As 2016 comes to an end and we look ahead to the New Year, many of us are setting our sights on achieving certain goals. Losing weight, reading more, and quitting smoking are high on many people’s New Year’s resolutions lists. But if there’s one thing businesses should strive to achieve in 2017, it’s to improve their cyber security.
If you thought this year’s slew of denial-of-service attacks, social engineering scams, and software vulnerabilities was bad, there’s no reason to believe 2017 will be any better. Phishing schemes will likely grow more sophisticated, and cyber espionage will probably take centre stage. Even Dan Tehan, the Minister Assisting the Prime Minister for Cyber Security, is putting an emphasis on protecting Australia against an array of cyber-attacks in the coming years.
As tough as it is to step back into the daily routine after a week-long feast of ribs and barbecued prawns, cyber-attacks don’t stop for anyone. And if you’re planning to have a year free of IT incidents, it’s best to kick things off with a post-holiday employee security training program.
Plan a training program
When developing a training program, you should lay out a set of objectives you want to accomplish. These training objectives are essentially the behaviors and skills you want employees to develop by the end of the program.
For example, your post-holiday training objective might be to have employees identify different types of social engineering attacks in five real-world scenarios. Notice how specific that objective is? By setting measurable goals, you can determine whether employees have mastered the material.
After creating specific objectives for your curriculum, it’s time to begin the lessons. Of course, training your employees to defend against an onslaught of cyber threats will make up a good chunk of your curriculum, but first they need to know the basic terminology.
When conducting your first employee security training session, define common information security terms — like malware, worms, phishing, and so forth — and make sure employees understand them before going any further. Failure to do so may alienate your staff and could discourage them from engaging with your training curriculum.
Once they have a good grasp of the basics, plan lessons around these key cyber security topics:
- Social engineering – the main purpose of this lesson is to warn employees about vulnerabilities that they themselves might inadvertently create. Teach employees about the tell-tale signs of common social engineering scams — such as phishing, vishing, and smishing. This is also a good opportunity to talk about real-life scenarios like the fake Netflix emails that scammed so many people this August.
- Explaining attack vectors – this lesson should focus on the technical exploits that modern-day attackers employ. In the training session, talk about the vulnerabilities found in outdated technology, denial-of-service attacks, ransomware, and brute-force methods. Again, it’s best to tie these exploits to real-world examples to help employees contextualise the information.
- Password management – emphasise the importance of passwords in the early stages of your post-holiday security class. In the seminar, teach employees what makes a strong password, why it’s important to set unique passwords for each web service, how often they should change it, and how to use password management software. Check out our previous post for more details.
- Data security – this topic mainly deals with setting access rights and data encryption. Teach employees about the importance of upholding compliance initiatives like the Privacy Act 1988, and handling sensitive information in personal devices and public areas.
- Physical security – as significant as the other lessons are, don’t downplay physical security in your curriculum. Here, you instruct staff on how to deal with unauthorised personnel, keep desks clear of sensitive documents, lock up server rooms, and so on.
Keep in mind that these topics don’t have to be taught separately. In fact, pedagogical studies have shown that students — or in this case, employees — learn more information when course material is integrated and mentioned several times throughout the program.
In the course of developing your curriculum, you’ll need to determine how the material will be delivered. The oldest method most companies resort to is conducting a PowerPoint presentation. While this technique does have its merits — like immediate audience feedback — long, scripted lectures often feel impersonal, and staff are more likely to dismiss it as just another mandatory annual training seminar.
According to cognitive load theory, learning is more effective when students (or, in this case, employees) aren’t overloaded with information. Your training curriculum should be cut down into bite-sized chunks because there’s not enough time to cover, let alone allow your employees to absorb and retain, every topic related to cyber security in a single hour-long session.
For staff to effectively engage the material, you need to incorporate a combination of visual, aural, and kinaesthetic techniques. If you feel a lecture format is the best way to deliver material, supplement the dry and nuanced information with fun and engaging 3-minute videos. Chances are, your employees haven’t quite kicked the post-holiday blues, so a comedic delivery is more likely to stick than starting off the year with an extremely serious tone.
Use interactive quizzes at the end of each session to gauge their security awareness. A brown-bag session, where co-workers discuss frustrating cyber threat experiences over lunch, is also an effective method for cementing recently acquired information in an informal and relaxed setting. Managers can also create role-playing exercises in which employees have to avoid common scams from social engineers.
Outside of training seminars, reinforce the security habits you want to see in the workplace by sending company-wide security newsletters, putting up “do and don’t list” posters in highly trafficked office areas, and initiating a security award program at the end of the month.
While there is no one-size-fits-all solution for delivering course material, a post-holiday training program that mixes and matches these methods is more likely to be both enjoyable and impactful for learners.
The fruits of training
Much like any curriculum topic, your security training program should evaluate how much your employees have learned. Have workers demonstrate their understanding of the curriculum objectives with a written test, role-play scenarios, and practical demonstrations.
Also remember that while assessments are valuable tools for evaluating a student’s knowledge, they are not the be-all and end-all of your security training program. The ultimate goal of security training is to develop critical thinkers who can defend against numerous cyber threats, not high-scoring test takers. The best way to accomplish this is by sticking to a monthly, or even weekly, curriculum to truly see the fruits of your labour.
We would be remiss not to mention that a single post-holiday security training session is not enough to protect your business from a landscape of constantly evolving threats. To address the human vulnerability in your organisation, you need periodic security training.
Contact Empower IT Solutions for more information on delivering tailored workshops about computer security to your employees in the new year!