Tips for Creating a Cybersecurity Training Program
Cybersecurity training as an extension of your safety training
We talk about creating a safe work environment for our employees: safety from discrimination and harassment, and physical safety when working with electricity, forklifts, and hazardous materials. Cybersecurity training is not only about protecting the company’s data and systems; it’s also about protecting employees from identity theft, malware, and hackers.
Your employees need to be a human firewall for the systems and data your organization holds. As with many training topics, cybersecurity training is not a one-time event. The content needs to be reinforced and reviewed. Technology evolves quickly and so do the cyber criminals, so your training needs to evolve too.
Think about these cyber scenarios:
- An employee checks their personal email from their work computer in their office. They click on an unsafe email attachment that launches malware. On their work computer. Behind your firewall.
- A salesperson’s flight is delayed and they work on their corporate laptop in the frequent-flier lounge on the free wifi. They leave their laptop unattended and unlocked while they use the restroom.
- An executive goes out to lunch and sets their company-supplied mobile phone on the edge of the table in a busy restaurant. They don’t notice when a thief walks off with the phone.
Cybersecurity training is for everyone
All employees need to be trained in cybersecurity, not just your IT department. Different jobs have different risks. It’s much more than the obvious firewall and antivirus software; it’s part of risk management. Most successful attacks are the result of unintentional employee negligence. It’s critical to create policies, processes, and training on cybersecurity. Train your employees to be vigilant. Protect your business and your assets. Help your employees protect their personal information.
Your IT department already has procedures in place to protect your network, software, and hardware. But what about the rest of the employees? Most would never purposely put the company at risk. It’s too easy for someone to inadvertently click on an urgent email that looks like it came from their bank to alert them about a problem with their account.
We offer a course that you may find helpful: “Creating a Cybersecurity Training Program.” Here are a few tips:
What do they need to know? Your cybersecurity training should cover topics like:
- Email phishing
- Identity theft
- Social engineering
How frequently do employees need to be trained? How frequently do they need to be reminded or have the content reinforced? If you don’t have any cybersecurity training in place, the time to start is now. We suggest that training reinforcement be delivered on a regular basis. Ours is delivered two days, two weeks, two months, and four months after the initial training event. We also update our courses on a regular basis. As technology changes, criminals change their approach, so your training needs to keep up.
Videos like ours can be easily deployed to all employees via your LMS (we are SCORM compliant) or you can use our learning management system.
You might also consider instructor-led courses so you can immediately answer questions and run through real-life examples. Our videos could be used as pre-work, shown during the class, or used as reinforcement.
Some companies add this content to their internal newsletters, intranet, or send email reminders. Other clients have created printed collateral and posters for common areas that hang alongside the Federal or State Labor Law posters that cover discrimination, harassment, equal pay, etc.
The training process will be different for various departments, groups, roles, and individuals. Your IT department will help with foundational components such as how often to update passwords, antivirus software, regular backups, etc.
IT may suggest additional policies regarding:
- Inventory of company equipment such as laptops, phones, tablets.
- Guidelines for accessing public wifi networks when working remotely.
- ID badge access for office buildings and departments that house sensitive equipment and data.
- Saving personal files, images, and data on company equipment.
- Saving work files on an external thumb drive.
- And more.
The point of this post is not to overwhelm you but to give you some insights into creating your plan. Most companies have the basics in place with IT, but few companies train all employees on things like email phishing, malware, and social engineering.