Employee training in cyber-security needs to be more than just a box-ticking exercise if SMEs are to keep their organisations watertight.
By Dave Eaton.
Current security communication, education and training (CET) is mostly delivered in the form of generic web-based training with lacklustre security quizzes – only indicating that employees have read through pages and know the answers to questions. It doesn’t mean they’ll adopt secure behaviours as they go about their daily tasks.
The lack of reliable indicators means senior management is left questioning whether security behaviour is actually followed in practice. Today, New Zealand employees’ attention is consumed with messages about health and safety, sustainability, regulation, and security. All of these are secondary activities and often end up being lost in the background noise of multiple corporate messages.
With most New Zealand businesses falling into the SME category, they need a framework for security awareness that employees will actually engage with, and empower them to become the strongest link, rather than a chink in the armour defending the organisation.
The first step is security hygiene, ensuring recommended security behaviours can be adopted by employees in a productive way. CET must be tailored to specific groups of employees, and deliver skills that are relevant to their individual tasks. It is unrealistic, and a waste of company resources, to try to mould every employee into a fully-fledged security expert.
Programmes should be creative and fresh, and most crucially, adapted to regional and national cultures.
Untargeted content and unrealistic demands reduce the willingness of employees to take an active role in protecting their company’s information assets.
Depending on an organisation’s needs, there are many creative ways to improve security behaviours and culture. The secret is engaging your people in the right way, so they can convert learning into tangible action and new behaviour. The standard-bearer for this approach is the Air New Zealand safety video: an age-old topic re-invigorated by fresh approaches to keep people engaged, informed and interested.
Selling employees on a cyber-security culture
Most employees interact with information and technology that is essential to the functioning of the organisation. If they’re not able or willing to protect these assets, the organisation is at risk.
Employees should understand what to protect, why they should want to protect it, how the organisation can help them with this, and how successes and mistakes can be used as opportunities to learn and improve.
Security behaviour is largely dependent on an employee’s personal perception of risk, and in New Zealand there is still the false belief that we are somewhat protected from cyber risk given our geographic location. These perceptions can be changed. An organisation’s goals, culture, and technologies can change over time, too. As the threat landscape continuously changes, security knowledge and skills among novices and even among experts need to evolve constantly.
Most employees are not hired or remunerated for their security expertise, but for their contribution to the business. And when remuneration is linked to productivity, most employees will not adopt security behaviours that severely hamper their performance. Before mandating a security behaviour, an organisation needs to ensure that behaviour can be complied with, without routinely blocking productivity.
More than just ticking the boxes
Humans are not computers that replace an existing behaviour with a new one immediately, and not all people internalise and use skills in the same way. The expectation that behaviour will improve if users know the facts is not correct.
CET should be seen as an enabler that supports the organisation’s goals. Current approaches are far from efficient. Employees’ perception of the importance of security in their jobs shows SMEs need to:
- Maintain relevance – Training should be ongoing as the organisation changes and employees move into and across roles, with a focus on what is necessary for their jobs.
- Plan for learning to happen naturally – Repetition of new skills reinforces learning, but training should not overwhelm employees with information or take up excessive paid work time.
- Give thought to the overall package – A joined-up approach for communicating security awareness within the organisation provides internal consistency and a means of measuring progress, so remediation activities can be targeted where training proves insufficient.
- Share the enthusiasm – CET should be creative, fresh, and targeted to employees’ working practices, where an interactive element further involves the individual.
This will enable your organisation to build an effective and sustainable IT security system and culture that cuts across processes, hierarchies, and roles. A clear view of the organisation, its culture, and interdependencies means security awareness can be targeted to specific groups of employees, delivering a set of security skills relevant to your company.
Dave Eaton is chief technologist for Hewlett Packard Enterprise NZ.