
What works and what doesn’t when it comes to cybersecurity training

  • Co-founder and director at Port443, Tony Walt, has shared some helpful tips regarding what works and what doesn’t when it comes to cybersecurity training for businesses.
  • What is clear is that investing in cybersecurity awareness and training is vital for businesses of all sizes.
  • With new threats constantly coming to the fore, informed employees may be able to more easily spot attacks before they happen.

As we have written countless times before – cybersecurity awareness, education and training are vital for all businesses. While we and many others make it our business to know what threats lurk on the internet and how to avoid them, others simply don’t care and one can’t force them to.

This goes for employees where the focus is largely on the job at hand and not how cybercriminals are using AI to craft more believable phishing scripts or how their CPU may be responsible for leaking information to an attacker. It’s the job of the company then to inform employees of the dangers and risks they could face.

“Staff training is essential for cultivating cybersecurity awareness. Employees must understand that posting even ‘non-sensitive’ personal information can lead to identity theft. It also potentially exposes their work passwords and puts their employers at risk,” explains Tony Walt, co-founder and director of Port443, a local cybersecurity software development firm.

However, training can be about as much as watching the rain descend on a freshly painted roof, so it matters how a company chooses to approach it.

To that end, Walt has a few insights into what works and what doesn’t when it comes to training.

Perhaps the insight that jumps out at us first is creating an environment that encourages and celebrates incident reporting. Should an employee fall prey to a phishing attack, they should be able to report it without fear of being fired. Cybercriminals spend all of their time crafting attacks, and blaming an accountant for responding to a believable email is unfair.

“Your staff need to know they will be supported when they report an incident. This helps to ensure prompt action, and minimises damage,” explains Walt.

Of course prevention is better than cure and this is why ongoing, targeted training is essential. One way to identify what areas need attention is by conducting simulated attacks to determine where weak points are. Simulated attacks can also be used to measure how effective training has been.

In addition, Walt recommends gamifying and role-playing in training, as they can enhance engagement while making learning fun and memorable.

“More importantly, role-playing helps staff to practise appropriate responses in a controlled environment,” says Walt.

As for what doesn’t work, avoid lecture-style training with death-by-PowerPoint presentations.

“Do everything in your power to make training fun. Otherwise you’re diminishing your people’s ability to retain information and apply it in practical situations,” says the Port443 director.

The worst thing you can do is assume that cybersecurity training and awareness is a once-off investment. The threat landscape changes constantly and, as such, new attacks, attack vectors, malware and other operations are always coming to the fore.

There are many companies that offer cybersecurity training programmes conducted by experts for businesses of all sizes.

As the adage goes, it’s not a question of if your business is going to be attacked, but when. Training goes a long way to mitigate the damage of potential attacks and breaches, which can cost R49.45 million on average, according to IBM Security.

[Image – CC 0 Pixabay]
