How To Approach Cyber Security Awareness Training


While the scam of someone masquerading as a prince is now used mostly as a pop culture reference, it is a prime example of an early online scam, one that led to the extortion of millions of pounds. Today's scams are harder to spot: they are disguised as the brands you interact with every day. With effective security awareness training, you can feel confident that your employees can carry out their day-to-day tasks without harming your business.

A successful cyber-attack can cause financial loss, operational disruption, reputational damage, loss of customers and GDPR fines. Some small businesses unfortunately never recover from the impact of an attack and close their doors. With so much at stake, businesses often do not know where to start. As a trusted partner to the NEBRC, Data Connect often sees these challenges and pressures facing new customers. However, by taking a holistic approach to security awareness training, businesses can improve their cyber resilience.

How to Get Started:

With security awareness training, it is important to remember that it isn't just an 'IT issue', a common misconception that we see often. By taking a holistic and strategic approach within your business, you can implement all the necessary training effectively, with awareness training as one part of it. Other examples of such training are new employee induction, training for employees taking on additional duties, and training required for regulatory purposes.

Getting The Right Balance

One aspect that does need to be taken into account is that employees can be over-trained, which leads to disengagement and fatigue. To help overcome this, here are Data Connect's tips on planning security awareness training effectively:

  1. Tailored Training – The cyber security training plan needs to recognise that different roles require different training. Some employees need to learn about topics that other workers do not. By focusing on each specific duty, you reduce the potential for employee fatigue by limiting over-training on irrelevant topics. For example, a delivery driver would not need identical security training to a receptionist who uses a computer all day. As an illustration, here is a basic list of topics that could be covered in training: email security, smishing (text message scams) and vishing (voice/phone call phishing), social media scams, password security, and human error/internal breaches (such as attaching the wrong files or sending them to an incorrect person).
  2. Flexible Planning – Cyber security is forever evolving, with new threats and trends constantly emerging. Flexible planning means training is reviewed in line with current affairs as well as employee feedback. For example, at the start of the pandemic, Covid-19 scams started circulating to play on societal fear. Without the right experience or knowledge, it can be hard to keep on top of current trends for planning purposes, and training becomes outdated. Trusted sources that can keep you up to date include the NEBRC, the NCSC and trusted partners.
  3. Spark Engagement – Training should use a range of formats to ensure content is engaging and easy to understand. The most successful measures include interactive content, images, diagrams and videos.
  4. Communication and Encouragement – Create an open line of communication between employees and employers, in which employees feel comfortable asking questions about cyber security. A culture of openness around security removes employees' fear of reporting human error and suspicious activity, which in turn helps you respond to any security or data breach issues that need attention. This links back to the point that security awareness training isn't just an IT issue: all management must be on board.
  5. Testing – Arrange tests on employees such as sending simulated phishing emails (phishing simulations). This measures the effectiveness of cyber security training and highlights any areas of concern. Employees can feel intimidated by these exercises, but if the previous tip has been implemented, this should not be the case. Testing lets you identify employees who need extra training and shows whether the current training programme is effective.

Your Options: In-House or External Training

Businesses can often feel frustrated when implementing a new awareness training framework, as there are many variations to consider. Getting the planning right and continuing to test is fundamental. By following the tips above, we hope to make in-house implementation simpler. Some organisations choose to seek assistance with their awareness training because of the benefits of working with cyber security specialists, including access to security tools, experience with current security trends, analysis reports and external verification.

The NEBRC is available to help organisations with awareness training. It focuses on helping organisations that currently have little or no cyber security or technical knowledge. The content is delivered through small, concise and tailored modules and uses real-world situations as examples. If you are interested in outsourcing your awareness training after the initial NEBRC sessions, Data Connect is on hand to continue building a bespoke training programme with you.

If you have any further awareness training questions, please get in touch with the NEBRC or our team. Get in touch with the NEBRC by emailing [email protected] or sign up to our free core membership to keep up to date with the latest cyber security matters and keep your business safe online.