We Need to be Trained Better
If you ask any IT professional about the onslaught of recent cyber attacks and hacks, you will eventually get to the part where you learn what's causing it all. While Russian hackers and overweight basement dwellers will probably be brought up, what you might not hear is that these attacks succeed because of poor computer security practices by people like you and me. Both the Target data breach and the 2016 DNC email hack happened because somebody simply clicked on an email link without thinking - scary stuff!
The common response to this is to make sure that people are properly trained on how to use computers safely and securely. Except there is one problem: IT security training is usually boring and drab! If you can't get your security message across because you are using technobabble and unmotivated content, all your work will be worthless. If we are to train our staff to be good cyber citizens, we need to make sure they are properly engaged, want to take our training, and want to learn more.
Creating Awesome IT Security Training
How do you overcome this hurdle? By creating an IT Security Awareness program that is fun, engaging, and dynamic enough that it does not feel like a burden. The beautiful thing is, it is not nearly as hard as you would imagine! You can't just throw a PowerPoint deck up on the Internet and call it a day, but by following these steps you can recreate the kind of awesome experience that has been a success at my organization:
Step 1: Come up with actionable topics
Before you even begin your training program, identify the specific things you want to train on. Do you want to focus on email? Web browsing? Encryption? Malware? Come up with a list of no more than six topics you want to cover and reinforce during your training regimen. For the IT Security Awareness program at Wayne State University, our actionable topics are:
- Why Does Security Matter
- Protecting Your Data
- Email Attacks
- Managing Passwords
- Today’s Web Threats
- How to Report an IT Security Incident
Step 2: Talk to topic experts to get concise and practical advice
For each of your identified topics, find someone who is knowledgeable and have them come up with a list of practical takeaways for that topic. This focuses the training for each topic so that you can give proper background as well as concrete items for the learner to note down and remember. For example, if you are talking about data encryption, give the specific ways, procedures, and screenshots showing how to encrypt files, flash drives, laptops, and email messages. You want to showcase simple yet unique things that the learner does not already know.
Step 3: Tailor it to the culture and terminology of your organization
This is huge. How many times have you mentally tuned out training because the presentation was so obviously generic that you thought it didn't really apply to you? You want your training to match your organization as closely as possible. Call out actual names of departments, policies, and individuals. Use screenshots showing the programs and desktops commonly used by your audience. Name and reference the electronic systems and servers in use; hearing things like "Academica" and "Wayne Connect" has helped Wayne State employees feel more connected and involved when learning how to stay secure.
Step 4: Offer and create multiple modes of training
You will always have people who feel they don't need to be trained, usually offering an excuse like "I don't have time". What they mean is "Your training isn't flexible enough to meet my needs", so address that head-on! Using the topics, takeaways, and culture you developed above, come up with a few different ways your material can be delivered. This way the employee feels they get to "pick" the option that works for them, instead of seeing training as a "Yes/No" decision. At Wayne State University, we decided to:
- Provide 90-minute in-person presentations in an auditorium, open for people to sign up and attend.
- Record a presentation for each of the six topics via Camtasia, and make them available to watch at any time.
- Create an "Advanced Placement" test covering all the topics, with an 85% passing score, for the people who think they already know the content.
Fun story: we decided on this approach after hearing from a parent who used to have trouble getting their toddler to do things, like getting in the car. The parent figured out that simply offering choices made all the difference: asking the toddler "Head first or feet first into the car?" fixed the problem! The toddler spent their energy deciding which choice to make and forgot about fighting to stay out of the car in the first place. Insert "My whiny employees are toddlers" joke here at your own peril.
Step 5: Be Enthusiastic
If you are sleepy and unenthusiastic in your training, your learners will pay attention for less than a minute before tuning you out. Don't let this happen! Make sure to bring lots of energy to your training, whether in person or online. I interact with the audience, tell jokes, and vary my cadence based on their feedback. In post-training surveys I have done, the most frequent comment is that the learners *loved* the enthusiasm, passion, and humor I brought to the training, and that it made them not only pay attention but want to learn more.
Step 6: Provide a Cheat Sheet
If you are teaching six topics and a bunch of key takeaways, the chances of your staff retaining all of that juicy knowledge are slim, even if you perform your training in a top hat and tap shoes. Make sure to create and provide a one-page IT security summary that the learner can keep, reference, and post next to their computer.
Step 7: Thank and Reward your Employees
After your learners have put in the effort to learn about all your IT security topics, make sure to thank them and reward that effort by sending them something. I send out a paper certificate and a hand-signed letter thanking them for their effort, and the employees really appreciate it. I love walking around and seeing people who voluntarily and happily hang up their certificate with pride.
So there you go! By following these seven steps you can create an IT Security Awareness program that actually makes a difference: it improves employee cyber behavior, reduces the number of successful hacks, and lowers the chance that a really nasty attack hits your organization. Stay safe and share your results!