As part of creating a strong cybersecurity compliance program, companies need to incorporate employee security training. However, data shows that the phishing training for employees most organizations use does not protect against cybercriminal attacks. Creating a strong employee cybersecurity training program requires moving from awareness to actionable steps while also incorporating measurements that validate the program’s effectiveness.

Start with the Vocabulary of Cybersecurity

From the c-suite down to the new hire, employees struggle with the vocabulary of cybersecurity. Many people find themselves overwhelmed by technical terms or assume that they need computer programming skills to understand cybersecurity.

Starting with a fundamental shared vocabulary helps address this problem. For example:

• Cybercriminal: someone who uses technology to engage in illegal activities
• Dark Web: a type of internet that provides information that traditional browsers like Chrome, Internet Explorer, and Firefox can’t find
• Encryption: disguising information so that even if someone obtains it, they cannot read it
• Exfiltration: getting access to digital locations and removing information from the inside
• Firewall: a digital wall that keeps cybercriminals from getting into systems, software, and networks
• Multi-factor Authentication: Using a password that you know along with either a code sent to a device that you own (such as a text to a smartphone) or something unique to who you are (such as a fingerprint).
  

Creating a basic vocabulary in everyday terms brings people together and reduces feelings of inadequacy. On a fundamental level, cybersecurity is not difficult. Businesses need to create meaningful cybersecurity awareness.

Build on Employee Security Awareness

Awareness means recognizing a problem exists. Most employees are aware of cybersecurity risks such as phishing or password hygiene. However, both problems continue to cause data breaches.

Once training creates awareness, it needs to move into understanding. For example, after defining cybercriminal, the training needs to explain the types of illegal activities that occur.

• Cybercriminals do not sit at computers typing all day in hoodies the way television shows and movies portray them. They often purchase software or code that allows them to break firewalls.
• Cybercriminals use specialized internet browsers that allow them to access forums and resources on the dark web. These forums and resources can be viewed as criminal social media.
  

Starting with the terms defined in the vocabulary lessons, effective cybersecurity training in the workplace  explains what happens using those terms. As employees move through the training, they internalize the what and how to think more deeply about the information.

Enable Employees to Make Connections

Once employees are aware and able to understand how cybercriminals operate, the training needs to help them make connections.

Most employees, for example, know that they need to have strong passwords because the company’s tools force them to do it. However, they may not understand how password strength and multi-factor authentication keep cybercriminals from obtaining information. However, to do this, the training needs to ask open-ended questions that force employees to think on their own.

• Cybercriminals use computer programs that they purchased on dark web forums to guess at login and password information.
• These programs use similar math to programs that suggest passwords.
• Why do you think that you need to create a personal password?
• Why do you think that multi-factor authentication helps protect from cybercriminals?
  

Once employees make connections on their own, they start to better understand why the company has policies and are more likely to do a better job of following them purposefully.

Empower Employees to be Cyber Secure

Most employees want to do their jobs appropriately and stay employed. However, they may not always have the right tools for maintaining cybersecurity within the organization.

Education leads to empowerment. Employees need knowledge as well as the tools to make better decisions. Training needs to be attainable and actionable. As organizations add more Software-as-a-Service (SaaS) applications that allow collaboration and remote work, they force employees to create more passwords. Since most people fear they will forget passwords, they either reuse them or create weak passwords.

Empowering employees can mean using a single-sign-on that allows them to use a single password for all applications. It can also mean providing them with a password manager. For example, if they make the connection between weak passwords, multi-factor authentication, and cybercriminal data exfiltration, they will be more likely to want to engage in cyber secure behaviors. However, the training is not attainable if they cannot act on it. If they need to create a separate password for each application that they need or store it themselves, they will not be empowered to act on the training. Thus, cybersecurity training remains ineffective.

Measure the Outcomes

Training needs to be measurable to prove governance over the company’s cybersecurity program. However, metrics need to provide visibility into the training’s effectiveness and need to do more than prove that employees have answered multiple-choice questions correctly.

• Require a minimum score to complete the training
• Offer more than one training on the same topic
• Provide open-ended training opportunities that focus on real-world examples
• Review security metrics to determine whether employees are acting on the training or going through the motions
  

The bare minimum cybersecurity program requirements often come with online training to ease organizational burdens. These provide the fundamental vocabulary and information. However, companies need to go beyond the basics to build knowledge, make connections, and empower employee security. Thus, a single phishing training for employees done online may not protect the organization from a data breach because it provided information while lacking the ability to build knowledge and make connections.

Moreover, compliance requires more than documenting an activity. To comply with increasingly strict governmental and industry standard requirements, companies need to prove that the training effectively mitigates risk and document governance over those controls. Comparing the results of multiple training sessions provide metrics that show learning and growth. Increased overall scores provide insight into how well employees are internalizing the information.

Zeguro to Identify Threats & Train Employees

At Zeguro, we understand people and businesses. A security-first approach to cybersecurity starts with people - employees and business owners. We provide metrics that help identify risks, create policies, train employees, and monitor control effectiveness. Get a risk-free 30-day trial of Zeguro's cybersecurity training software plus our full cybersecurity suite.