It is often said that people are the weakest link. In organizations this is frequently reflected in the personnel's cyber security skills. Human error can create significant information security risks: relatively minor mistakes, such as clicking a link or running an email attachment, can cause significant damage to the organization. Preventing these small mistakes greatly raises the organization's level of cyber security. The most effective way to prevent human error is to train the organization's personnel to prevent, detect and report security incidents.
A cyber-secure culture as the foundation for training
To succeed in training the organization's personnel, the organization needs a culture in which cyber security is seen as important at every level, from the top down. The culture should be open and supportive when it comes to information security. There should be no room for fear when people have made mistakes that could lead to cyber security risks or security breaches. Reporting possible incidents should be encouraged and supported by management at all levels.
Often risks can be avoided simply by being alert and careful, so personnel who understand the cause-and-effect chain behind cyber attacks reduce risk. Cyber security skills affect an individual's ability to detect and notice possible risks, such as phishing e-mails or phone calls, both at work and in personal life. Training therefore does not only help the organization; it also helps employees take care of information security in their private lives.
Personnel's skills in detecting and noticing possible information security risks should be seen as an investment, not merely as a cost or as a tool for preventing risks caused by accidental mistakes. When measuring the overall security of the organization, personnel's cyber security skills should be one indicator, since security software can only enforce technical controls, not guide the human mind. The ideal situation is that staff are able to detect, prevent and report information security incidents, which raises the organization's overall security significantly.
Creating a successful training
Unfortunately, cyber security skills cannot be taught in a single traditional lecture. Different departments and business areas face different types of threats, so training should be designed to meet the unique needs of the organization. For example, the HR department needs to pay attention to different aspects of information security than software developers do. It is worth mentioning, however, that training for certain cyber security skills, such as how to recognize suspicious e-mails, can be scaled to fit many types of organizations.
Many organizations are also bound by law to meet certain cyber security standards and regulations; for example, organizations in the financial or health care sector face more regulation than other industries. These organizations in particular need to take the specific needs of their industry into account.
It is also important to understand that cyber crime and attacks are ongoing (even right now) and constantly evolving, which in turn creates a continuous need to develop training and personnel's cyber security skills. Training should not be a one-off, ad hoc event; instead it should be designed to develop the staff's skills regularly. A good approach is to hold a dedicated cyber security training once a year and then run more general sessions periodically to remind people of the skills they have learned. Such trainings also keep cyber security a relevant topic in the organization and lead to the development of a culture of information security.
The content of the training plays an important role in its success. The training should be fun and motivating, but at the same time effective. With modern tools, such as online training, creating a motivating and effective training is easy. Sometimes building a friendly competition around the training motivates people and improves completion rates; other organizations prefer to award diplomas to staff members who have successfully finished the training. There are many ways to create an interesting and motivating information security training that fits the organization's unique needs and raises its overall security. With the right tools and methods, training produces results that last a long time and create a cyber-secure organizational culture.