Cyber attacks on UK plc are becoming ever more prevalent, yet most employers appear reluctant to provide their staff with training in the latest IT security principles and practices. According to the government’s 2023 Cyber Security Breaches Survey report, published in April, only 18% of businesses said that they’d organised such tuition for their employees over the preceding 12 months.
How should firms looking to redress that shortcoming go about providing an effective training programme? Three experienced chief information security officers share their advice on this key element of cybersecurity best practice.
Training should be tailored to specific cyber risks in each learner’s role, monitored and regularly updated, according to McGladrey, whose company provides a platform offering risk, security and compliance assurance.
For instance, “while all employees should be made aware of phishing techniques, specialised training in, say, incident-handling procedures should be delivered to the incident-response team only”, he explains. “Similarly, organisations should provide training only if it’s intended to reduce a specific risk, as it’s unreasonable to expect employees to become knowledgeable about every possible topic in this field.”
McGladrey adds that employers “should provide annual training at the very minimum, supplemented by micro-training modules after policy violations or incidents”.
While a firm’s CISO and their team will typically lead the training, there are other options. These include engaging external expertise such as dedicated cybersecurity consultancies or a virtual CISO to develop a tailored programme.
Designing and delivering well-targeted courses is only half the battle for firms seeking to improve employee awareness. It’s vital to assess the effectiveness of these interventions to ensure that they’re having the desired effect.
It’s unreasonable to expect employees to become knowledgeable about every possible topic in this field
McGladrey suggests that, instead of relying solely on the training provider’s dashboard for evaluating uptake, internal compliance teams should gather and assess evidence of effectiveness independently.
“This enables organisations to show their leadership teams the effectiveness of their training in mitigating the risks,” he says.
His company automatically monitors progress in KnowBe4, a popular cybersecurity training platform.
“A KnowBe4 module on phishing completed by 95% of staff within a month, for instance, is more impactful than one with only 50% adoption in reducing that risk,” McGladrey says. “This also removes the need for the second line of defence to manually request and verify training completion.”
Third-party verification will also enable boards of plcs to describe their cybersecurity training controls in line with regulatory requirements. McGladrey notes that this can also be used alongside evidence of other cybersecurity control operations to negotiate favourable premiums with insurers.
He adds that employers “must regularly update their training, at least annually, based on employee feedback, adoption rates and risks exceeding agreed tolerance levels”.
Training must recognise the pivotal role of employee behaviour in keeping the cybercriminals at bay, stresses Nigro, who is also a board director at the Information Systems Audit and Control Association (ISACA).
“This involves setting clear security objectives, conducting risk assessments and understanding employees’ knowledge gaps,” she says, adding that courses need to be engaging and use different formats, such as live sessions and interactive modules, while avoiding technical jargon.
The examples they cite should be “real-world scenarios that help to illustrate consequences of lapses and emphasise the importance of best practice”.
Emphasising the unique considerations associated with mobile device security helps to mitigate those risks
Programmes should be structured to incorporate ongoing training and updates with the aim of embedding cybersecurity into an enterprise’s culture, adds Nigro, who likes to see courses that involve senior leaders and highlight exemplary practice.
She believes that the overriding goal of such interventions should be to empower people, because encouraging “openness and transparency helps to create a culture in which employees feel comfortable reporting potential threats”.
Because the use of mobile devices for work purposes has become so prevalent, it’s become vital to incorporate specialised training with specific guidance on securing this equipment, Nigro stresses.
Given the ubiquity of mobile devices in professional settings, “addressing their security is paramount in fortifying a company’s overall resilience”, she says. By providing targeted training on securing mobile devices, the organisation can mitigate the risks associated with their particular set of vulnerabilities.
“Emphasising the unique considerations associated with mobile device security helps to mitigate those risks, ensure a more robust defence and strengthen an organisation’s overall cybersecurity posture,” Nigro adds.
Having educated hundreds of people in cybersecurity principles and practices, Green is convinced that such training must not be treated as a single standalone intervention.
Rather, it needs to be an “ongoing process that includes regular updates, drills and discussions on the evolving threat landscape. The goal should be to build a risk-aware mindset across the organisation,” he says. “Regular engagement is key to making that happen.”
Green, who also creates academic programmes in cybersecurity at the University of British Columbia, recommends that employers take advantage of the free or low-cost frameworks offered by industry groups such as the ISACA or the US National Institute of Standards and Technology. In the UK, there are government resources such as the National Cyber Security Centre’s online training platform.
“These resources, including user-friendly infographics, can be shared to keep the subject near the top of everyone’s minds,” Green says. “HR and/or privacy teams can lead the way in making cybersecurity training part of the overall employee development process.”
HR and/or privacy teams can lead the way in making cybersecurity training part of the overall employee development process
A firm believer in the value of regular refresher sessions, he stresses the usefulness of activities such as ‘lunch and learn’ seminars and discussions about the latest cyber incidents to hit the headlines.
IT teams also need to run regular exercises such as phishing simulations, which help employees to get better at spotting and handling such threats. The idea is that cybersecurity becomes part of a company’s daily operations as well as its culture.
Last but not least, senior leaders have a vital role to play in promoting the importance of effective security practices, as Green explains.
“Their involvement will show everyone in the organisation how important this subject is,” he says. “This can only help to create a culture in which everyone takes cybersecurity – and their contribution to it – seriously.”
