Cybersecurity is a relay race, here is how you can train for it

CC0 1.0 Universal (CC0 1.0)

By Carlota Sage, guest columnist

In my series so far, we’ve discussed choosing your productivity platform, turning on multi factor authentication (MFA), and how to communicate to users that you are turning off IMAP and POP. This week, I’ll address security awareness training.

I like to tell employees and internal users that cybersecurity is a relay race: Leadership runs the first leg, ensuring that commitment, funding, and good policies are in place; IT takes the baton to set up and monitor systems; and finally, the employee carries the baton to the finish line by using systems smartly. Just like running, though, to get good and fast, security awareness should be practiced constantly.

Note: this article will only address general security awareness training (SAT) and NOT security awareness training or certifications for developers, IT personnel, or security practitioners.

We need constant security awareness training? We don’t have time for that!

Would you rather make time for a ransomware event?

Right now, you may be giving a 15-45 minute “security awareness training” when on-boarding your employees, but with everything else going on as they start their new role, I’m willing to wager a bit of money that their “security awareness training” went in one ear and immediately out the other.

Security awareness training doesn’t need to be time-consuming, or expensive.

Security awareness training services like Wizer, Ninjio, Curricula, and Mimecast specialize in making 5-10 minute training sessions that can go out on a regular basis (I prefer a monthly cadence). I especially like Ninjio’s service – they create fresh content monthly in a cartoon or anime style that not only takes a lot of burden off your team, but users actually find the cartoon-y approach more engaging, meaning that training is significantly more successful than the PowerPoint HR was putting together before. Services like Wizer and Mimecast (who purchased Habitu8 to incorporate into their services) use Hollywood-professional production to make their recordings resonate with users, while Curricula uses a mix of scrolling storytelling and short cartoon videos to impart their training. Best of all, most of these services are available to very small organizations for around $2/user/month – or in the case of Wizer, for the very low cost of free. They all include administrative functions that will provide evidence if you’re going for a SOC2 or other compliance framework.

Note: I am not a fan of KnowB4’s platform. I find the videos to be outdated and cringe-worthy, and the administration to be burdensome. I personally refuse to endorse or recommend this platform.

As with all things, there’s a cultural/psychological aspect to SAT.

Organizations are made of people, and people are tribal. From a cultural perspective:

  1. Leadership should lead in SAT. Leadership should be vocal in their support of SAT, be the first to complete the training, and be open to discussing points of that training (even potentially negative ones) in their leadership and All Hands meetings.
  2. Positive reinforcement works better than shame. One of the best initiatives I’ve seen was at a non-profit client of about 80 employees. Their IT team started publicly thanking non-IT folks in Slack whenever they brought a legitimate phishing email to IT’s attention. The thank-you notes included a snapshot of the phishing email, educating the whole team on the current hot phishing topic of the week.
  3. Tie SAT to employee goals. By making SAT a managed business objective (MBO), key performance indicator (KPI), or other goal, leadership is setting the expectation that the employee will prioritize security awareness. I’ve even seen companies withhold or reduce bonuses by a small percentage if SAT hadn’t been completed in a timely manner.

Overall, cybersecurity isn’t a technical problem or a people problem, it’s an organizational problem – and you should treat it as such.