Much has been made about the cybersecurity skills gap, and for good reason. There is a scarcity of cybersecurity professionals worldwide, which makes networks and those who depend on them—which is almost everyone—less safe. This is compounded by the fact that humans continue to be the weakest link in an organization’s cybersecurity posture. There is an insufficient number of professionals to keep networks secure, and there is a general lack of cybersecurity awareness by employees making basic mistakes that create greater cyber risk.
Clearly, employees need consistent, high-quality training on basic cybersecurity and cyber-awareness. One barrier, though, is that in today’s machine-speed business environment, it is difficult to break away from daily tasks to take part in traditional live or online training initiatives that require long blocks of time. Organizations need a new training paradigm that delivers appropriate content without disrupting business.
The traditional view of training is of people sitting in a classroom for several hours or days with an instructor or facilitator at the front of the room. Or of sitting in front of a computer working through many modules of a self-pace training course. While these methods of training can be quite effective, the field of training and education has evolved considerably over the last several years.
There are many forms of less traditional training methods that have proven to be very effective and can address challenges CISOs are facing in building a truly cyber aware workforce. Implementing many of these non-traditional techniques means that employees are away from their workplace far less (in some cases not at all) and transforms the learning experience from an isolated event where the learner “consumes training content” to a culture of continuous learning where employees are “active participants” in a more informal, social, interest-driven learning process.
There are many scientific benefits to some non-traditional training techniques such as reduction of cognitive load leaving learners feeling more engaged and increasing the levels of information retention. The scientific benefits are beyond the scope of this post, but there is no shortage of scientific data available to anyone online. Examples of non-traditional training techniques include:
Job Aids: As stated above, training doesn’t always need to be employees sitting in a classroom. There are many times when employees need to perform tasks that are exceptions to their day-to-day routine and that can be quite complicated and unfamiliar. Often these tasks can be learned far more effectively through the use of job aids. A good example of this is when an employee receives an email that could be malicious. Rather than wading through a large training manual or trying to remember the specific characteristics of malicious emails that were discussed in a previous class, an employee can reach for a job aid. This type of job aid could be as simple as a two-sided laminated sheet with one side describing the characteristics of various malicious emails and the other side with simple flow charts of what to do. This is essentially ‘Just-in-Time’ learning that will soon become second nature to the employee.
Microlearning: Microlearning is a general concept of providing relatively small chunks of learning to participants where and when it is appropriate. Microlearning content can be delivered in a variety of ways ranging from modern learning management systems (LMS) that push microlearning content to users. Or it can be through less formal means such as quizzes integrated into regular news letters or informal activities. Microlearning is an ongoing trend that meets the particular needs of today’s fast-moving organizations and their employees. While it is a general concept that applies to a number of techniques, Microlearning is best suited for skills-based learning which is quite applicable to cybersecurity skills and awareness. With the landscape changing so often, microlearning can be delivered regularly to reinforce security topics and required skills, increasing the odds of retention and compliance.
Gamification: Gamification is a technique using elements comprised of video game design in learning environments. The goal of gamification is to engage learners through familiar fun activities and in some cases create a competitive and or social environment. By gaining points, elevating their status level, getting to the top of a leaderboard or one of many other gaming techniques, users are inspired to continue learning. Gamification of learning can be implemented in a number of ways and to a number of degrees. It can be as simple as awarding points as people participate in ongoing microlearning activities, or more complex live in-person “capture-the-flag” competitions. From a cybersecurity awareness perspective, gamification of learning could be implemented in conjunction with MIS teams sending out simulated phishing attacks and awarding points to employees who avoid the attacks and can identify various characteristics. The Fortinet XPerts Academy event in Latin America is a good example of gamification being used in a much more extensive manner to create excitement and engagement before a training event even starts. Take a look at the challenge video sent to registered participants.
