Cybersecurity Training: How Effective is Training?
Cybersecurity training for end users is one of the hottest topics of the last five years, with demand increasing year over year in both the public and private sectors.
If you Google “cybersecurity training” your results list will likely exceed twenty million different sources from a variety of organizations in the .edu, .gov, .org, and .com realms. Everyone has joined in on the trend, but how effective is training?
While there is no shortage of training materials and vendors, there is a shortage of quality training materials: ones that will leave lasting impressions on your employees the way you can remember a great commercial or song for years. When was the last time a memory of your Information Technology security training randomly popped into your head? If you are like me, then this has never happened to you. This is why I think it is important to take another look at how we structure training. Here are some common tips that you receive in training:
- Don’t click on suspicious links
- Don’t open attachments from an untrusted source
- Learn to recognize phishing scams
- Make sure your antivirus software is up-to-date
- Patch your systems
Everyone’s cybersecurity training covers these issues, yet the bad guys continue to successfully use basic tricks to fool end users. How is this possible?!
Employees know how to stop cyber attacks, but often fail to apply the knowledge they learned in training. Users fail to recall their training. It wasn’t memorable. It did not lead to a change in behaviors. We need to make training POP. Make training stay with users for more than five minutes. For several ideas on how to make your training stick, please check out https://www.dhs.gov/cybersecurity/tips_for_training.
The other reason employees may make bad decisions is a lack of enforcement of standards. How often do users take into consideration that there could be a repercussion for what they are about to do with their keyboard or mouse? How many times a day do your employees stick a finger in an electrical outlet? Hmmm, shocking. Literally. Could it possibly be because they know exactly what would happen?
Restructuring the cybersecurity training format to keep the usual training checklist, while also emphasizing the enforcement of standards and including some entertainment, would help employees gain a lasting understanding of cybersecurity. That way, training will resonate in employees’ minds for longer than five minutes after training.