Cyber security is an essential component of any enterprise data management program. Despite the attention paid to cyber security, there has been a notable increase in successful cyber-attacks in recent years, and human error seems to be a big factor in many breaches.
Sometimes, the employees fall for tried-and-tested methods like phishing emails: for instance, in 2016, an attacker pretended to be the CEO of Snapchat to trick a company employee into emailing them payroll information. On other occasions, employees simply may not pay attention to their actions. For example, a sex healthcare center in the UK revealed private information of several hundred patients by accidentally entering their names and email addresses to the “to” field, rather than the “bcc” field. Actions such as these call into question how organizations can reduce simply stupid behavior, and why employees have the admin privileges to cause such damage in the first place.
Regardless of the reason, questions that employers must ask themselves include whether their cyber security awareness program works. And, if not, what can be done to make the training modules memorable and actionable? How does training in cyber security affect the performance of the organization’s approach to developing employees’ skills and competencies?
The three main reasons why employee training doesn’t work is that it isn’t planned properly, the focus is not personal, and the training delivery is not engaging. Read on for some ways to make security training resonate and improve cyber security and data management practices.
All training should be designed with the learner audience in mind. Each course development effort should start by identifying the learners – their current state of knowledge, what they need to know, and at what level of detail.
After planning a cyber security learning program that focuses on the target audience, the next step is to explain the relevance of the content to the learners – why they need to know and retain this information. Trainers and course developers have different ways to approach context, some can be more effective than others. When explaining a solution, instead of simply giving the problem followed by the solution, the teacher can focus on making it relevant to the audience.
For example, instead of saying that “All employees should consult with their supervisor before releasing sensitive information,” the instructor may say something like “Phishing emails (fraudulent communications that appear to come from a reputable source) were the most common cyber security threat we encountered this past year. By double-checking with a superior before responding to a request for information, each of you can reduce the chance of a successful attack by 95%.”
Share a story
Using a story as an example is another effective way of communicating context. Sometimes, the intended message gets lost in technical terms and monotonous presentation slides. A story can break this pattern, grab the attention of the listener, and create something memorable for them.
When creating a story, start by making sure that it’s relevant to the course and the topic. Having small, humorous anecdotes help to maintain a good atmosphere, but a learning story should be connected to the course objectives. Besides relevance, the story should have a problem-solution structure, a hook to rope in the audience, and visuals that complement the text. A story tends to have more depth than a simple example. A story tells about some event, includes some individuals, and describes something that happens to them that reinforces the point. Remembering a list of isolated concepts and definitions can be difficult but recalling the flow and important points of a relevant story can make it easier for learners to relate the concepts to real life.
There are many reasons why visuals make sense in a training course. Especially for visual learners, content such as infographics, tables and charts can help improve understanding and enable faster and more complete recall of important information.
The appeal of visuals goes beyond learners who prefer them. Visuals help in bringing out the meaning in words. For example, when educating employees about a change in a process, visuals can help in showing that change, the methods used to develop that change, and steps to take in implementing it properly.
Learners can demonstrate what they have learned by sharing and presenting the information visually in the class, with constructive critique from the instructor and other learners.
Make it interactive
Some employers think of cyber training classes as a way of testing employees instead of engaging them. The presentation may contain many informative slides, but it may not serve the purpose if the course takers are just spectators – not real learners.
However, there are many ways of easily making courses interactive, including online exercises and quizzes, security awareness challenges, and point systems connected to the successful completion of tasks. Interactive teaching makes the learners part of the instructional process, actively involving them in the learning experience. Group exercises, brainstorming sessions, active quizzes are all ways to engage learners and reinforce the concepts and practices being taught.
Make it ongoing and evaluate the performance
Training programs should be more than something that’s done once per employee or year to meet compliance standards. A cyber security bootcamp should not just verify if employees have learned something – it should explain the uses of what they’re learning. Also, it is imperative to evaluate the implementation of the training program by simply asking employees for their opinion. Create a survey that allows employees to stay anonymous and ask for their opinion at different time intervals after the training. Doing so provides information about what to re-teach, what concepts were retained, and the teaching methods that produced the desired results.
To be effective, cyber security training must be planned properly, focus on the learner, and be engaging. Adopting these suggestions can help cyber security training resonate with the staff and improve cyber security practices at any organization.