There have been many key lessons learned, in terms of Cybersecurity, from COVID19. I think I have mentioned them quite a bit in previous blogs, but just to recap, probably two of the biggest are the need to have a rock solid Business Continuity (BC) Plan, and the need to use a good Cloud based Platform, such as either Amazon Web Services (AWS) or Microsoft Azure, into which to migrate your entire IT Infrastructure.
But yet another key lesson that has been learned is that employees, whether they are WFH or back in the office, need security training. It is not a one-time deal; it is something that needs to be done on a repeated basis, so that whatever messages you are trying to convey will finally hit home.
This is now more paramount than ever, as the Cyberattacker realizes that there are more backdoors through which they can penetrate in order to reach your digital based assets.
Proper security training for your employees takes both technical and psychological savvy, because the important thing to remember is that you have to keep your employees not only engaged during the training session, but motivated afterwards as well, so that they will maintain good levels of Cyber Hygiene.
But still, many security programs go unlistened to, or if they are listened to at all, employees do not seem to remember much afterwards. So, what are some of the key barriers that are hindering this learning process? Here are 4 key ones that many psychological researchers have uncovered:
*The person conducting the actual training does not feel confident:
More likely than not, it is somebody outside the realm of the IT Security Team that is conducting these sessions. It often falls into the lap of the Human Resources (HR) Department, and because of that, they often feel uncomfortable delivering a topic that deals with technical details. As a result, that individual appears nervous in front of the audience. When delivering a security related message, the speaker has to be confident in both what they say and do, so that your employees will take them seriously. If not, they will probably think, what is the point of it all? Well, keep in mind, if you are an HR rep and have to deliver this training, you only have to teach the very basics, such as:
*How to recognize a Phishing based Email;
*How to talk about proper Password Management;
*How to report any suspicious behavior.
That is it. You just have to keep it to these very basics, as this is where employees seem to make the greatest number of mistakes. But in case you do get barraged with a slew of technical questions, it is always a good idea to have somebody from your IT Security team on hand to answer them.
*Cybersecurity is the first line item to get axed:
Let us face it, whenever a company is facing a cash crunch or there is a slowdown in overall economic growth, it is the IT budget and the other budgets that fall under it that often get slashed first. Because of this, many in the C-Suite are leery about offering security training, because they think it will cost too much money. But this is simply not true. You can easily create your own training in house in collaboration with your IT Security team, or if not, you can always hire a vCISO to deliver the training at a very affordable and fixed price. But if this still falls on deaf ears (which it highly likely could), then you need to speak the language of the C-Suite: that is, break everything down in terms of dollars and cents. Here is an example:
*The average cost would be $4,000,000 if we are hit with a Cyberattack;
*Effective security training would lead to an increase of about 24% in profits for the company;
*In Corporate America, Cyberattacks have cost businesses at least $45 billion. Do you want us to be a part of that statistic and have our brand image tarnished in front of our customers?
You get my point.
*There is just not enough time in the day:
Truth be told, there is enough time in the day. It is just that you do not want to make the time, because it is simply a low priority. But given the times that we are in right now, it is absolutely imperative that you do make the time for this. Remember, the average attention span of a human being is no more than 45 minutes at most. Anything longer than that, and your employees will become disengaged. Surely you can spend 45 minutes having an effective training session. Keep in mind that you do not have to jam all of the information into one session. You can have multiple ones, say over the time span of one month. If all of this still falls into the abyss of ignorance from the C-Suite, then once again, bring it down to a language that they will respond to, with something like this:
If we are impacted by a Cyberattack, it could possibly take our business at least 10 days to recover from it. That in itself will result in 80 hours of lost work productivity for each and every employee involved in finding out what happened and mitigating it. Just imagine what the impact of this downtime will be on our company’s bottom line?
That should do the trick.
*Your company has a reactive security mindset:
This is not just a problem with Corporate America, but with the United States in general, to be blunt about it. We simply do not react to anything until we have been impacted. Changing your company’s cultural mindset to one that is very proactive in nature can be an exceedingly difficult task to accomplish and will take an exceptionally long time. But that is not your job. Your job is to get buy-in from the C-Suite to advocate a good, overall Cybersecurity posture for the company. Remember, it all comes from the top down. If the C-Suite is motivated to have strong levels of Cyber Hygiene, then the rest of the employees will be also. One way to do this is to relate to your C-Suite on a personal level. In this regard, try to bring in people that have really been impacted by a security breach, and have them talk about how it has profoundly changed their lives. Once you have done this, then mention the fact that recovering from a Cyberattack is not just a one-time deal. Rather, it will have lingering side effects, especially when it comes to rebuilding your brand and trying to win back lost customers. Put it to your C-Suite this way:
It can take months to get a new customer, but just 2 seconds to lose one. Just think of all the extra time it will take to get new customers if we are impacted?
That should raise some alarm bells.
My Thoughts On This
As mentioned, once you have delivered a security awareness program, it should not be viewed simply as a one-off. Rather, this needs to be done on a regular basis. Think of it this way: Wash, Rinse, and Repeat. But one especially important thing to remember is that in this training, you have to keep your employees interested and motivated for the long term.
With this in mind, keep your security awareness training programs engaging at all times during the training.
Do not just simply go over a bunch of concepts and tell your employees what the consequences will be if they do not follow the rules. This is the worst kind of mindset that you can instill, as the chances are that they will simply ignore everything that they have been taught and purposely make mistakes, such as intentionally clicking on a Phishing based Email.
Worse yet, this could even precipitate the intent to launch an Insider Attack.
Instead, make the security training program fun by introducing the concept of gamification, and even introduce a spirit of competition into it as well. For example, after the training has been completed, hold a contest, and even offer some financial rewards, such as a gift card to Starbucks or Panera Bread, for those employees that have exhibited high levels of Cyber Hygiene.
But remember, you also have to get an ROI for all of the security awareness training programs that you are conducting. The specific metrics to be established will depend upon the environment of your company, but one of the best ways to do this is to launch simulated Phishing Attacks and see which of your employees fall prey to them.
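One way to turn those simulation results into the ROI metrics just mentioned (click rate and report rate per campaign, repeat clickers who need a follow-up, and whether the trend is improving), as an added example that is not from the original post; the record layout and the sample results are constructed:

```python
# Added example (not from the original post): metrics from simulated-phishing
# campaigns. All records below are constructed; the field layout is an assumption.
from collections import defaultdict

# Constructed results from three monthly simulations:
# (employee, campaign, clicked the link?, reported the email?)
RESULTS = [
    ("alice", "2021-01", True,  False),
    ("bob",   "2021-01", True,  False),
    ("carol", "2021-01", False, True),
    ("dave",  "2021-01", False, False),
    ("alice", "2021-02", True,  False),
    ("bob",   "2021-02", False, True),
    ("carol", "2021-02", False, True),
    ("dave",  "2021-02", False, True),
    ("alice", "2021-03", False, True),
    ("bob",   "2021-03", False, True),
    ("carol", "2021-03", False, True),
    ("dave",  "2021-03", True,  False),
]

def campaign_rates(results):
    """Per campaign: (click rate, report rate) as fractions of recipients."""
    clicks, reports, total = defaultdict(int), defaultdict(int), defaultdict(int)
    for _, campaign, clicked, reported in results:
        total[campaign] += 1
        clicks[campaign] += clicked
        reports[campaign] += reported
    return {c: (clicks[c] / total[c], reports[c] / total[c]) for c in sorted(total)}

def repeat_clickers(results, min_clicks=2):
    """Employees who clicked in at least min_clicks campaigns: the people who
    need a targeted follow-up session rather than another all-hands slide deck."""
    per_employee = defaultdict(int)
    for employee, _, clicked, _ in results:
        per_employee[employee] += clicked
    return sorted(e for e, n in per_employee.items() if n >= min_clicks)

def improving(rates):
    """True when the click rate fell and the report rate rose between the
    first and last campaign, the simplest sign that the training is paying off."""
    first, last = rates[min(rates)], rates[max(rates)]
    return last[0] < first[0] and last[1] > first[1]

if __name__ == "__main__":
    rates = campaign_rates(RESULTS)
    for campaign, (click, report) in rates.items():
        print(f"{campaign}: click rate {click:.0%}, report rate {report:.0%}")
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("trend improving:", improving(rates))
```

The report rate is worth tracking alongside the click rate, because an employee who reports the email is the "eyes and ears" outcome the training is aiming for, not just someone who happened not to click.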
Remember, employees have often been thought of as the weakest link in the security chain. But they do not have to be. You can make your employees your partners in Cybersecurity and make them your eyes and ears to report anything to you that is out of the ordinary.