When it comes to cyber security, everyone and anyone is at risk. So, avoiding cyber threats needs to be a company-wide mission, no matter your role. All it takes is one click, one lapse of judgement – so if any employee is not clued up on the latest policies, processes, and general how-to on cyber security, it could leave an organisation open to all manner of threats, from data hacking to theft, argues Emma Doyley.
In the UK this year, 31 percent of businesses reported suffering a cyber security breach or attack at least once per week. One of the best forms of defence is employee training and education, as this is the key to building better behaviours around cyber safety amongst employees.
The topic of cyber security can often be daunting and intimidating to employees, so it is important that training presents information in the clearest way possible, and is delivered in easily digestible terms.
Approaching the subject
Employees should receive a comprehensive education on every facet of cyber security awareness – including phishing, ransomware, data privacy, internet security, password management and authentication processes.
However, it would be ineffective to try and squeeze all of these topics into one training session. This would only enable you to scratch the surface of each area and with the sheer amount of information this would need to cover, it could also be overwhelming to employees.
A more effective approach is to build a cybersecurity online training programme with smaller sessions, each dedicated to covering a single topic. Offering short but frequent online training sessions that break topics down into bitesize chunks will keep employees engaged and will also be time efficient.
Using an online training platform gives employees the flexibility to attend sessions from wherever is most convenient to them and will allow them to easily monitor their progress. Ensuring that online training sessions are recorded will also offer the chance for employees to go back to topics that they may still be unsure of.
You can also work with a cyber security team to translate an organisation’s policies into layman’s terms, which will allow employees to understand and digest them, then have time to ask any questions or raise any concerns they may have. Cyber security training should be carefully considered and is not something that should be rushed through in order to tick a box.
Along with this, training sessions should be a positive and engaging experience for employees. With such busy schedules some employees may be reluctant to spend working hours on training sessions.
Ensure that you create a positive and productive training plan that is worthwhile. If information is delivered in a dull way, it should not come as a shock that information won’t be retained.
Create an engaging training plan
So, create an energetic training plan that will engage employees – use visual examples, such as gamification and have a diverse mix of content to accommodate different working styles. It’s also important to ensure there is still a social element to any online cyber training – get employees involved in discussions, encourage people to turn their cameras on and create easy educational games that everyone can get involved in.
Essentially, avoid simply reading from a script and make the education around cyber security a social one. This, in turn, will mean employees are more likely to absorb the information, and therefore your business stands in better stead to mitigate cyber security threats.
Following from this, establish these training sessions as a way of improving upon current systems, as opposed to tearing them down. It is human nature to react defensively when critiqued, so it is important not to tear employees down or criticise methods of working. Approaching cyber security training by beginning with what individuals or teams are doing wrong is not conducive to effective training. It should be an opportunity to work together, making employees aware of how they can do their part and discovering defence mechanisms that best fit your business.
Employees will not leave training sessions with a proactive mindset if they feel their hard work is not valued. You should recognise what teams are doing well, but ensure they understand that some cyber threats are not usually down to the fault of an individual and assert the point that the team must work as a unit to combat these threats.
Maintaining awareness around cyber security
Once regular training has started to take place, it is important to keep on top of it. It is not enough to simply run a training course as part of an onboarding process and then never mention any of these issues again. While it is exciting that technology is ever-changing and expanding, this also means there is always a risk of new threats. To keep on top of the latest methods fraudsters and hackers are using, it is a business’s responsibility to ensure its employees are aware of these risks and know how to deal with them.
For instance, as hybrid working has become a permanent fixture of working life, this has also brought along new possibilities for data exploitation. With the growing number of smart devices used on a daily basis at home, employees possibly using unvetted software and hardware for work, and without the security protections that office systems afford us, organisations are far more vulnerable to data breaches.
Data released by the UN reveals that cybercrime, which includes everything from theft to data hacking, increased 600 percent as a result of the COVID-19 pandemic. Giving employees up-to-date and frequent training on the cyber security themes that are occurring should give them a good chance of spotting signs early before any harm is done. Creating a consistent conversation around the topic eliminates future threats and will assert its importance.
Within a business, the reduction of cyber security threats needs to be a team effort. Businesses should take responsibility in providing informative and positive training sessions, ensuring all employees attend, regardless of seniority – as this is an issue that can affect all levels of a business and therefore everyone must play their part.
Amelia Brand is the Editor for HRreview, and host of the HR in Review podcast series. With a Master’s degree in Legal and Political Theory, her particular interests within HR include employment law, DE&I, and wellbeing within the workplace. Prior to working with HRreview, Amelia was Sub-Editor of a magazine, and Editor of the Environmental Justice Project at the University College London, writing and overseeing articles into UCL’s weekly newsletter. Her previous academic work has focused on philosophy, politics and law, with a special focus on how artificial intelligence will feature in the future.