Anyone in the security space can agree that a solid cybersecurity policy goes a long way. But not everyone in your organization is a security expert. In fact, many employees may not know the first thing about firewalls or viruses—which is why cybersecurity employee training is such a critical matter.
Do your competitors and peers have a better cybersecurity game plan than you do? If simply answering that question seems exhausting, this guide can help.
Whether you’re researching and developing your first cybersecurity training program or simply fine-tuning your existing program, the following 13 tips will get you in the right frame of mind.
13 Cybersecurity Training Tips For Employees
1. Consider that all privacy starts with the employees. 
“Bottom line: it doesn’t matter what firewall or intrusion detection or VPN you use if your employees don’t understand the significance of data privacy and protection. No one in your organization will care about data security, privacy policies, intellectual property protection, or data breach until you tell them why it’s important, how it can impact them, and then tell them what to do to prevent it.”
Anthony R. Howard, Author & Consultant, AnthonyHoward.org
2. Focus on the ties between cybersecurity and human error.
“Cybersecurity policy and training needs to shock the employee enough to realize that human error is one of the leading causes of data breaches.Throw facts and statistics at them. Let them know that they play a huge role in the safety of the company. Verizon’s annual Data Breach Investigations Report of 2015 showed that 30% of staff-related e-mail breaches were due to sensitive information being sent to incorrect recipients for example. They need to understand that passwords should never be shared (even internally) and to know what a phishing email looks like. Employees should never connect USB drives or click a link unless they know and trust the source from which it came. Training needs to include the warning signs of a breached system. Why? Once a system is breached, it is critical to remove the threat rapidly to prevent data loss or a follow-up virus or worm.”
Kathy Powell, Marketing Manager, Tie National, LLC
3. Hit close to home.
“Get employees to focus on themselves; don’t harp just on security awareness that affects the company. Make workers understand that security is about them, too, not only the elusive bigwigs. Talk to them about the most common scams and tricks cybercriminals use, and how to protect themselves at home, with tools such as firewalls and wireless VPNs.”
Robert Siciliano, CSP, Author, & Consultant, RobertSiciliano.com
4. Don’t forget about your vendors.
“Require cybersecurity policies to apply to employees, contractors AND service providers; Companies oftentimes overlook contractors and service providers. This is a problem because we're seeing an uptick of cross-company collaboration. This means that others can literally walk away with your data.”
Rocio Baeza, Chief Information Security Officer, Jerumai.com
5. Consider a few rules your mother taught you.
- “Wash your hands: Keep your antivirus and firewalls up to date on ALL your devices—regardless of internet connectivity. Malware is everywhere today—phones are the latest target!
- Write neatly so people can understand you: Always use a personal marker on a file you send to others and never open one without one; don't just send 'scan from copier' emails within the office. Include content, date and version as a minimum. Insist others update the marker when they make a change.
- Don't talk about money to others... it's not polite: Always perform financial transactions on a secure computer, use dual authentication, and never perform banking from an open source such as an Android phone.
- Close the door—you don't live in a barn!: Make certain your home Wi-Fi and IoT [Internet of Things] devices are secure. Adopt the WPA security and have a complex password (no home address or name) for your home Wi-Fi, and make certain all your IoT (thermostats, cameras, security systems) have new passwords you provided them—not the default passwords.
- You can tell me anything… I'm your mother: If [an] email seems odd, or if you think you downloaded something you shouldn't have, tell someone! Don't hide mishaps, and if you received a bad email, someone else probably has as well.”
Jack P. Healey, CPA/CFF, CFE, CEO, Bear Hill Advisory Group
6. Ensure the frequency of your cybersecurity trainings.
“Cybersecurity training has to be provided to every employee (including C-Suite) at least twice a year. This frequency will increase awareness and allow the company a chance to update employees on how to identify the latest threats.”
Kathy Powell, Marketing Manager, Tie National, LLC
7. Make your cybersecurity training steps actionable.
“More often than not, people tend to forget what they learnt in a training class, and the same holds good for cybersecurity training unless the training program provides 1-3 practical actionable tips on what people should or should not do in specific cases. More importantly, what helps dig the tip even deeper in attendees' minds is continued follow up with brief periodic reminders of those tips.”
Sanjay Deo, President & Founder, 24By7Security, Inc.
8. Re-evaluate your program every 90 days.
“This approach has been shown to be quite effective. To avoid information overload, emphasize maybe three topics at a time over the three-month period. Then, 90 days later, see what needs to be revised, based on those three topics.”
Robert Siciliano, CSP, Author, & Consultant, RobertSiciliano.com
9. Ensure that cybersecurity training is mandatory.
“While any good cybersecurity program will contain several far-reaching policies, my one tip would be to make security training and awareness a mandatory and annual requirement for all employees. Without some background, and understanding of the issues, the weakest link in any organisation - the humans - will continue to circumvent all other policies and procedures, be they acceptable use, physical security, byod, network security or the use of shadow IT within the business.”
Lee Munson, Security Researcher, Comparitech.com
10. Be creative.
“Even if funds are scarce, you can still make the learning process more fun than drudgery. For example, give boxes of candy canes out for the holidays, but tucked inside each box enclose the company’s security policy. Employees will more likely read the policy if it comes with candy canes than if it’s simply mailed, or handed to them in the office by the boss.”
Robert Siciliano, CSP, Author, & Consultant, RobertSiciliano.com
11. Use a “three-year” strategy to improve your cybersecurity training.
“This approach makes it relevant and engaging to those receiving the training. It also lightens the load to the team developing the training materials.
- Year 1: Create a basic training for all users.
- Year 2: Segment into two (or more) groups and tailor the messaging.
- Year 3: Review Year 1 and [Year] 2 survey feedback on the material and tighten up the training to address areas needing clarification.”
Rocio Baeza, Chief Information Security Officer, www.jemurai.com
12. Recruit other departments.
“No department is too unimportant to be involved in security awareness. Get every department involved, even your housekeeping and cafeteria staffs. But especially go after your marketing, legal and human resources departments, because they’re in a position to make security awareness a requirement.”
Robert Siciliano, CSP, Author, & Consultant, RobertSiciliano.com
13. Create a privacy culture in your organization.
“Add instructions how [your employees can] protect themselves from identity theft, banking fraud, etc. and their company… from [a] cybersecurity breach. In addition to showing them that you care, you are developing a privacy culture that can be applied to business and their personal life, and at the same time protecting your profits—a benefit both you and your employees will appreciate. Once they understand what they are doing wrong, they can easily fix it. For example, when asked for information about the company from links (or personal info) from an unknown source, they should immediately slide into a realm of professional skepticism. Train them to automatically assume that the requester is a scam of some sort.”
Anthony R. Howard, Author & Consultant, AnthonyHoward.org
Want to improve your cybersecurity game plan?
As a CIO, CISO, or someone highly involved in your organization’s security space, you know you can’t outsource risk. But every year, cyber risk demands more and more time. If this problem sounds familiar, the guide below can help. Download it for free today to find out why cybersecurity benchmarking is difficult for the modern CIO, different methods of benchmarking you may be involved in (or want to consider), and how Security Ratings may solve many benchmarking challenges.
