How To Approach Training Your Employees & Maintain System Security

Monday, June 7, 2021

Read More

Post Author

Continu IT Solutions

There’s a right way and a wrong way to train employees in cyber security awareness. The wrong way approaches training as a once-a-year or semi-annual exercise in which employees are gathered in the break room with snacks and subjected to a long, or sometimes too-brief, PowerPoint presentation. This method treats employees as a passive audience and inadequately engages them. Done wrong, security training feels more like punishment than an opportunity to teach and inspire employees to be active contributors to their organization’s safety and well-being.

The wrong way also reflects a one-size-fits-all organizational mindset, which fails to take into account that people have various strengths and abilities, and respond differently to a range of methods by which training material is presented. They also have varying security awareness needs depending on their role and level of access to sensitive information within their organization. Another key flaw of the break room approach is that the impact of training gets measured in terms of attendance instead of content retention and behavior modification.

Don't overwhelm your employees with heavy training loads and be surprised when they don't retain everything!

A 2016 study of the effectiveness of security awareness training by Enterprise Management Associates, a leading IT industry analyst, reported that nearly 60% of the companies that provide such training were using less effective methods such as the break room approach (23%) and the monthly security video approach (36%). As a result, organizations tend to be disappointed by statistically low levels of improvement in behavior. That is likely to cause senior executives to dismiss the whole field of security awareness training rather than question the methods by which it is delivered.

When it’s done properly, security awareness training is parceled out in more digestible portions that expose employees to content with greater frequency and variety so it can have a deeper impact. This approach treats training more as a carrot than a stick and is interactive and role-based, making it feel more relevant and worthwhile to employees. And because it’s more challenging, it engages the minds and memories of workers much more effectively than when they are forced to passively sit through a presentation once a year or even at more regular intervals.

Remember the road to success has to start somewhere and small, incremental steps will lead you towards your goal!

Security awareness training never occurs in a cultural vacuum. So it’s advisable that an organization’s risk management department evaluate the organizational culture and adjust the messaging appropriately. For example, an authoritarian corporate environment in which employees are expected to simply follow instructions without questioning how a task fits into a broader context is likely to require more effort to modify an employee’s behavior or default responses to things like phishing emails than a culture that promotes cooperation and critical thinking and recognizes the value of getting managerial and staff buy-in for new initiatives.

How does the security training at your organization compare? Are you spending your time watching what feels like the same video over and over again, or are you giving uninspiring break room speeches to employees who aren't sure what the goal is?

If you're interested in a discussion on how to implement a program that will let you train, test and support your employees, contact us today! We would be happy to learn more about your unique situation and help you improve your organization's security.

Check out the previous post in this series, titled Why You Should Be Focusing On Your Employees Security Awareness


Check out the next post in this series, titled Becoming Less Susceptible To Social Engineering As An Organization