Cyber awareness learning is “horses for courses”
Blog posted by: Ian Davies – Deputy Chairman of BMT Group and Senior Independent Director at the Institute of Chartered Accountants in England and Wales, 21 September 2016.
Different people respond differently to a variety of types and styles of cyber awareness training. With people being the crucial early warning system in a company’s defences against cyber-attack, Ian Davies considers why boards need to understand that a one-size-fits-all approach to cyber awareness learning and training is not going to reduce cyber risk sufficiently for them to have confidence in “people power”.
The quality of cyber awareness training in UK companies varies considerably, from those buying an off-the-shelf package through to expensive, specialist briefings.
Though not every company needs – as one PLC I know – to have cyber awareness training for 30 minutes every board meeting, it’s equally not good to employ annual “sheep dip training” because everyone in a company is at a different level of understanding and capability. There is a tendency to “tick a box” for cyber awareness training and while doing a basic course is better than nothing, doing it once a year has little impact.
Another issue is employee engagement: if you are able to empower employees to undertake the training most suited to them, they may buy into it more readily. Alas, when there is economic pressure on businesses, training gets cut, and “nice to have” learning like cyber awareness can get pushed back. But with the increasing threat from cyber-crime, I urge companies, especially boards of directors, to take a different view: be better aware of the overall risks to your organization and ensure staff are armed to tackle cyber risk. This will protect the company by reducing its risk profile and enhance shareholder value.
An ideal approach to cyber awareness learning
So what is the best scenario for improving an organization’s cyber awareness?
For directors, a cyber-attack simulation exercise with a facilitator is an excellent starting point for raising awareness and developing the capability to respond and recover from an attack.
People working in the finance team should be trained to identify digital communications that just don’t look right, such as an email purporting to be from the CEO which is either unexpected or has attachments and links that look strange. That means a mix of training, including formal classroom activity alongside more subconsciously effective methods such as storytelling, as in AXELOS’ Whaling for Beginners, the fictional account of a cyber-attack on a CEO. Equally, visual media can tell a memorable story, such as the film False Assurance, which has been licensed by all four big accounting firms, and many leading law firms, to show their staff.
Most front line staff in an organization would benefit from cyber awareness training that is “little and often”, and the training must recognize the differences between those working at a desktop computer provided by the company and those who bring their own devices to work or operate remotely.
One company I know provides training focused on staff not opening unusual, suspicious attachments. The month following the training, staff receive a planned bogus email as part of the training exercise to see how many people open it and why. Though it’s treated as a training exercise with an amnesty first time, the company reminds people that their action was, technically, a breach of company policy and possibly constitutes a disciplinary offence under their contract of employment. That certainly focuses people’s minds.
And while many companies still trust their cyber security to technology, they must realize that people are their strongest asset for cyber resilience, if properly trained. It needs a human brain to read an email and assess whether the contents are suspect. Despite improving algorithms, most software can’t be sceptical in the same way as humans can, but the majority of companies fail to recognize this.