Contributed by Edwin Doyle, Global Security Strategist, Check Point Software.
Cyber security training is often cited as integral to business continuity. Research shows that businesses and government agencies, including law enforcement, are prioritizing it. However, there is one aspect of cyber security training that we need to hear more about: what employees think about it. Cyber security training courses are only useful if the trainees get value out of them.
Research on what employees think about cyber security training shows some interesting results. One such study, by the University of Massachusetts (UMASS), surveyed 800 respondents from across the US. The study found that while cyber security classes will involve more effective, shorter modules, about one-third of employees don’t find these classes to be engaging and/or memorable. Similarly, a large number of employees don’t believe their organization provides easy access to cyber security-related support and guidance or has a clearly defined process for reporting breaches.
The specific reasons for ineffective training can vary from organization to organization, but there are some underlying patterns. Here are two of the main reasons why employees feel their cyber security training falls short:
The training is too broad
One problem is that the training program is not specific enough. Unfortunately, some training staff believe a broad training program allows them to cover more material. In some cases, ‘planning fatigue’ can be an issue. Instead of taking the time to provide more in-depth information, the planners will take the less time-consuming path, resulting in a general, high-level training program.
Training that lacks specificity poses a problem because it can ‘turn off’ employees, who otherwise may have been eager to learn best practices and to avoid functioning as the central figure in a successful phishing or ransomware exploit.
The planners and trainers aren’t qualified
To create a cyber security course, you not only need the input of the IT department, but you also need people who understand teaching. If the program is only designed by subject matter experts, the end product may have all the required information, but the presentations may fail to make an impression on the employees.
So, what’s the solution? And how can employees help in getting the program they need?
The most effective way to obtain employee feedback is to conduct a cyber security bootcamp. This involves in-person focus sessions where employees are free to communicate their opinions and experience. If face-to-face sessions are not possible, then surveys or even a suggestion box can be used.
If the program clearly needs improvement, employees should be encouraged to articulate their concerns in a solution-oriented way. For example, if the course wasn’t interactive or engaging, employees can ask management to hire an industrial/organizational psychologist to work with the IT department on course design. I/O psychologists specialize in examining cyber security functions for the different employees working across an organization.
Another suggestion is to perform a gap analysis before creating the training program. This type of analysis helps in determining the skills and attitudes of the employees versus the skills and attitudes required for the job. Through gap analysis, the company can learn how to provide more specific information.
Oftentimes, companies fail to follow up with employees. This failure to measure the effectiveness of training can prove costly, especially if there isn’t a reduction in cyber security-related losses. If this is the case, then management can adopt a reward and recognition system. The rewards can range from encouragement and symbolic rewards to tangible rewards (bonus, promotion, etc.).
In Conclusion
Cyber security incidents have increased significantly in the past few years. Recently, cyber attacks on global healthcare organizations have increased at more than double the rate of attacks on other sectors, with a 45% increase all-around as compared to 22% within other industry verticals. In healthcare environments and other ecosystems alike, employees are frontline workers when it comes to preventing cyber attacks. Taking the time to train your employees in a way that is engaging and effective can save your enterprise time and resources in the long term.