In highly networked systems, organizations cannot protect the confidentiality, integrity and availability of data without implementing an effective and reliable security training program. According to a Kaspersky Lab report, more than 46 percent of cybersecurity incidents are due to human error, and enterprises suffer multimillion-dollar losses owing to information security incidents caused by employees. For example, uninformed staff can harm a secure network by responding to phishing emails, visiting web pages infected with malware or storing confidential information in an insecure location.
To prevent staff-related incidents, organizations must implement a viable cybersecurity training program for their employees across all functions. In our experience, the ideal program is a layered one that inspires and enables staff to adopt effective cybersecurity habits.
How to plan a cybersecurity training program?
The program may be planned in stages across six months, with the following objectives:
Measure - To prove your training program is driving cybersecurity awareness and behaviour change, first measure your organization's current risk level.
Introduce - Before diving into training, introduce your program and help employees understand what to expect in the coming months.
Prepare - Gather and review all training materials and decide how to display and deliver the supplemental resources.
Deliver - Select your training session, schedule your campaigns and launch the training session.
Analyse - How are your staff responding to training and simulations? How does your data compare to your baseline metrics? Check your data and make changes if necessary.
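As an added example (not part of the original article), the Measure and Analyse steps above expressed in code: per-department click and report rates from a baseline phishing simulation and a later campaign, with departments that have not improved flagged for follow-up. The department names, counts and the 10 percent target click rate are constructed assumptions, not data from any real program.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CampaignResult:
    """Outcome of one simulated-phishing campaign for one department."""
    department: str
    sent: int       # simulated phishing mails delivered
    clicked: int    # recipients who followed the simulated link
    reported: int   # recipients who reported the mail to security


def rates(result):
    """Return (click_rate, report_rate) as fractions of mails sent."""
    if result.sent <= 0:
        raise ValueError(f"{result.department}: no mails sent")
    return result.clicked / result.sent, result.reported / result.sent


def compare_to_baseline(baseline, current):
    """Per department, change in click and report rates versus the baseline
    (Measure) campaign. Departments missing from either campaign are skipped."""
    base = {r.department: r for r in baseline}
    comparison = {}
    for r in current:
        if r.department not in base:
            continue
        b_click, b_report = rates(base[r.department])
        c_click, c_report = rates(r)
        comparison[r.department] = {
            "click_rate": round(c_click, 3),
            "click_delta": round(c_click - b_click, 3),
            "report_rate": round(c_report, 3),
            "report_delta": round(c_report - b_report, 3),
        }
    return comparison


def needs_followup(comparison, max_click_rate=0.10):
    """Departments whose click rate did not fall, or still exceeds the target."""
    return sorted(d for d, m in comparison.items()
                  if m["click_delta"] >= 0 or m["click_rate"] > max_click_rate)


# Constructed sample data: baseline simulation (month 1) and a month-6 campaign.
BASELINE = [CampaignResult("Finance", 50, 15, 4),
            CampaignResult("Engineering", 80, 8, 20),
            CampaignResult("Sales", 40, 12, 2)]
MONTH_6 = [CampaignResult("Finance", 50, 5, 18),
           CampaignResult("Engineering", 80, 4, 36),
           CampaignResult("Sales", 40, 13, 6)]

if __name__ == "__main__":
    for dept, m in compare_to_baseline(BASELINE, MONTH_6).items():
        print(dept, m)
    print("follow-up needed:", needs_followup(compare_to_baseline(BASELINE, MONTH_6)))
```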
What does a comprehensive program kit look like?
Program notification emails that carry consistent imagery and a slogan to brand the program
Information security training modules that are technical
Supplementary training modules on industry, regulation, compliance and the like
Assessments to test staff knowledge and evaluate learning
Simulations, such as phishing templates, to test staff behaviour change
Posters and infographics that can be put up in high-visibility locations to extend the campaign
Digital banners themed around the program for the company intranet or newsletter
Let's talk a bit about the session content.
Introduction - Talk about hackers, cybersecurity and why it pays to keep a good head on your shoulders.
Phishing - Teach them how to spot the bait and guide them through the dangers of phishing. Is this actually a very exciting email from the boss, or is it just another hacker's trap?
Password Security - A system is only as secure as its password. Guide them in creating a strong password, because security is not as easy as 1-2-3.
Safe browsing - It’s a jungle in there. Explore the winding paths of the internet and venture into thorny areas like fake browser warnings, HTTPS and dangerous URLs.
Mobile Security - Explore the ups and downs of phone security. What is encryption? What kind of damage could a stolen phone do? Learn how to take security with you wherever you go.
Social Engineering - Some hackers don’t need computers at all. Explore the dirty business of social engineering — when all it takes is a lie to crack open a company.
Malware - Trojan horses, worms, RATs — Explore the best ways to keep malware from migrating into your system.
Physical Security - Talk about why you secure everything (even the printer), and what someone could get by sneaking in. Here's how not to leave security out in the cold.
Work from Home - Sometimes, trouble follows you home. Explore the dangers of working remotely — from password cracks to malware attacks.
Removable Media - Can a thumb drive topple a company? Check out the dangers of removable media — the good, the bait and the ugly.
Other topics - Educate them on the clean desk policy, correct BYOD usage, social networking perils, email scams and hoaxes.
Employees play a crucial role in running a successful business. Untrained and negligent staff can put your enterprise in danger of multiple data breaches. Therefore, organizations must adopt a viable security training program that encompasses the essential guidelines needed to thwart imminent cyber-incidents.