Cyber Risk Aware Blog

Top 10 Most Common Cyber Security Awareness Training Programme Mistakes (and how to fix them)

[fa icon="calendar"] 06-Feb-2018 11:00:00 / by Stephen Burke

Stephen Burke

Cyber-security education and awareness programs are an indispensable part of a balanced corporate security strategy. These programs equip staff with the tools that they need to be part of an overall security solution.

Yet, if these programs are not properly implemented, they squander the opportunity to prepare a competent workforce to identify, escalate, and help mitigate threats and vulnerabilities.

With an ever-evolving cyber threat landscape, course correcting the following pitfalls can mean the difference between a comprehensive training program, and a check-the-box solution that completely misses the mark.

1: Training only to YOUR limits

Information security best practices should not be curtailed by the limitations of your organisation. If your systems are not yet set up for two-factor authentication, or with minimum password requirements, that doesn’t signify that staff shouldn’t be taught how best to protect accounts where those features are available. Let it be known that a system, no matter how outdated, should never dictate the minimum requirements we ourselves can implement. Strive to do more and train staff ready to do the same.

2: Not seeing the wood for the tree’s

While corporate compliance requirements are a starting point for information security training, they are only part of the puzzle. In order for Information Security learnings to seep down to an end-user level, they need to be related  back to the individual. It isn’t enough to deliver statistics of corporate losses, without providing an understanding of risk to the individual data holder.

3. Wearing Corporate Blinkers

Uniform dual-coloured corporate posters, all in Arial 12 font, may serve a purpose, but in Information Security awareness and education, they can only ever be a disservice. Research has shown that complex fonts promote better retention of information. And vibrant colours, infographics, and creative delivery of material all serve to capture the attention and imagination of staff. Think outside the box. Incorporate gamification, videos, and social engineering testing in order to keep staff interested and engaged.

4: Pandering to Naysayers

Information security detractors can be found at every level of an organisation, and none are more dangerous than those in power. Placating Legal or HR leadership can be a slippery slope to losing momentum. Get leadership on board to be part of the solution, and to set a positive example for staff. Through education, training, and simulation, show them what’s at risk, and how important it is for them to be on board. Give them a role in Incident Response and keep them informed as to existing security risks but be sure they understand where accountability lies.

5: Doomed in the Details

Expensive monitoring, software, and firewall programs will only ever be part of an overall security solution. Understanding defence in depth means putting resources behind every endpoint. End-users need reminders of bread and butter security practices, whether it’s to think before they click, understand wireless network security, mobile security, or just lock their screen when not in use. So, while communicating the next malware threat is relevant, so is practising the fundamentals.

6: Not preparing for the real world

Rose-coloured glasses will never protect us from cyber threats. In an effort to maintain the status-quo, many organisations bury security incidents and vulnerabilities, even from their own leadership. This creates a false sense of security and ill-equips people to handle risk in the real world. Be responsible and balanced in sharing information.

7. Fear Mongering

If every training exercise focuses only on worse case scenarios, trainees may begin to believe in the inevitability of a security incident. And if you can’t prevent the inevitable… why train for it? Focus instead on the importance of their vigilance, and the difference that they can each make by securing the perimeter and reporting on threats.

8. Blame Game

There are organisations that hang their hat on the pervasiveness of insider threats, viewing their staff only as a risk without any redeeming qualities. But they fail to ask themselves if they’ve provided the staff with adequate security policies and procedures, made solutions like a password keeper or self-service tool available, or created a security culture where staff would feel comfortable escalating concerns. Remember, a trained workforce is an asset to the security team.

9. Over-Simplifying

Cyber security training programs that are limited to reiterating hackneyed concepts like “hackers are bad”, do a disservice to their staff. Understanding the nuance of threat actors and their targets, and the complexities of the international struggle to maintain IT security, prepare individuals for ever-changing threats.

10. Not asking for help

Organisations of all sizes may find themselves limited at some point or another, in terms of delivering content and resources to staff. Keeping material varied and relevant can be trying, but with the support of external security professionals, the tools to deliver cyber security awareness training can be found.

Topics: Phishing Simulation, security awareness training

Stephen Burke

Written by Stephen Burke