There’s a Big Difference Between Good and Bad Cyber Security Training

Good cyber security training is a foundational aspect of any successful cyber security program. According to recent reports, more than 40% of data security breaches are the result of employee negligence. This can include unknowingly clicking on a phishing link or leaving sensitive information up on an unmonitored computer.

This is why so many cyber security compliance regulations require some degree of data security training for staff, which absolutely is a good thing! The more staff know about new and emerging threats, the more they can help protect the organization.

But this assumes that the cyber security training is effective – that it is engaging enough to keep a person’s attention and explain technical information in an interesting way. That, in our experience, is not an easy task.

Relying on old TV references or outdated memes isn’t going to get people’s attention. We are constantly looking for new ways to engage end users and we’ve even found a good animation or game to be highly effective in boosting a person’s awareness of cyber security best practices. For example, training activities could include a phishing game to spot the phishing email or a timed game where people answer questions. Be sure to reward them for participating too! Think of small items such as a cyber security mouse pad, gift cards, and the 2020 holy grail gift – a can of Lysol.

If the training is simply focused on general items that evoke stress without giving people any action to perform, then they’ll ignore the message. Instead, trainings should focus on skillsets that apply to both their personal and professional lives (e.g., safe shopping, sharing of data, etc.). This will help them make good decisions regardless of their computing environment.

People make mistakes – and those related to data security are no different. Employees need to understand that they will not be penalized or retaliated against for reporting an issue. It is important that they know this behavior is encouraged, appreciated and rewarded. Clarify the distinction between an accident or a mistake and a willful disregard of policies and procedures.

Different employees have varying degrees of access to sensitive data, and as such, they need cyber security training tailored to their work and the potential risk they pose to the organization. Generally, here are the different types of cyber security trainings you should consider for your organization.

Anyone who has access to your organization’s systems and data must complete a basic level of cyber security training. While this will differ depending on your organization, end user training should cover your cyber security policies and procedures, advice on how to spot threats, what to do if they have the *slightest* inkling a breach has occurred, and how to report it.

Those who oversee a certain system or types of data, commonly managers and executives, need a higher degree of training. System and data owner training focuses on what they need to know in order to perform their governance and oversight duties. This is critical to ensuring that IT and information security are putting the right controls in place to avoid a data breach. For example, system and data owners will review a list of who has access to a certain system at least once a year to make sure that it is accurate. They also will make decisions about when IT or the information security team need to decommission systems from the environment.

This is for individuals who administer a system, focusing on the routine tasks that ensure its protection (e.g., security patching, access reviews with the Information Security Officer, reporting of suspicious activities, etc.). It also provides an overview of the policies, procedures, and documentation that need to be maintained on each system and how to securely install and decommission systems in the environment.

Data custodian training is sometimes included with system admin training, but it also can be separate. Data custodians are those individuals who are responsible for the physical security of a system (i.e., server security in a data center or in a server room). This may be done by the system administrators or by those who manage a data center. This training will discuss the protocols, policies, and procedures for ensuring the physical security of data and systems.

Outsourcing certain functions is commonplace among organizations. When an organization relies on a third-party vendor and gives them access to their sensitive systems and data, then that vendor needs to be trained on the security requirements placed upon them by the organization. This includes the policies and procedures applicable to third-party vendors, what regular activities they are required to perform to ensure they are compliant with the organization’s security requirements, and oversight activities that will be done by the organization to ensure their compliance.

Executives and board members routinely are responsible for governance and oversight at the highest levels of an organization, which brings about an additional layer of training needs. Executive and board cyber security training focuses on what they need to do to ensure that cyber security is implemented and maintained in the organization as they are performing their fiduciary responsibilities (e.g., Duty of Loyalty and Duty of Care).

Cyber security must be implemented and maintained in a manner consistent with the sensitivity of the data in their possession. If there are any regulatory drivers for this, the executives and boards are responsible for ensuring that the cyber security program is compliant. This does not mean that they have to actually do the program work, but they do need to understand what questions to ask, getting (at a minimum) annual updates, and ensuring that the budget and resources are available for the program to be implemented and maintained.

Board members are a unique subsect of an organization’s internal stakeholders. They have a high degree of oversight and are required to review and make decisions on a significant number of items to fulfill their fiduciary responsibilities – in other words, they have a lot on their plate and limited focus for much else. Because of this, board cyber security trainings must be concise and only address those items of critical importance to their duties.

No detailed technical discussions unless the topic is specifically broached by a board member. If detailed technical discussions on current risks, issues, or data breaches are needed, then those should take place in a separate meeting for an appropriate board subcommittee meeting or executive working group session.

Board training also must be sensitive to laws and regulations affecting board activities. For example, when performing training for a board that’s subject to the Freedom of Information Act, then the trainer must understand what can be discussed in a public session and what needs to be discussed in a closed session. If the board is of a publicly traded company, then the trainer must know what information can be shared with the public versus what needs to be protected. Publicly sharing certain information can jeopardize the organization’s competitive advantage. It’s imperative the trainer how to relay necessary information to investors without adversely affecting the organization.

An effective board needs to understand how to prioritize emerging threats and their overall impact to the organization. You can’t scare them with any and every possible threat. A cyber security trainer needs to help board members see the big picture, while also assisting them in developing the skills necessary to make risk-based decisions on what they learn. Many board members are not cyber security practitioners. Cyber security training needs to be sensitive to the skill level of those individuals and not make them feel inferior for not knowing.

It may be easy to view cyber security training as a “check in the box” to ensure your organization is compliant and/or aligned with best practices. However, if the training doesn’t actually boost your organization’s awareness of cyber security threats and how to avoid them, then there’s little difference from not having any training at all.

If your existing cyber security training is outdated or not giving you the protection your organization needs, we’re here to help!