One simple secret for boosting employee cybersecurity awareness

What’s the secret for better cybersecurity? TRAINING.

What, you want to know more? OK.

Training the right way

There’s a right way and a wrong way for IT companies to do user training. The right way is to get employees to care about network security and develop habits that will stick with them, whether they’re using cloud services or on-premises systems. The wrong way? Well, there are lots of wrong ways to train people. Let’s get a few of them out of the way.

  • Making it something everyone has to do and then forget about. A lot of bad employee training courses are like this. People learn to give the right answers. It doesn’t matter why they’re right; giving them means you’re allowed to get back to work. “Giving the approved answer 101” is a worthless course.
  • Treating the course as punishment. This is more a matter of how people are assigned to take the course than the material itself. If employees have to take the course only after they’ve been caught making a mistake, it becomes a form of detention. Everyone should take the course, preferably before they make dangerous mistakes. Even the CEO. Especially the CEO. Who do you think is the top target?
  • Insulting the employees’ intelligence. When the trainers know all about how to motivate employees but nothing about computer security, it shows. No matter how many clever illustrations and games they come up with, a course without useful content is a waste of everyone’s time.

What training aims for

What’s the right way, then? The best way to answer that is to think about what training is supposed to accomplish. Here’s a common scenario. An employee gets an email that says, “URGENT! Your access is being suspended for security reasons. To reinstate it, please click on this link and enter your username and password. Take care of this right away so you won’t lose your access to cloud services.”

The untrained or badly trained employee will think, “Uh-oh. I’d better deal with this right now.” They’ll proceed to click on the link and give away an important password.

With a well-trained employee, certain habits will kick in immediately. They’ll think: “Someone wants my password? Who? Why? What’s so urgent about it? I’d better be careful here. I can ask my boss or IT support if this is something I should really do.”

“Habit” is the key word. It’s not enough to learn the right security practices and be able to recite them. They have to come to mind automatically when they’re needed.

How to develop security-oriented habits

To instill cyber awareness habits, training has to be a matter of doing, not just listening. It has to present realistic examples. Employees have to understand what can happen when things go wrong. Knowing how embarrassing it would be to stupidly unleash ransomware on the whole company can be a more powerful motivation than the threat of termination.

This doesn’t mean the training should consist of nothing but boring exercises. Good trainers know how to keep people engaged and instill good habits at the same time. If people don’t care, they won’t learn.

Following up

Training can’t be just a one-time thing that’s separate from work. Follow-up to make sure people do what they’ve learned is a vital part. It isn’t just a matter of making sure the employees have learned well. It’s a matter of making sure the trainers have taught well! If people don’t learn, blaming them doesn’t accomplish much. Finding a better way to teach them is the point.

To keep good habits up, keep employees on their toes. Send out an occasional phishing email to your own people. Have it lead to a page that says, “Congratulations! You’ve just installed an evil virus on your computer! Not really, but …” Find out who clicks on the link, and have their supervisors talk with them.

Making one mistake shouldn’t be a big deal, but if an employee repeatedly messes up, it’s necessary to do something. Extra supervision for a while may be enough. In extreme cases, the only answer may be to restrict the person’s access or move them to a position that doesn’t require as much responsibility.
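As an added example that is not part of the original post: a small Python script that turns a constructed log from an internal phishing simulation into the two numbers the follow-up above needs, the click rate for each campaign and the list of employees who clicked in more than one campaign. The log format (campaign, employee, action) is an assumption, not any particular tool's output.

```python
"""Summarise internal phishing-simulation results for follow-up (added example)."""
from collections import defaultdict

# Constructed sample log: one event per line, "<campaign> <employee> <action>",
# where action is sent, clicked, submitted (entered credentials) or reported.
SAMPLE_LOG = """\
2024-03 alice sent
2024-03 alice reported
2024-03 bob sent
2024-03 bob clicked
2024-03 carol sent
2024-03 carol clicked
2024-03 carol submitted
2024-06 alice sent
2024-06 bob sent
2024-06 bob clicked
2024-06 carol sent
2024-06 carol reported
"""

FELL_FOR_IT = ("clicked", "submitted")  # either counts as a failed test


def parse_events(text):
    """Return a list of (campaign, employee, action) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            events.append(tuple(parts))
    return events


def campaign_click_rate(events, campaign):
    """Fraction of employees who received the campaign email and fell for it."""
    sent = {e for c, e, a in events if c == campaign and a == "sent"}
    fell = {e for c, e, a in events if c == campaign and a in FELL_FOR_IT}
    return len(fell & sent) / len(sent) if sent else 0.0


def repeat_clickers(events, threshold=2):
    """Employees who fell for at least `threshold` distinct campaigns: the
    'repeatedly messes up' case that calls for extra supervision."""
    campaigns = defaultdict(set)
    for c, e, a in events:
        if a in FELL_FOR_IT:
            campaigns[e].add(c)
    return sorted(e for e, cs in campaigns.items() if len(cs) >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for camp in sorted({c for c, _, _ in evs}):
        print(f"{camp}: click rate {campaign_click_rate(evs, camp):.0%}")
    print("repeat clickers:", repeat_clickers(evs))
```

A single click shows up only in the campaign rate; an employee appears in the repeat list only after failing in two separate campaigns, matching the policy that one mistake is not a big deal.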

Courses can’t just be a one-time thing. The threats companies face keep changing. People forget if they aren’t reminded now and then. Follow-up training once a year will help people to stay aware that there are nasty people out there who would love to get into the company’s systems.

At Kotori, we do user training right. We’ll help your employees to learn what they need to know and develop the habits to keep your business safe. Get in touch with us to learn how our training can fit your company.
