How To Turn Your Employees Into A Massive Firewall: Security Awareness Training (In Bite-Size Pieces)

May 2017: Companies are spending massive amounts of money figuring out how to stop hackers from infiltrating their businesses. And they’re spending most of it on the latest tools, firewalls, intrusion-prevention systems, and antivirus software.

On the other hand, cybercriminals are spending most of their efforts on the non-technical end — figuring out how to hack employees! So companies need to invest in the latest security awareness training. Well-trained employees deliver one of the most powerful firewalls money can buy. Here’s how to do it the not-boring way:

Social engineering scammers trick employees into giving them what they need to infiltrate company networks. They pull off successful scams using email phishing, social media, employee profiling, cookie searches, and other techniques. They’re constantly coming up with new and better ways, so if your employees don’t know what’s new, they make great victims.

For example, do your employees ever talk about business at a restaurant or subway stop? Use personal cloud apps for business now and then? Get distracted by their phones and ignore their laptops and briefcases while they’re out and about?

These seem like little things but they’re among the types of things that feed the hacking frenzy. Yes, hackers really do target specific individuals because of the place they work. And the place they work may not even be the target — it could be a larger company that the targeted company does business with. Symantec’s newly released annual threat report finds that emails with a malicious link or attachment are at a five-year high, and the proliferation of cloud apps is making it difficult for companies to keep up with security policies. Now that internet privacy rules have loosened, a whole new range of opportunities to hack people may have just popped up.

E-learning makes training fun (really)

The best, most engaging security training is taking place online — PowerPoints and stapled handouts are so yesterday. E-learning is interactive, customizable, and delivered in bite-size topic modules so it’s easier and more rewarding to move through the materials. Games and contests make it interesting while they test knowledge. And if the training is adaptive (the best kind), it will provide more material in areas where employees are showing weaknesses and less where they’re showing proficiencies. Who wants to be bored or overwhelmed?

Adaptive training is especially effective for cybersecurity issues. Security awareness is a big topic that covers a lot of different areas, both within a business and outside of it. Training modules can be chosen (and prioritized) for each type of employee and the situations they may encounter, and employees can complete the modules when it works for their own schedules. Completing a few training modules during the week is a lot less intrusive than attending a workshop. If the material is relevant and they’re enjoying themselves, they’ll like it better and retain more of the material.

In-house or outsourced?

Every size company needs security awareness training, whether it’s a two-person shop or a huge enterprise. Some companies do a good job of managing security training in-house — if yours is one of these, congratulations! However, most companies struggle to pull it off because it’s tough to keep material fresh and employees interested. And with security issues specifically, it’s a challenge to have enough time to update and cover each topic adequately. Some companies that have enough resources develop their own in-house e-learning programs even though it’s time-consuming, but if the end product isn’t high quality and engaging, employees won’t like it.

Companies like SANS, Inspired eLearning, Rapid7, Kaspersky, The Center for Information Security Awareness — and training powerhouses like Udemy — offer good options for outsourced security awareness training without the need for a training consultant. Within their on-demand modules (or in addition to them), lessons may include:

  • Games with timers, contests and prizes
  • Live evening sessions
  • Daytime simulcasts
  • Real-time access to instructors
  • Virtual labs
  • Cybersafety games
  • Simulations, like phishing and cyber attacks
  • On-demand videos

For the best results, make security practices part of performance tracking

If you tie security practices to getting a raise, guess what happens to motivation? Good HR plans include a continuous learning program that integrates actual security practices into performance tracking. This is especially useful for companies in regulated industries — having mastered security awareness training materials is part of being in compliance.

Leapfrog helps clients keep their networks and systems secure, but there’s only so much IT can do on its own. People are more often the first line of defense against cyberattacks, which is why we help our clients get the training they need to identify risks and scams. Soon, Leapfrog will be launching security awareness training modules for our clients in conjunction with our training partners, complete with scoring so our clients can meet their compliance requirements. Feel free to contact us about this or any issue related to cybersecurity or IT training, including software training. We’re here to help keep you informed and your IT secure.
