Cybersecurity training is a strange beast. Doing it wrong can be almost as bad as not doing it at all.
This article gives some tips on how to train people in cybersecurity awareness and keep your organisation safe.

Do be relatable
If an employee leaves the training thinking, “Why should I care?” then we’re doing something wrong.
Online safety is applicable to everyone who uses the internet. Which is to say, very nearly everyone.

Instead of telling people to keep their work emails from being hacked, frame it as a way they can stay safe online.
A decent training package could save us months of worry in our personal lives as well. (If you don’t believe this, just ask anyone who’s had their email hacked).
Cybersecurity training is like learning to cook: it’s an essential life skill even if you don’t use it for work. Make sure your audience knows that.
Don’t excessively use fear
Cybersecurity is a scary subject, and workers need to know what can happen if things go wrong.
However, fear should never be the main way to motivate people. The goal should always be empowering them to outsmart criminals.

Fighting cybercrime can be as easy as using strong, unique passwords, learning about common scams, and turning on two-factor authentication (2FA).
You don’t have to be a computer genius to learn this stuff: you just have to be open to asking questions and taking advice.
Training sessions which rely on fear are counterproductive. People start seeing cybersecurity as an impenetrable subject, criminals as invincible, and security itself as impossible. Absolutely none of this is true.

Do be accessible (not boring)
Imagine you’re an inexperienced user who reads the following:
Although cyber-attacks such as ransomware receive a disproportionate amount of media attention, basic attacks (such as phishing) can be the most dangerous to an SME. This is because low-skill threat actors are more common than high-skill ones, and they tend to attack soft targets.

Even if you know what these terms mean, by the end of the paragraph your eyes probably glazed over.
It’s the same for the people we’re teaching. Instead of using terms like “cyber-attack” or “social engineering”, say “hack” or “trick”. If a term does need to be defined, give an example.
“So hands up, who’s ever had a dodgy call from a scammer. Alright, pretty much everyone. Whenever we get a dodgy phone call or a scam email, they’re usually trying to trick us into doing something we shouldn’t. This is called social engineering, and it’s really common.”

Don’t assume prior knowledge
Basic computer skills might feel like second nature to a lot of people, but the truth is they’ve been refined over years of practice. Even something simple, like writing an email, would be downright alien to someone who hasn’t used a laptop before.
Obviously, people have to be able to use a computer for work tasks, otherwise they wouldn’t be taking our courses. But it shouldn’t be assumed that your trainees know anything more than that.
Start with the bare basics and then work your way up. It’s always better to start too easy than too hard.
Do be accurate
This sounds like an obvious one, but you’d be surprised how many sessions give bad advice. Even some government training still tells people to change their passwords regularly.
(The only reasons to change a password are that it’s weak, stolen, or reused. Forcing people to change passwords every few months does nothing to keep them secure and creates more confusion: people respond by making small, predictable edits to the old one, such as bumping a number on the end. Both the UK’s NCSC and the US NIST now advise against routine password expiry for exactly this reason).
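To make the “weak, stolen, or reused” rule concrete, here is a small worked example that is not part of the original article. It checks a password against a breach list the way the Have I Been Pwned “Pwned Passwords” range API does (the client sends only the first five hex characters of the password’s SHA-1 and matches the rest locally, so the full hash never leaves the machine), then reports the reasons a change is needed. The breach corpus, the tiny common-password list and the 12-character minimum are all constructed assumptions for the example; a real deployment would query https://api.pwnedpasswords.com/range/ and use a proper wordlist. Notice that the age of the password is deliberately not one of the triggers.

```python
import hashlib
from typing import Callable, Dict, List


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form used by Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- "Server" side -----------------------------------------------------------
# Constructed breach corpus (password -> times seen in breaches). It stands in
# for the real Pwned Passwords dataset so that the example runs offline.
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "password": 3,
    "123456": 5,
    "letmein": 2,
    "Winter2023!": 1,
}


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Bucket hashes by their first 5 hex digits; each bucket holds 'SUFFIX:COUNT' lines."""
    index: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


def range_lookup(index: Dict[str, List[str]], prefix: str) -> str:
    """Simulated /range/{prefix} endpoint: the server only ever sees the 5-char prefix."""
    return "\n".join(index.get(prefix.upper(), []))


# --- Client side ---------------------------------------------------------------
def breach_count(password: str, query: Callable[[str], str]) -> int:
    """k-anonymity check: send the prefix, match the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip() == suffix:
            return int(count)
    return 0


# Tiny stand-in for a proper common-password list (assumption for this example).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
MIN_LENGTH = 12  # assumed policy value, not from the article


def change_reasons(password: str, used_elsewhere: bool,
                   query: Callable[[str], str]) -> List[str]:
    """Return the reasons a password should be changed: weak, stolen, or reused.

    What is missing is the point: time since the last change is not a trigger.
    """
    reasons: List[str] = []
    if len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS:
        reasons.append("weak")
    if breach_count(password, query) > 0:
        reasons.append("stolen")
    if used_elsewhere:
        reasons.append("reused")
    return reasons


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    query = lambda prefix: range_lookup(index, prefix)
    samples = [("password", False), ("Winter2023!", True),
               ("correct-horse-battery-staple", False)]
    for pw, reused in samples:
        print(pw, "->", change_reasons(pw, reused, query) or ["no change needed"])
```

Running it shows “password” flagged as weak and stolen, “Winter2023!” as weak, stolen and reused, and the long unique passphrase as needing no change at all, however old it is.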

It also helps if we know more about the subject than what we’re delivering. People can ask some tricky questions, and when this happens, trainers need to be confident enough to answer.
With 95% of hacks caused by workers making mistakes, it’s more important than ever to train our employees. That’s why we made Toffee: a fun, all-in-one training package designed with you in mind.