As we move into the second half of Cyber Security Awareness Month, it occurs to us that – for many organisations – a nagging question lurks: what actually is cyber security awareness?
This is an unspoken question at the heart of the annual event, which is organised in collaboration with governments and private sector organisations to educate people on the steps they can take to stay safe online.
What does it mean to stay safe online in 2022? So much of what we do in our personal and professional lives occurs over the Internet, and rarely do we think about the information security threats that we face.
Yet, it’s something that we absolutely must do. According to Verizon’s 2022 Data Breaches Investigations Report, 82% of data breaches were the result of human error.
This includes incidents in which employees expose information directly (for example, by misconfiguring databases) or by making a mistake that enables cyber criminals to access the organisation’s systems.
The importance of cyber security staff awareness
An organisation’s staff are essential to its day-to-day operations. They represent the business, deal with customers and handle sensitive data.
If they fail to adequately protect that information or violate data subject rights – which are protected by the likes of the GDPR (General Data Protection Regulation) – your organisation faces myriad problems.
This includes regulatory action and potentially sizable fines, as well as long-term reputational damage. And if customers and other stakeholders don’t trust you to handle information responsibly, they may well move to a competitor.
Meanwhile, depending on the nature of the data breach, you could suffer various forms of disruption. For example, should an employee falls for a phishing scam, their accounts could be compromised and the attacker may target other members of staff.
Similarly, employees with poor password practices could jeopardise the security of their accounts or the confidentiality of sensitive files.
Although there are technologies that can mitigate the risk, you are ultimately reliant on employees to use them appropriately and to avoid mistakes that undermine the security practices you have in place.
Cyber security training is the most effective way of educating employees on the risks they should avoid and the steps they should take if they are unsure about what to do in certain scenarios.
Cyber security awareness best practices
An effective staff awareness programme should complement the way people work rather creating rules that hinder employees’ ability to get their jobs done.
The objective is to support them in obtaining the skills and knowledge required to work, and knowing when to raise any concerns.
So what do you need to know?
- All employees at every level of the organisation should receive training
No one is immune from mistakes or from being targeted by scammers. In fact, senior employees are proportionally more likely to be targeted by scammers (with the likes of business email compromise schemes) because they represent higher-value targets.
- Training should occur multiple times a year
Staff awareness training must be performed regularly to ensure that the knowledge is embedded.
To demonstrate the importance of this, a study presented at the USENIX SOUPS security conference found that employees who went six months or more without phishing awareness training become increasingly likely to fall victim to scams.
- Consider how your employees work
What are your employees’ workflows? What obstacles do they face when performing certain activities?
Knowing the answers to these will help you understand the types of awareness training they need.
To help you do this, you should ensure people with knowledge of the local working environments are included in creating cyber security policies. These are the day-to-day rules that employees should follow in addition to the guidelines outlined in your awareness training courses.
- Don’t be overly critical when employees make mistakes
It’s tempting to strongly reprimand anyone who makes an error despite receiving awareness training. However, experts warn against this; employees are rarely motivated by fear, and it will make them less likely to report mistakes when they occur.
So although you should be strict about employees taking awareness training – and ideally these courses should come with tests to ensure that staff have understood the content – you should use errors as a learning experience.
- Look for ways to complement staff awareness training
There are also things you can do in addition to training courses to boost your staff’s understanding of cyber security.
You might consider placing posters around the office (if you are still office-based) or creating email signatures containing security tips.
Likewise, pocket guides, presentations and learning nudges provide additional ways to bolster your staff’s knowledge of cyber security.
Implementing cyber security awareness training
Here are seven tips to help you get your cyber security awareness programme started:
1. Consider your requirements
When it comes to staff awareness, the ‘one-size-fits-all’ approach isn’t appropriate for all organisations.
For your staff awareness training programme to succeed, you’ll need to first consider the diverse needs and culture of your business and tailor the training accordingly.
2. Set metrics for success
Before you implement a staff awareness programme, you need to ensure it can succeed and decide how to measure that success. This means you must decide on the metrics you will use and take measurements to determine a benchmark before you start.
3. Be thorough
Staff awareness training for the GDPR does not mean simply briefing your employees about the Regulation. Instead, it should comprise a thorough programme that ensures all employees understand your organisation’s practices and procedures for processing personal data.
4. Engage your staff
Engaging staff training is critical to your programme’s success. Incorporating thought-provoking activities will give your staff a clear understanding of the key changes introduced by the GDPR and the requirements that will affect their day-to-day work.
A common technique to make security awareness programmes more engaging for participants is ‘gamification’, which uses behavioural motivators taken from games such as rewards, competition and loss aversion.
5. Focus on behaviour, not knowledge
To change their behaviour, employees need to understand how the content applies to them in their everyday roles.
To bridge the gap between knowing and doing, it’s essential to provide your staff with context for what they are learning and realistic examples they can follow. Doing so will help foster a much-needed cultural shift in which security becomes a part of everyday operations.
6. Time it right
There may be an urgent need to train your workforce, but this doesn’t mean your awareness programme should be deployed in haste. Instead, consider a phased rollout, allowing you to meet some immediate requirements, after which you can refine and improve the programme.
7. Play the long game
For long-term success, your staff awareness programme should be an ongoing process that begins at induction and is reinforced by regular updates throughout the year and/or whenever staff-related security incidents occur.
Choosing a staff awareness training provider
Creating a staff awareness training course from scratch is a tough task, which is why many organisations choose to outsource the process.
The courses should cover a broad range of topics, including general information security best practices, the threat of phishing and GDPR compliance.
If your organisation is among those moving to remote working on a part- or full-time basis, you should also consider training courses that look specifically at the threats of home working.
IT Governance understands the importance of these courses, which is why we have included them in our Complete Staff Awareness E-learning Suite.
This package contains all nine of our e-learning programmes, which when combined with your continual awareness campaign will boost your employees’ understanding of a range of topics.
And as an annual package, you can roll courses out throughout the year to keep staff awareness as a central part of your business while avoiding the risk of overloading employees with too much training in one go.
A version of this blog was originally published on 27 May 2021.