How tackling cybersecurity training from a companywide lens leads to better preparedness

Stephen Lawton   

  • Cybersecurity training is needed for all employees, including senior management.
  • Consider a variety of training techniques to match employees' learning styles.
  • Continuous formal and informal training can be more effective than annual cram sessions.

If you ask a corporate chief security officer or chief information officer about the best defense against a cyberattack, you'll likely hear about employee training. While this answer might sound like a platitude, it is surprisingly accurate. What is not so clear, however, is what information your staffers should know, how to train them, who exactly to train, and how to ensure they remember their training.

According to Infosec Resources, at least 55 federal and state cybersecurity regulations require employee security awareness and training. Training is no longer just an HR function - it is a corporate imperative.

Cyber training used to be conducted during onboarding: New employees often sat in classrooms and were given a ton of information that they were expected to memorize. This approach, training experts say, is not conducive to effective learning.

Training strategies are like diets: There is no "one size fits all" method. While some approaches work better with certain people, others need different teaching stimuli.

Trainers who specialize in cybersecurity recommend a hybrid approach that includes training in classrooms, on-demand videos, gamification-based lessons, and one-on-one specialized training. Cybersecurity professionals also suggest companywide exercises that use emails simulating a phishing attack.

Experts say that training should be provided in bite-sized lessons on a regular basis so that trainees can continually apply what they learn. While formal training might be conducted quarterly, informal and on-demand training can be available whenever time permits.

Companies need to provide time and incentives for employees to partake in continuous training and use a range of teaching tactics to match employees' learning styles.

Who should be trained

Experts say that junior-level managers and corporate staffers are most targeted because they often have little hands-on training and are likely to click on fake attachments. Middle-level managers and staff are also targeted because they have access to confidential data.

Senior executives and board members need cybersecurity training because they have direct access to the most valuable corporate data. But they often are the most resistant to training because of their schedules and because many rely too heavily on the IT department's ability to protect their network. In fact, there is an attack vector - or a path that an attacker takes to access cybersecurity vulnerabilities - called whaling that specifically targets these high-value corporate executives.

Each staff level might receive different explanations and training based on the data they are expected to protect and the types of attacks that would target their information. For example, human-resources employees could have training that includes how to check résumés before introducing them to corporate databases. Finance staff could get advanced training on recognizing potentially invalid invoices or payment instructions.

Through ongoing training and practice, employees and managers gain the muscle memory to spot a possible threat and report it. While training has a financial cost, it's less expensive than recovering from a breach or paying a multimillion-dollar ransom.

The best way to accomplish these goals is to provide effective training not only to staff and line managers but also to corporate executives.

"Cybersecurity is a responsibility for everyone in an organization - from the head of the board of directors to newly hired employees and interns," says Leo Simonovich, the vice president and global head of industrial cybersecurity at Siemens Energy. "Every employee, vendor, and customer has a role to play."
