Cybersecurity Training: Who, What, When, Where, and Why
The role employees and others with access to your network play in cybersecurity can’t be overstated. Just one click on one link in a malicious email or web page can lead to a major cybersecurity breach. Comprehensive, ongoing cybersecurity training is crucial to keeping your network users aware of current and emerging cyber risks and informed about how they can help protect your organization.
Let’s look at the who, what, when, where, and why of cybersecurity training.
Who
- Include all stakeholders. That means every employee and board member as well as any volunteers, members, and others with access to your network, including via Wi-Fi. Consider holding a special seminar for non-employees.
- Leadership involvement is key. A culture of security starts at the top. That means every member of your leadership team should attend the training, sit in the front row, and actively participate.
- Select the trainers carefully. It may seem like a member of your IT team would be the best choice to lead cybersecurity training, but that isn’t necessarily the case. IT personnel are often too busy working on the daily issues that crop up to focus on current threats and developments. They also might use “tech speak” that won’t be easily understood by the audience. Choose someone who understands the cyber risks and issues and has strong teaching and presenting skills.

What
- Keep the training simple and direct. Use clear language.
- Ensure attendees understand the important role they all play in protecting your organization. Stress that just one click can infect your whole system, and illustrate the point with real-life examples of breaches caused by an unsuspecting employee.
- Expect limited cyber vocabulary. Be sure to explain terms such as phishing, vulnerabilities, malware, and ransomware.
- Make sure attendees understand:
- Discuss new threats, how they could affect your organization, and what to watch for.
- Provide real-world examples of cyber attacks and breaches.
- Consider conducting a phishing test beforehand, sharing the results during the training, and retesting a few weeks later. Some organizations reward those who pass the test with a pizza party or the option to wear jeans to work one day.

When
- New threats emerge continually, so it’s important to hold training often, perhaps quarterly. Consider augmenting this by sharing quick tips on a monthly basis to help keep cybersecurity top of mind.
- Document attendance to make sure all employees receive training. Have an option for those who have to miss the session, such as a repeat date or recording.
- Make sure new employees receive cybersecurity training as part of the onboarding process, perhaps through a face-to-face meeting with your information security officer. New employee training should include:
  - Review of your organization’s tech usage and cybersecurity policies
  - Information on current and emerging cyber risks

Where
- In-person training tends to be more effective at limiting phishing risks.
- A webinar can be a good option if attendees are in multiple locations or timing is a challenge. Be sure to stress the importance of watching the webinar.

Why
- We’re all overloaded with too many emails, texts, and more. This can make it hard to spot warning signs or suspicious activity.
- Even with the best controls in place, humans are susceptible to phishing, social engineering, and other threats.
- New threats emerge constantly. Ongoing cybersecurity training is vital to keeping all your network users apprised of current threats.
Lisa is a partner at CapinTech. She uses her more than 30 years of experience to assist organizations in implementing measures to secure data and manage risks efficiently and effectively. She is a nationally recognized speaker and author, and serves on the AICPA Cybersecurity Task Force. Lisa founded Traina & Associates in 1999 to provide IS security services to a broad range of industries. Traina & Associates joined CapinCrouse in January 2017 and is now CapinTech.