Ensuring that all employees have the right skills and awareness to help protect the company network is as important as ever. With cyber attackers evolving their thinking in order to catch companies out, internal cyber security training needs to be at the forefront of the cyber security strategy. With this in mind, here are some tips on how to boost the cyber security training in your organisation to ensure all staff are ready to defend the network.
Constant strategy communication
For organisations in every industry, it is vital to hold regular training sessions on the dangers of cyber crime. Along with this, the workforce should be regularly updated on strategy by security leaders, including any new risks that are important to know.
“Adequate cyber security training and awareness should include outsourcing white hat hacking and phishing campaigns to imitate real-world attacks, as a team will therefore begin to understand the dangers and consequences that come with insufficient knowledge and poor defence systems,” said Rick Jones, CEO of DigitalXRAID.
“When employees recognise an attack and report it, CEOs must remember to support and reward their team in order to further incentivise vigilant behaviour.
“Alongside training sessions, information about a company’s cyber security strategy should be regularly communicated with the team. Business directors should strive to integrate cyber updates into their weekly team meetings, while internal NetOps and SecOps teams have an important role to play in ensuring that the C-suite remains constantly informed of any new scams or vulnerabilities that may pose a threat to business security.
“Ultimately, education, information and training lie at the centre of any successful cyber security strategy.”
Harjott Atrii, executive vice-president and global head of the digital foundation services at Zensar Technologies, added: “Creating awareness is critical as each employee is responsible for practicing cyber security protocols.
“Having periodic communication on the evolving nature of threats, sharing best practices on how each one can follow simple protection tips goes a long way in mitigating attacks.
“Also, creating an internal task force to update protocols and monitor all incidents proactively helps too.”
Make it personal and relatable
A big part of maintaining engagement among staff when it comes to cyber security is explaining how the consequences of insufficient protection could affect employees in particular.
“Unless individuals feel personally invested, they tend not to concern themselves with the impact of a breach,” said James Spiteri, principal security specialist at Elastic.
“Provide training that moves beyond theory and shows the risks and implications through actual practice to help engage the individual. For example, simulating an attack to show how an insecure password or bad security hygiene on personal accounts can lead to unwanted access of people’s personal information such as photos or payment details could be very effective in changing behaviours.
“Teams need to find relatable tools to help break down the complexities of cyber security. Showcasing cyber security problems through relatable items like phones, and everyday situations such as connecting to public Wi-Fi, can help spread awareness of employees’ digital footprint and how easy it is to spread information without being aware of it.”
Andrew Daniels, CIO and CISO at Druva, explained how having tests in place and encouraging reports of attacks when seen by staff can also help to maintain alertness across the workforce.
Daniels said: “While some may disagree, testing your employee base with simulated attacks can help them be on the lookout for risks. This will give you a better picture of who needs more training and will be valuable for those that need to learn through more tangible examples.
“But simulation alone won’t work. You have to encourage and recognise when they report the phish, even when it is your own test.
“This could be a simple response back to the employee thanking them for the report and letting them know what they spotted, for example a test or a legitimate attack. This will encourage them to continue to report.”
Build up a test and sandbox environment
Establishing a specific environment for tests and sandboxing is another aspect to consider. Having such infrastructure in place allows teams to build up their security skill sets in a controlled digital space.
Julien Escribe, partner at ISG, explained how the emergence of security labs has boosted the effectiveness of training initiatives: “The need for privacy, compliance with GDPR and the rise in hacking activities have pushed organisations to focus more on cyber security training.
“The new cyber security labs that are being rolled out (internal and/or sourced as a managed service) help with training, experimentation and sandboxing. New forms of training include internal workshops, mailing lists, hackathons, and socialising cyber risks via short videos followed by quizzes.
“Some companies also use techniques such as organised phishing (in a controlled and secure way) to measure the efficiency of the trainings.”
Cyber security initiatives such as Capture the Flag and hackathons have been known to help develop security skills in an interactive way, and can be done in lab environments.
Rainer Saks, member of the management board at Cybexer, said: “There is specific training that you should provide for your infosec teams. They need to be given an opportunity to work together in a realistic, capable and credible virtual environment that enables them to respond to scenarios in real-time.
“This training can be achieved with sophisticated cyber ranges that can mimic your IT-systems. It is particularly useful to run task-driven Capture-The-Flag (CTFs), live-fire exercises, or a combination of both (threat hunting). It is also very important that your team learns to work together and master your systems, even under high levels of stress.
“Building up a cyber range can be expensive, but without a proper cyber security strategy in place, the costs of failing to prepare can be much higher. It would make sense for the likes of Fortune 1000 companies to acquire and run their own cyber ranges, but smaller enterprises can still afford to purchase CTFs, live-fire and threat hunting exercises from competent and capable cyber security companies.”
Consider industry and ethics
Finally, while sufficient, in-depth cyber security training is paramount in every industry today, this doesn’t mean that such initiatives shouldn’t take the particular sector into account. Every industry will have its own particular assets, whether it’s financial data in banking or patient data in healthcare, meaning that training needs to be tailored accordingly.
This, along with considering the ethics of security tools, will go a long way towards successful protection of the network, according to Ramsés Gallego, international chief technology officer, cyber security at Micro Focus.
“Across the cyber security industry, numerous options for training and professional certifications exist,” said Gallego.
“However, certifications are just the beginning, and initiatives to boost cyber security training and standards internally need to be driven in a programmatic way to be successful. All training should be considered as part of an overarching cyber security strategy and consistently updated as threats evolve.
“It should also be specific to the industry of the business and be an accurate representation of what security professionals will encounter in the real world. Ultimately, training needs to provide individuals with the expertise, knowledge and willingness to protect and defend, while understanding the ethics around the development of cyber security solutions.”