One aspect of cyber security we see at IXCG more than any other is the fact that an organisation’s staff are often far better at getting around any security systems which have been put in place than any hacker.
There are many reasons for this: staff work around the security systems daily, badly thought-out systems can impact their ability to work so they seek out ways to lessen this impact, and many staff don’t give security a second thought. These same reasons are why cyber criminals will often target staff, rather than systems directly, by impersonating customers, officials or senior members of the
Attackers know that staff are busy, keen to assist and often don’t understand many of the risks of cyber security, which makes them easy to manipulate. This means that a well-crafted email, document or even a telephone call can trick staff into giving away critical information or even give an attacker a way into a well-protected system. This is why staff cyber security training is so important.
So why isn’t cyber security training more widespread in organisations? There are three main reasons why this vital training is overlooked:
- It’s not well known by senior management – Cyber security training is a relatively new way of helping to tackle cyber crime and it’s often not known about by decision makers, or not fully understood.
- The price can be off-putting – Training is, traditionally, quite expensive both in terms of the cost of the training and the time that staff must devote to it. Most modern cyber security training is modelled on the “as a service” model, meaning that it is billed on an ongoing, per-user basis. With training typically a few pounds per user, per month, it is considerably cheaper than most people suspect and often works out at a fraction of the cost of a security breach.
- Training time will impact staff productivity – Staff training requires staff to invest some time in taking part, which means time away from their work and lost productivity. However, modern cyber security training tries to minimise this impact by offering the training in small chunks, via mobile phone apps, or by continually assessing users and providing help when they make a mistake. This means that the training is provided around their daily work on an ongoing basis, so what they learn becomes part of their daily routine.
Providing training can bring considerable benefits, however:
- Reduced chance of compliance breach – All organisations are obliged to protect personal and financial data, and heavy fines can be levied against offenders. In addition, organisations that suffer a breach must declare to affected customers that their data has been lost. This can be extremely expensive and damaging, dwarfing the cost of supplying staff with training.
- Improved client confidence – Clients are becoming more and more security savvy, and many are now insisting on staff training as a prerequisite for contract bidding processes.
- Improved staff morale – If staff are confident in their work they are happier, and happier staff are more productive. Skills learned on the job can be applied to the home environment to ensure that children and grandchildren are kept safe.
Getting the right solution for your organisation
If training is so important and affordable, why are there so many training packages and solutions? The simple answer is that there is no one package which meets every organisation’s needs. Finding the right package is vital, as staff may not engage with one which doesn’t fit the way they work.
Generally speaking, there are three main types of training package:
- One-off training. This can be instructor-led or self-paced and consists of a course which staff follow, often leading to a certification. This has the advantage of providing a large “chunk” of knowledge in a single, easy-to-arrange package, but requires staff to be away from their work for the training, and staff won’t be updated on new threats as they evolve.
- Continuous testing and training. This system works by providing staff with training and then testing them on an ongoing basis and providing additional training if they fail a test. This system has the advantage of working around your staff’s normal duties and ensuring that their skills are kept up to date. However, ensuring that staff actually take their training requires either HR or line manager involvement and some staff react badly to being tested (as some see it as you trying to catch them out).
- Continuous training. This works in a similar manner to continuous testing and training, but replaces the testing with a small amount of regular training instead. The advantage of this system is that there is no testing, which makes it more palatable to many members of staff, relying instead on selling the benefits of cyber security to them. The limitation of this method is that it relies on an organisation developing a culture of valuing cyber security, so that staff take it seriously and regularly take part in the training.
How do you find the right solution? That is a harder question to answer, and depends on your organisation, your staff and the culture you have.
Breadth of training provides a breadth of protection
Many training providers supply a wide range of courses, covering compliance, local laws and regulations and money handling as well as cyber security. By providing a broad range of skills, your staff will be better equipped to avoid a wide range of financial, legal and data extraction scams, many of which are used alongside traditional cyber security attacks.
The importance of staff training cannot be overstated, yet this critical protection is often overlooked by businesses despite it being one of the most cost-effective methods of protection. IXCG provides training from leading training providers Layer 8 and KnowBe4, as well as providing customised assessments and plans.