Digital Badging: Digital badges are defined as “a validated symbol or indicator of an accomplishment, skill, quality or interest”. While not a training technique itself, digital badging can be a great tool to motivate behavior and engage learners by recognizing achievement. Digital badging can also be used as a mechanism to communicate a person’s status or membership within a community. In fact, digital badging is quickly becoming an alternative to traditional technical certification designations that often require significant time and financial investment by individuals. In 2011 the whitepaper “An Open Badge System Framework” by Peer 2 Peer University and The Mozilla Foundation became the catalyst for what has become an effective network of open digital badging systems that allow individuals to share their badges broadly across the internet with peers, credentialing bodies, potential employers and others. This can be a great enabler for CISOs and HR departments wanting to assess skills and knowledge of potential new hires into an organization. It can also be a great tool for internal compliance teams to easily measure and report on critical cybersecurity awareness of the general employee population.
Awareness Campaigns: While not as technological as gamification or digital badging, an often overlooked method of training is leveraging existing awareness campaigns. These campaigns can be focused specifically on a training initiative such as cybersecurity awareness, or could be larger campaigns that are well aligned with your learning objectives – such as Cybersecurity Awareness Month. They can be internal campaigns or external campaigns that typically provide a significant number of resources and support. The Association for Talent Development for example promotes an Employee Learning Week each year, citing a growing skills gap and the need to remain competitive in today’s global economy. An industry awareness campaign like this can be a great vehicle to launch or expand a cybersecurity awareness campaign.
No matter which training formats you choose, you will need solid cybersecurity information to convey. Below are some best practices that should be included in every training initiative aimed at creating a Cyber-Aware Workforce.
1. Overhaul your passwords
For now, passwords remain a necessary evil. Because we have so many online accounts, it’s too hard to remember that many different passwords. So, we tend to use the same password for all of them.
Instead, try one of these options. Use a password vault that stores the username and password for each account, so all you have to remember is the single password for that application, and it takes care of the rest. Or create a tier of applications and then create more complex passwords to remember for each group. One set for sites like social media, another for places you pay your bills and another for your bank.
Two-factor authentication is an additional option, requiring you to enter a password and then validate that login using some other form of authentication, such as entering a code sent to your mobile device. This significantly increases the security of your accounts and data.
2. Become email and web scam-savvy
Never open an email or click on an attachment from someone you don’t know – especially when it includes an enticing subject line, such as a cash reward or a bill for something you didn’t purchase. In addition, know that compromised accounts are regularly used to send malware to individuals in their contact list because recipients are far more likely to open those emails and attachments. If an email message from someone you know seems strange or out of character, check with them first before you open it.
Don’t click on links in advertisements sent to your email or posted on websites unless you check them first. Does the website look professional? Are there lots of popups? Is there bad grammar or misspelled words? If you hover your mouse over a link, you should be able to see the real URL. Does it replace letters with numbers, or is it unusually long? If so, don’t click on it.
3. Check your Wi-Fi
Public Wi-Fi access points are not always safe. Hackers can connect to a public access point and then broadcast themselves as that access point, which means they can intercept all data between you and your online shopping site, bank, home security system and so on.
It’s often hard to tell a good access point from a bad one. Ask an establishment for the name of its Wi-Fi SSID before you connect. And consider installing VPN software on your device so you can make a secure, encrypted connection to a known service.
4. Defend against viruses and malware
Find industry- and consumer-recognized anti-malware software, keep it updated and run it regularly. For more advanced users with a laptop or desktop, also consider maintaining a clean virtual machine on your device that you can switch to for your more security-sensitive browsing or to perform online transactions where security is paramount.
5. Update your devices
Hackers are highly adept at targeting vulnerabilities that are already well known but which are not being protected against. The developers of your devices, as well as the apps you run on them, all issue regular security updates to protect you from known threats. Download and run these updates as soon as they become available.
Cybersecurity remains a primary concern for all organizations, and cybersecurity awareness training needs to be part of any successful strategy to keep networks and data safe. The BYOD, work-anywhere culture increases risk, but it also provides greater opportunity to train employees on good cybersecurity practices using a variety of non-traditional training techniques. By evolving your organization’s training strategy to include a variety of non-traditional techniques for your cybersecurity needs, you have the potential to do more than build a Cyber-Aware Workforce, you have the potential to change the overall learning culture of your organization and become a true Learning Organization.