© 2023 Solicitors Journal in partnership with the International In-house Counsel Journal | Picture Credits: Freepix, Unsplash and by permission of the authors
Alastair Murray

Director, The Bureau

Train employees to be your ‘human firewall’

Thu May 18 2023 | Business

Alastair Murray explores the importance of continuous cyber-security training for employees

Organisations have an increasing desire for effective cyber security awareness training for their employees. They are well aware that most phishing attempts, hacks, malware downloads or ransomware attacks can be attributed to mistakes made by management and employees. Recognising the need for a solution, these organisations understand that structured and competent cyber security awareness training programmes can address this situation effectively.

However, many cyber training initiatives are off-site, infrequent, complicated, difficult to run and generally ineffective. Businesses want something different: online training that staff can complete in the office, at their desks, and that runs continuously throughout the year to build knowledge and awareness.

Various providers offer highly specialised cyber security awareness services, delivering training through automated security awareness platforms (ASAP). These platforms offer online training modules focused on specific areas such as email anti-phishing, website security, password protection, mobile phone security and more. The training is designed to continuously build and reinforce knowledge in a cyclical manner, ensuring employees stay updated and informed on crucial cyber security practices.

New style training
These new style cyber security training programmes use short sessions of interesting and varied tasks for employees to learn at their own pace and according to their risk profile. Staff working in reception are likely to be low risk, but staff working in accounts will require a strict regime of cyber security. Applying training that is relevant, varied and interesting helps keep management and employees engaged and keen to learn.

A key element of cyber awareness training lessons is that they are short, from five to 15 minutes, with each one developing a specific cyber security skill. When studying the email modules, employees are taught specific skills for not clicking on links and downloads. An employee may sail through their email modules and quickly move on to the next, more difficult task, or alternatively may need to run through the tasks again, having not passed the first time. Each can be repeated until the employee feels confident enough to move on to the next, more advanced training module.

Applying the Hermann Ebbinghaus theory, that the more often you are subjected to the same learning the more likely you are to remember the tasks set, helps galvanise employees into adopting a greater sense of cyber security awareness and applying it to their daily routines.

How does it work?
One of the key features of an ASAP programme is that it is easy to launch, configure, and monitor. A compliance officer, HR department or practice manager can set up the tutorials with little or no IT knowledge. The platform can be set up so that specific users, or all management and employees, receive training according to their risk and skill levels.

There is no need for a manager to create an individual timetable for each employee, as the ASAP will adopt the particular cyber security awareness model that comes with the package. There are many types of programmes, and the model will depend on which provider you choose. It is then down to management to choose who does what and when, assign employees to categories, and start their training.

Creating a training plan
Everyone is allowed to study at their own pace, in line with their level of risk and learning speed, and around their holidays. If Jack from sales wants to spend just ten minutes a week fulfilling his training, this is allowed, in the same way that if Mary from accounts wants to spend an hour a week doing her lessons, this too is acceptable.

Organisations can utilise training modules that cover a range of essential cyber security topics. These modules include areas such as website security, email security with anti-phishing measures, password and account protection, social network and instant messenger security, PC and mobile security. Additionally, they may cover safeguarding confidential data, understanding social engineering tactics, handling personal information in accordance with GDPR, and maintaining

Each topic can be divided into several levels of complexity, from beginner to advanced. For a beginner, typical skills might include how to recognise fake pop-ups, executable files and browser extensions, and how to pay the right attention to redirects. A more advanced skill set might include only entering data on sites with an SSL Certificate, using unique passwords for each login credential, and recognising fake sites with misspelled names and fake sub-domains.

These email threats come in a variety of guises, including spam attacks, data extraction, phishing, business email compromise (BEC), account credentials theft, spear phishing and brand impersonation, all with the potential to seriously damage a firm’s reputation and credibility. Five-to-15-minute cyber training modules, taken at one’s desk, are already helping many firms successfully train employees to be their ‘human firewall’.

Firms can choose which level of cyber awareness training they want to adopt, from simple and basic training to intensive training that stretches management and employees. The training modules shown above are good examples of the type of training that can be undertaken. Employees can choose how much time to spend on their cyber security awareness training, with management setting the parameters for how much time is spent on individual tasks, which might range from twenty minutes to a couple of hours a week.

Management should help run these platforms, make suggestions for improving test results and the frequency of training reports, and decide when employees should train to get the most from the tasks. Employees can use any device, including mobile phones, at times that suit them, under the supervision of a manager.

Each topic can be divided into modules ranging from simple to highly complex tasks. For instance, a receptionist, who typically lacks access to sensitive information, may not be an obvious target for cyber-attacks. On the other hand, sales staff working remotely may pose some risk and could be subject to stricter security conditions when outside of the office. Meanwhile, the accounts department, responsible for managing the firm's finances, would likely face greater scrutiny due to the nature of their role.

An ASAP should be designed to encourage the absorption and retention of knowledge. The key to this is the regular reinforcement of this knowledge through past topics being referred to in different scenarios. So where past lessons on passwords or phishing were examined, these would help reinforce that knowledge.

Reporting and benchmarking
A manager should routinely check the results of each employee to monitor their performance and to send motivating or warning messages to the underachievers. At the same time, those ahead of schedule can be congratulated or rewarded. The end objective is to encourage every employee to build their cyber security awareness knowledge to keep the firm safer and more resilient to phishing, malware and ransomware attacks.

While insurers were selling cyber insurance before 2015, continuous cyber security awareness training probably started around 2015, when insurers began selling cyber insurance in earnest. Since then, the market for online cyber training has flourished, being adopted by firms throughout the country, increasing their cyber awareness and reputations in front of their clients. There are now over 100,000 firms with the Cyber Essentials and Plus marques, including several law firms, each keen to boost their cyber security credentials in front of their suppliers and clients.

 
