In the second part of our cyber security series, we take a look at why employers should stop defaulting to the ‘blame game’ and better support their employees with cyber security training and how to deliver it. Fiona Alston spoke with Dr Valerie Lyons, COO at BH Consulting to get informed tips for cyber security training.
Does your company issue phishing emails as part of its cyber security training for employees? How does it react when an employee clicks on the link? Does it send yet another training video for the employee to watch, or does it take responsibility for the curious click and ask ‘how can we support you so this doesn’t happen again?’
Or are the businesses you are interacting with online still making cyber security your problem, giving you the responsibility to defend your password in order to keep their systems secure?
This is where companies are failing their staff and users, according to Dr Valerie Lyons. Lyons has over two decades of experience in information security, and what she sees now is businesses making cyber security solely “the user’s problem” rather than building protections into their systems by design.
Build robust systems
“We have to start looking at pushback onto organisations who don’t force good practice,” she says. Companies that rely on simple password login details for their users to access their systems, whether it is banking, CRM or your online shopping account, are still making cyber security the responsibility of the user: remember your password, don’t lose it. Why are they not building robust protections into their systems to keep their customers secure?
The same logic applies to phishing and email-borne attacks. Lyons thinks it’s unreasonable to blame staff for every click when the organisation has leaky defences in its own systems.
“You are responsible as a consumer, as an employee, you’re being made responsible for an organisation allowing a phishing email in. And if you think about that, that’s crazy,” she says.
“Put all phishing emails into quarantine, let the employee take a look and see if they want that email – then it makes sense to say, you let an email into your mailbox, and then you clicked on it,” she suggests. Employers should first do everything they can to keep malicious messages out of inboxes, and only then ask employees to make judgement calls from a safer starting point.
Better training programmes
Lyons thinks phishing tests and training need a complete rethink, with too many employers treating them like a “gotcha” rather than a learning opportunity.
“Usually we do the training to slap people’s hands. We don’t come back to them afterwards and ask how can we support you, to improve on this,” she says. She advises a three-part approach which involves meaningful pre-training, a phishing campaign, and proper follow-up. How you handle the failures is key to spotting the inadequacies in your training programme and business systems.
“It’s a shared responsibility, but the organisation is currently taking little responsibility other than running the phishing test,” she adds.
Tips to improve cyber security training in your organisation
If you want to move away from blaming employees and build a better training system to support your staff to build their cyber resilience skills, Lyons gave us some tips to share.
Make it engaging, not tick-box. Use short, engaging videos, real stories and simple visuals instead of long, dull slide decks. Aim for “memorable and human” rather than “legalistic and technical”.
Do training before you test. Don’t jump straight to phishing tests; offer clear, practical training first so people know what to look for and why it matters.
Use phishing tests as learning, not punishment. When someone clicks a bad link in a test, follow up with a human conversation or a short refresher, not just a “you failed” screen. Ask them what made it look convincing, and what you could change to help them spot it next time.
Tighten email filtering and use quarantine. Configure tools so obvious phishing attempts go to quarantine, not directly into inboxes. Teach staff to review their quarantine folder and release only what they recognise and trust.
Share responsibility, don’t shift blame. Security is a shared responsibility; make sure everyone is aware of that. The organisation invests in good tools and processes, and employees stay vigilant and follow the guidance they have been given. Avoid messaging that suggests breaches are purely the fault of careless users.
Use relatable examples from your own environment. Has a recent attempt by a bad actor been foiled? Talk about it, blog about it. Let employees know that real attempts have been made and explain what made them suspicious.
And lastly, reinforce little and often. Instead of holding one big annual training session, integrate short, regular sessions: for example, show a short 5-minute video, run a quick quiz, or share a cyber security ‘tip of the month’.
This article was part of a two-part series. You can find part one, on password security with Fabio Cerullo, owner of Cycubix, here.