Train employees to be your ‘human firewall’
Alastair Murray explores the importance of continuous cyber-security training for employees
Organisations have an increasing desire for effective cyber security awareness training for their employees. They are well aware that most phishing attempts, hacks, malware downloads or ransomware attacks can be attributed to mistakes made by management and employees. Recognising the need for a solution, these organisations understand that structured and competent cyber security awareness training programmes can address this situation effectively.
However, many cyber training initiatives are off-site, infrequent, complicated, difficult to run and generally ineffective. Businesses want something different: online training, done in the office at the employee's own desk, that continues throughout the year and builds knowledge and awareness.
Various providers offer highly specialised cyber security awareness services, delivering training through automated security awareness platforms (ASAP). These platforms offer online training modules focused on specific areas such as email anti-phishing, website security, password protection, mobile phone security and more. The training is designed to continuously build and reinforce knowledge in a cyclical manner, ensuring employees stay updated and informed on crucial cyber security practices.
New style training
These new style cyber security training programmes use short sessions of interesting and varied tasks for employees to learn at their own pace and according to their risk profile. Staff working in reception are likely to be low risk, but staff working in accounts will require a strict regime of cyber security. Applying training that is relevant, varied and interesting helps keep management and employees engaged and keen to learn.
A key element of cyber awareness training lessons is that they are short, from five to 15 minutes, with each one developing a specific cyber security skill. In the email modules, for example, employees are taught specific skills such as how to avoid clicking on suspicious links and downloads. An employee may sail through their email modules and quickly move on to the next, more difficult task, or may need to run through the tasks again, having not passed the first time. Each can be repeated until the employee feels confident enough to move on to the next, more advanced training module.
Applying Hermann Ebbinghaus's theory (the more often you are exposed to the same learning, the more likely you are to remember the tasks set) helps galvanise employees into adopting a greater sense of cyber security awareness and applying it to their daily routines.
How does it work?
One of the key features of an ASAP programme is that it is easy to launch, configure and monitor. A compliance officer, HR department or practice manager can set up the tutorials with little or no IT knowledge. The platform can be set up to select specific users, and/or all management and employees, to receive training according to their risk and skill levels.
There is no need for a manager to create an individual timetable for each employee, as the ASAP will apply the cyber security awareness model that comes with the package. There are many types of programme, and which one you get will depend on the provider you choose. It is then down to management to decide who does what and when, assign employees their categories and start their training.
Creating a training plan
Everyone can study at a pace that suits their own risk level, learning speed and holidays. If Jack from sales wants to spend just ten minutes a week on his training, this is allowed, in the same way that if Mary from accounts wants to spend an hour a week on her lessons, this too is acceptable.
Organisations can utilise training modules that cover a range of essential cyber security topics. These modules include areas such as website security, email security with anti-phishing measures, password and account protection, social network and instant messenger security, PC and mobile security. Additionally, they may cover safeguarding confidential data, understanding social engineering tactics, handling personal information in accordance with GDPR, and maintaining
Each topic can be divided into several levels of complexity, from beginner to advanced. For a beginner, typical skills might include how to recognise fake pop-ups, executable files and browser extensions, and how to pay proper attention to redirects. A more advanced skill set might include only entering data on sites with an SSL Certificate, using a unique password for each login credential, and recognising fake sites with misspelled names and fake sub-domains.
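As an added illustration of the advanced skills just listed (misspelled names, fake sub-domains, sites not served over HTTPS), the following Python script encodes those checks as a simple classifier. It is not from the article or from any ASAP vendor: the trusted-domain list and the sample URLs are constructed for the example, and the registrable-domain logic is a deliberate simplification of what a real tool would take from the Public Suffix List.

```python
"""Flag URLs that imitate an organisation's legitimate domains.

Added example; not part of the original article or of any training product.
The trusted-domain list and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlparse

# Constructed allow-list: the domains the organisation actually uses (assumption).
TRUSTED_DOMAINS = ["example-bank.com", "example-payroll.co.uk"]

# Second-level labels that commonly sit under a two-letter country code
# (co.uk, com.au, ...). A production tool would consult the Public Suffix List;
# this short set is a simplification for the example.
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "gov", "ac"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Return the part of the host name that someone had to register.

    'login.example-bank.com'      -> 'example-bank.com'
    'mail.example-payroll.co.uk'  -> 'example-payroll.co.uk'
    """
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL_SUFFIXES and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a URL the way the advanced modules teach employees to.

    Returns one of:
      'trusted'          registrable domain is on the allow-list and uses HTTPS
      'insecure-scheme'  allow-listed domain reached over plain HTTP
      'lookalike'        registrable domain is a misspelling or TLD swap of a trusted one
      'fake-subdomain'   a trusted brand name appears only as a sub-domain label
      'unknown'          no relation to any trusted domain
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unknown"
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted" if parsed.scheme == "https" else "insecure-scheme"
    reg_brand = reg.split(".")[0]
    labels = host.split(".")
    for t in trusted:
        brand = t.split(".")[0]
        # Nearly the same brand label, but not a domain we trust:
        # catches 'examp1e-bank.com' and 'example-bank.co'.
        if levenshtein(reg_brand, brand) <= 2:
            return "lookalike"
        # Brand name used as a sub-domain of an unrelated registrable domain:
        # 'example-bank.com.login-verify.net' is really login-verify.net.
        if brand in labels:
            return "fake-subdomain"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, one per category.
    for sample in [
        "https://www.example-bank.com/login",
        "http://www.example-bank.com/login",
        "https://examp1e-bank.com/login",
        "https://example-bank.com.login-verify.net/",
        "https://exampel-payroll.co.uk/payslips",
        "https://docs.unrelated-site.org/",
    ]:
        print(f"{classify_url(sample):16} {sample}")
```

The edit-distance threshold of two is tuned for brand names of the length used here; very short brand labels would need a tighter threshold or an explicit homoglyph table, and the 'insecure-scheme' check only tells you that HTTPS is in use, not that the certificate belongs to the organisation, which is the same caveat the training point about SSL Certificates carries.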
Email threats come in a variety of guises: spam attacks, data extraction, phishing, business email compromise (BEC), account credential theft, spear phishing and brand impersonation, all with the potential to seriously damage a firm's reputation and credibility. Five-to-15-minute cyber training modules, taken at the employee's own desk, are already helping many firms successfully train employees to be their 'human firewall.'
Firms can choose which level of cyber awareness training they want to adopt, from simple, basic training to intensive training that stretches management and employees. The training modules shown above are good examples of the type of training that can be undertaken. Employees can choose how much time to spend on their cyber security awareness training, with management setting the parameters for how much time is spent on individual tasks, which might range from twenty minutes to a couple of hours a week.
Management should help run these platforms, suggesting how to improve test results, setting the frequency of training reports and deciding when employees should train to get the most from the tasks. Employees can use any device, including mobile phones, at times that suit them, under the supervision of a manager.
Each topic can be divided into modules ranging from simple to highly complex tasks. For instance, a receptionist, who typically lacks access to sensitive information, may not be an obvious target for cyber-attacks. On the other hand, sales staff working remotely may pose some risk and could be subject to stricter security conditions when outside of the office. Meanwhile, the accounts department, responsible for managing the firm's finances, would likely face greater scrutiny due to the nature of their role.
An ASAP should be designed to encourage the absorption and retention of knowledge. The key to this is regular reinforcement, with past topics revisited in different scenarios: earlier lessons on passwords or phishing, re-examined in a new context, help to consolidate that knowledge.
Reporting and benchmarking
A manager should routinely check the results of each employee to monitor their performance and to send motivating or warning messages to the underachievers. At the same time, those ahead of schedule can be congratulated and/or rewarded. The end objective is to encourage every employee to build their cyber security awareness knowledge to keep the firm safer and more resilient to phishing, malware and ransomware attacks.
While insurers were selling cyber insurance before 2015, continuous cyber security awareness training probably started around 2015, when insurers began selling cyber insurance in earnest. Since then, the market for online cyber training has flourished, being adopted by firms throughout the country and increasing their cyber awareness and their reputations in front of their clients. There are now over 100,000 firms with the Cyber Essentials and Plus marques, including several law firms, each keen to boost their cyber security credentials in front of their suppliers and clients.