Why cybersecurity training needs a post-pandemic overhaul
COVID-19 may have ushered in the rise of remote work (either temporarily or permanently) but not all organizations were prepared to manage a fully remote workforce and the cybersecurity challenges that come with it.
Protecting information assets against threats and attacks can prove more difficult when all or half of your workforce is working remotely; being consistently proactive about it requires a level of cybersecurity-maturity very few companies have achieved. When McKinsey assessed the cybersecurity-maturity level of more than 100 companies and institutions in a number of industry sectors earlier this year, 70% of the organizations were found to be vulnerable against threats and attacks.
While information cybersecurity depends on many different aspects, companies should realize that their employees are the first line of defense and invest in cybersecurity awareness. Unfortunately, cybersecurity training still seems to be low on most employees’ priority list. According to a recent TalentLMS survey on the state of cybersecurity training, 61% of employees who took cybersecurity training failed a basic test.
The truth is that the average employee’s knowledge of cybersecurity threats and best practices is limited. Offering perfunctory cybersecurity training just to tick a box does not help employees build healthier habits and leaves companies exposed to cyberattacks and phishing scams.
But what is about the way most companies currently conduct their cybersecurity training that doesn’t work? And how can organizations effectively engage today’s employees in cybersecurity training to reduce instances of cyberattacks?
Three reasons cybersecurity training turns employees off
Over-emphasis on technical language
Unless you’re training tech workers, there really is no reason to overwhelm your learners with industry jargon. The average employee will struggle with an overly technical language and may end up missing the point of the training entirely while trying to memorize complicated terms. Cybersecurity training materials should be written in layman’s terms. An accessible training language is the first step in making any kind of training stick.
Inability to connect everyday scenarios
Another unfortunate side-effect of relying too heavily on industry jargon during training is that makes the average employee unable to see how this training could relate to their daily job operations. When your training materials are abstract or don’t incorporate real-life scenarios, they can be more easily disregarded as something that employees probably won’t have to deal with. However, this could not be further from the truth, especially with the rise of remote and hybrid working.
In fact, according to Tanium, 90% of companies faced an increase in cyberattacks due to COVID-19, making cybersecurity training more critical than ever.
A false sense of security
How do these increased cyberattacks take place? CISA’s report issued earlier this year mentions poor cyber hygiene practices within a victims’ cloud services configuration. Unfortunately, many employees are not aware of their poor cyber hygiene practices. And therein lies another reason your current cybersecurity training is not hitting the mark: employees believe they already know everything there is to know.
Data from the aforementioned survey paints a clear, if unfortunate picture: 74% of respondents who answered every single question on a simple cybersecurity test incorrectly report feeling safe from cyber threats. This false sense of security is, of course, very dangerous.
Three ways to make training more engaging and effective
Focus on the “how” not just on the “what”
When it comes to any kind of training, we’ve found that the right content delivery can make or break your course. Creating training materials that are engaging and use accessible language won’t have the desired effect if you deliver them to your employees via a printed leaflet they can easily disregard or lengthy PDFs they will struggle to read.
What kind of content delivery is optimal? The answer will vary depending on each employee’s learning style (more of that below) but, overall, there seems to be a clear preference for visual learning and interactivity. According to research from TalentLMS that surveyed tech employees across industries, 71% of respondents prefer learning through videos, while 58% prefer learning through seminars and conferences.
Add gamification and simulations
Gamification elements should not be disregarded as “less serious.” Incorporating elements of play helps human brains engage with, store and digest information better, maximizing the chances of success for your cybersecurity training program. You can use anything from quizzes, avatars and leaderboards or simply badges they can share with coworkers after completing the course.
And as we’ve already seen, incorporating real cases into training materials can help employees feel like what they’re learning is relatable to their everyday lives. For example, using real phishing emails or creating simulated cybersecurity threats to test how employees respond will be much more effective in terms of teaching your employees better cybersecurity hygiene habits.
Cater to all learning styles
Some employees learn better by reading, some by watching videos, and some by doing. While catering to all learning styles may sound like a challenge, an effective cybersecurity training should offer a mix of different content delivery options. Even if your primary training content delivery is videos, for instance, incorporating different elements into them (for example, captions paired with hands-on tasks) can help engage all types of learners in training materials.
Another thing you should consider is offering certifications and prizes: Some employees are results-driven and working towards a more “tangible” goal will be motivating for them. By offering them incentives when they finish a course or achieve a certain training milestone, you are increasing the likelihood of your employees staying engaged and present through the course.
In today’s complex work environment, providing employees with adequate and effective cybersecurity training is vital to an organization’s security and digital health. However, employees need to remain engaged throughout the process for the training to really make a difference. By using accessible language, attending to different learning styles, and providing interactive courses that incorporate real-life scenarios and gamification elements, companies can keep their employees and their personal information safe.