In today’s blog, we sought the viewpoint of your everyday user. We pride ourselves on being an employee-centric security awareness training provider, so what better opinion than that of the exact people we’re all trying to help?
Who knows, we might make this a regular thing.
You, your computer and your awareness
I’m an ordinary, everyday employee within my organisation. And, I use computers at work – a lot.
We probably all do, these days. It’s nearly impossible to communicate without them, and it’s hard to keep up with how fast this kind of technology changes.
Throughout my working life – and computers have been ubiquitous throughout… I’m not that old – I’ve noticed a trend; when I first started work there wasn’t any kind of training on the dos and don’ts of using IT at work. Gradually, and I presume because of problems that were cropping up in real life, some training emerged around what you could call ‘computer etiquette’; don’t send dodgy pictures on work computers, basically. Don’t look at any websites you wouldn’t want your boss to see you looking at.
We know now, of course, that wherever there’s a channel for communication, someone out there will try and use that to get money, or to create some kind of mischief.
When did you first become aware of security awareness training?
I think employers learnt from experience, theirs or others’, and started drilling cyber-security awareness into us. It seems like it’s just another of the important, practical skills for life that we didn’t learn at school. What I did learn at school, however, is that there are a few different learning styles, and so I can see how it must be difficult to present training in a way that will appeal to everyone, and really stick with them.
Do you consider security awareness training to be important, or a hindrance?
Actually, cyber-security awareness is incredibly important; you don’t have to look far to find news stories about businesses losing millions to hackers and scams, politicians leaving unencrypted laptops full of sensitive information on trains, cyber-terrorism, even attacks on hospitals or vulnerable individuals.
The really scary thing is that it seems like it’s so easy to be vulnerable to a cyber-security attack. Just a dodgy link in an email – and they can look really convincing – can be enough to shut down huge organisations. Or enough to convince someone to give away their bank details, passwords, virtual and physical access to assets.
It’s clear that security awareness training is essential, and it seems to be part of the training package for new recruits at lots of professional organisations now.
As cyber-crime is adaptive and develops as fast as new technology, there’s a need for regular updates too, added to the mandatory training catalogue. ‘Mandatory training’ elicits a little groan from everyone who hears the words, though. When it’s online training you can sometimes just click through the teaching session really fast and answer a few multiple-choice questions at the end. Job done… or is it?
There has to be a better way than training that feels like a chore, that we rush to get through and don’t really learn anything from.
What makes security awareness work for you?
It has to really stick in your head, right from the start. When just one wrong click can be catastrophic and you get to see real-life consequences. It has to be relevant to the learner, perhaps with real case studies to humanize the risks and stress the importance of cyber-security. To stress the importance, that is, but not to terrify the user.
There are some examples out there of people losing their jobs or being sued for just one click on a dodgy email, and that doesn’t really seem fair; at least, not if they didn’t get good training that helped them really understand. That idea that just one little thing can have terrible results can be scary, but it can also help the user to understand that what they do is important, and when people feel like they have importance and power – even the power to really mess things up – they’ll pay attention.
What do you think is key to employee engagement, from an end user perspective?
A lot of people – I’m talking from personal experience – can’t always really understand and learn from training in any meaningful, long-lasting way until they see examples and do it themselves, so really good cyber-security training should offer that, and make it fun.
If they can make a kind of sandbox example of a real user interface, that you can almost play through and identify risks, really gamified training, then I think that would help a lot of people learn, and help that training to stick with them.
Interactive training means you have to be focused and actually pay attention to what you’re doing, not just click through slides.
If you’re going to make it so people have to concentrate – and they do have to concentrate – then it really has to be interesting and fun, otherwise that’ll just increase the ‘groan’ factor.
And not too long; there’s only so long you can sit at a computer and learn about the mercenary attacks of faceless cyber-criminals. It’s a bit doom and gloom. Although maybe there’s something in that; it does sound like something from a comic. There ARE criminals who might attack through YOUR emails, and only YOU can stop them. A security awareness program with emphasis on the user as an important line of defence, with a feeling of respect towards the individual user’s vigilance and ability to recognise, report, and stop cyber-crime in its tracks… now THAT’s exciting.
Looking for a security awareness training programme that your employees will want to engage in? Sign up for a free demo and find out how we’re already helping organisations just like yours.