One of the main causes of a security breach is human error. This is confirmed in a study of annual trends by Cyber Security Malaysia.
This weakness involving human error is something which should be addressed with urgency and tact. End users need to be made aware of their responsibilities. The rise in the number of attacks signals an increasing need for cyber security training for employees. Employees need to be made aware of the powerful effects their actions have on the organization. A single wrong click may cause an organisation to lose millions of dollars.
There is a pressing need for more employee training, and for classes tailored to the real needs of the organization, so that participants grasp the full extent of how their actions may affect the organization and learn how to avoid falling into the trap.
However, these cyber security trainings have been facing a lot of resistance, especially from top management. Members of top management are often the busiest people in any organization. As security professionals, we respect that; but what can we do when the CEO him/herself refuses to take part in security awareness training?
Many people also question whether cyber security training is worth the investment. In discussing this issue, it is important for all parties to have a common understanding of what cyber security training means. If the definition of cyber security training is reduced to the simple act of herding employees into a classroom year after year to sit through a mundane session akin to the trainings of yesteryear, then I agree with the negative sentiment: please do not bother.
Studies have shown that this style of training does not work, simply because people today do not think or behave the way they did ten years ago. I have personally seen people using the same PowerPoint training material for 7 years. These outdated training modules will not help defend a company against fast-evolving cyber-attacks.
While some companies do invest in cyber security training, many find that the training they signed up for is not doing the job. So, why do most cyber security trainings fail?
- The usual classroom style of training is seen as boring and dull.
- Typical trainings are mostly one-way information downloads and lack interaction.
- No assessment is done to measure the level of success.
- Trainings use scare tactics to coax participants into changing their ways instead of teaching them the proper way of doing things.
- Trainings are usually delivered by people who do not have sufficient knowledge of cyber security.
At CiEdge, we believe in a hands-on learning method. Phishing your own staff gives them first-hand experience and the know-how to avoid making fatal mistakes that would cost the company. Leave a comment below to share your thoughts on this and we will be in touch to discuss it in more detail.