Organisations are facing increased threats from cyber attacks, and employees are often the weakest link in their defence posture. As much as you might hope that common sense would prevail, the reality is that best practices can often go in one ear and out the other. Employees who aren’t properly across cyber security can often inadvertently open the doors of the organisation to an attack.
As cyber attacks become more prevalent and sophisticated, it is increasingly important for organisations to build their defences from the inside out, beginning with employees. Employee training in cyber security is a critical and necessary step for organisations to take. How do you engage employees from all departments and levels to learn about cyber security, a threat that can feel so far removed from their day-to-day role within the business?
Raising employee awareness of cyber security needs to shift from reactive to preventative, with more regular measures taken to update staff on best practices and risk assessment. A survey from IT industry association CompTIA found that businesses are pursuing a variety of methods for improving their security capabilities, including offering security training (37%) and certification (28%) for current employees.
Depending on an organisation’s culture, employee training may take different forms, from online courses to incentivising employees through the practice of “gamifying” cyber security education.
‘Gamifying’ cyber training
Designed with elements of friendly competition and reward, gamification programs that use gaming mechanics in a non-gaming context are becoming popular across a number of industries as a more approachable and engaging means of teaching cyber security practices.
Many organisations already use gaming elements, including one-on-one competitions and rewards programs, in other business areas. Organisations can extend their use of gamification practices to address cyber security by revitalising training programs so they are more exciting and engaging for employees, regardless of their technical know-how or background knowledge.
Global consulting firm PwC, for example, teaches cyber security through its Game of Threats wherein executives compete against one another in real-world cyber security situations, playing as either attackers or defenders. Attackers choose the tactics, methods, and skills of attack, while defenders must develop strategies and invest in the right technologies and talent to respond to the attack.
It’s a playful approach but an effective one insomuch as it gives executives an understanding of how to prepare for and react to threats, how prepared the company is, and a respect for what their cyber security teams face each day.
Gamification can also take the shape of offering rewards and incentives to employees. Given that most breaches are the result of human error, such as opening a phishing email, companies should reward those employees who follow security procedures and adhere to good cyber governance, which will further promote good behaviour.
The aim in all of this is not to single people out, but rather to build a culture of cyber awareness, through a healthy rivalry across the organisation, instead of creating scare tactics that leave employees feeling demoralised and unmotivated.
Upskilling with courses
Education is a cornerstone to understanding any new or emerging field. Security awareness training is no different: at the heart of any cyber security training within an organisation is educational programs to teach employees more about their data and device responsibilities.
Coordinating regular “lunch-and-learns”, implementing regular training videos, and arranging hands-on training activities should all become part of ongoing initiatives to drive an effective cyber security education campaign.
For employees who perhaps require or are interested in receiving a more in-depth approach to cyber security, enrolling in a course is perhaps the best option. Online courses are a great option for time-poor executives looking to cover the basics of cyber security without having to interfere with their personal or professional lives. RMIT Online recently partnered with Palo Alto Networks and NAB to offer a cyber security course that aims to arm all levels of an organisation with a fundamental understanding of good cyber governance to help prevent and mitigate breaches.
By encouraging employees to enrol in a course like this, they can walk away with an understanding of security risks and can then make informed decisions for their key stakeholders. Furthermore, learning new skills, particularly in an area like security that’s bound to continue impacting work and personal lives, is a tried-and-tested means of advancing one’s career path.
Upskilling is an invaluable tool to help people grasp new concepts while also improving their future job prospects. There are a number of different options within the education space, from covering employees’ expenses to enrol in online courses at credible universities like RMIT Online to internal training programs, that can be put into place to ensure employees are receiving adequate training.
A sustainable security approach
Perhaps most critical to ensuring employees are across cyber processes is taking a top-down approach. An organisation’s leaders should lead by example and embrace a cyber-secure culture to inspire employees to do the same. After all, if the C-suite doesn’t appear to take cyber security seriously, why should anyone at the company?
Eliminating cyber risks in any business is an ongoing process, but it can be managed. The best way to figure out how to make cyber security practices resonate with employees is through trial and error. Learn from what works - or what doesn’t work - and reassess your company’s training tactics as needed.
We need to foster a way for employees to call out where they question something and re-educate as needed. If employees walk away from the security awareness program questioning before they click on something malicious, you have moved the needle towards being more secure.
Sean Duca is the VP & regional chief security officer of APJ at Palo Alto Networks.