'If we leave too much gap between training activities, you then forget'
“We put a lot of focus and effort in technology but less on the people that use this technology.”
So says Theo Zafirakos, CISO of professional services at Terranova Security in Laval, Que.
While criminals continue to target corporate firewalls in an effort to gain valuable data, educating employees on the risks is often “the most neglected” part of the security equation, he says.
“This is why cybersecurity awareness training becomes very important: we give our staff and our employees access to technology assets and information, but we don’t necessarily train them and inform them of the risks and the threats that are associated with those technology assets.”
While training around tools is often mandatory and highly important for some industries, it is often overlooked for office-type jobs, says Zafirakos.
“If you have an employee operating in the field using a dangerous tool, you will train them how to use the tool right before they go on the job. We have to do the same thing with the technology tools that we give to our employees,” he says.
First steps
Before a training system is implemented, it’s good to begin by assembling a “cross-functional program team” that will be tasked with defining the purpose of such an effort, according to Zafirakos.
It should involve members of IT, communications and marketing, as well as HR, who are often involved in training, and they should be asking various questions before finalizing a training regime, he says.
“Who is going to decide what the program is going to look like? What are the different roles and responsibilities? What are the approvals? What does our organization have [in terms of] capacity and appetite for programs?”
Once that program is prepared, messaging is an important part of ensuring its success.
“We can’t make it too complicated, too challenging or too burdensome for the users to follow. It has to be engaging; it has to be interesting; it has to be short and to the point and easy to understand for the employees,” says Zafirakos.
Ongoing training
Ideally, this effort should be ongoing and include at least “one touchpoint per month,” he says.
“It may be in the form of a phishing simulation with feedback; it may be a longer course; it may be a lunch-and-learn activity, but at least once a month, have this touchpoint with your users to remind them of specifics.”
That repetition is key to changing bad habits, says Zafirakos, because the bad actors do not take time off.
“We have to repeat messages over time because we want to keep cybersecurity top of mind throughout the year, not just once a year with cybersecurity awareness month.”
“If we leave too much gap between training activities, you then forget,” he says.
The ultimate goal is to create a “security-aware culture, from the very top of your organization to every single employee, to make sure that everybody understands that they have a role to play, and there is something that they can do,” says Zafirakos.
“Focus also on culture. It’s very important to have a good cybersecurity culture, not just to have expectations of the employees but also to start from the top and communicate that expectation from executives, managers, and then employees and colleagues and peers.”
Who’s responsible?
While IT departments typically provide the expertise around a good security training program, it’s HR that really propels things along, says Zafirakos.
“We always recommend those two departments work together and clarify who does what, especially from an HR perspective with communications, onboarding new employees, adding cybersecurity training to the curriculum of new staff and working with management to establish: ‘Is our program mandatory or not? And if it is mandatory, well, who is going to follow up? And who’s going to handle escalations? And what are the consequences of non-participation?’”