesn’t work

  • It isn’t planned properly
  • It isn’t personal
  • It isn’t engaging

Here are some ways you can break down complex ideas to make the training stick:

Provide context

After you’ve planned a cyber security learning program that focuses on your target audience, the next step is to explain the relevance of the content to your employees. There are different ways in which trainers approach context. When explaining a solution, instead of simply giving the problem followed by the solution, the teacher can focus on making it about the audience.

For example, instead of saying that “all employees should consult with their supervisor before releasing sensitive information,” the instructor may say something like “phishing emails were the most common cyber security threat we encountered this year. By double-checking with a superior, each of you can reduce the chance of a successful attack by 95%.”

Share a story

Using a story as an example is another effective way of communicating context. Sometimes, the intended message gets lost in technical terms and monotonous presentation slides. A story can break this pattern, grab the attention of the listener and create something memorable for them.

When creating a story, start by making sure that it’s relevant to the course. Having small, humorous anecdotes helps to maintain a good atmosphere, but a story should also be connected to the course objectives. Besides relevance, it’s useful to have a problem-solution structure, a hook to rope in the audience and visuals that complement the text.

Use visuals

There are many reasons why visuals make sense in a training course. For visual learners, infographics, tables and charts can help them understand things faster and recall information better.

The appeal of visuals goes beyond learners who prefer them. Visuals help in bringing out the meaning in our words. For example, if you’re educating employees about a change in direction, visuals can help in showing that change.

Make it interactive 

Some employers think of cyber training classes as a way of testing employees instead of engaging them. The presentation may contain many informative slides, but it may not serve the purpose if the course takers are just spectators.

These days, there are many ways of easily making courses interactive, including online exercises and quizzes, security awareness challenges, and point systems connected to the successful completion of tasks.

Make it ongoing and evaluate the performance

Training programs should be more than something that’s done once per employee or once per year to meet compliance standards. A cyber security bootcamp isn’t only about verifying whether or not employees have learned something – it should be about communicating the uses of what they’re learning.

Finally, evaluate the implementation of your program by simply asking employees for their opinion. Create a survey that allows employees to stay anonymous and ask for their opinions at different time intervals after the training.