Our Views:
Making Cyber Security Awareness Training Engaging
Phishing and credential harvesting remain the most reported incident category in recent years and account for the greatest number of business compromises. Investing in cyber security training and awareness initiatives has therefore become essential. Regular cyber training can positively influence your business cyber culture and empower your team to protect themselves and your business from social engineering attacks. However, many people find cyber security dry, unapproachable and boring…gasp – yes, it’s true – even sci-fi fans are unlikely to look forward to more compulsory risk training modules added to an already full day. So, how can businesses design programmes that are engaging and encourage full participation?
Use Real-World Examples
Learning from a textbook is boring. People engage with stories. Since the origins of humanity, sharing stories (sometimes over food or fire) has allowed humans to learn, and sharing failures is as important as sharing successes. Telling real-world tales of how incidents happened or nearly happened, which mistakes were made or avoided, and reflecting on how things could have gone differently allows us to engage with the material and to picture the same incident happening to us.
Use Multi-disciplinary Trainers
Teams need a trainer they find relatable in order to engage fully with the content. Using team members from various backgrounds can be key to ensuring messages are contextualised and understood. As cyber security is everyone’s responsibility, try using team members from several different areas to lead cyber training (e.g. Marketing, Human Resources, Customer Care). Each group will describe cyber, its impacts and its importance in a different manner, and these teams often contain great communicators.
Mix up the Medium
Rather than relying on one method to get your message across, ensure your programme uses a variety of formats to raise awareness. For example, if you run an online phishing quiz or training video in the first quarter, try a face-to-face presentation, Q&A or cyber simulation in the second. Posters, wallet cards or desk cards could be introduced in the third quarter, and a quiz run in the last.
Walk The Talk
Culture is driven from the top. Leaders need to be advocates for the training and awareness and demonstrate support by participating and caring about its ongoing success.
Make it Fun!
Make sure messages are delivered with fun and humour! Try rewarding participation as well as offering prizes for the best results.
Use your Vendors
Invite a variety of vendors that have credible content and experience to share. Just ensure the focus is not sales and that the content remains vendor- and system-agnostic. Many vendors will be happy to contribute experience and stories from a wide range of industries, because raising security in one link of the supply chain makes everyone more secure.
Keep it Short (but Regular)
Keep it brief. Holding the attention of busy teams requires targeted and efficient delivery. Additionally, studies have shown that people start to forget the lessons from phishing training after about six months, indicating that regular refreshers are vital. Shorter but more frequent cyber training is recommended.
Games for the Tech Savvy
There are plenty of online games for more tech-savvy or cyber security-focused individuals to play, both to test their skills and to enhance learning. Some to try include:
- Cyber Challenge – Developed by the US Department of Defence, Cyber Challenge involves tackling cyber threats and exploring roles in cyber.
- Cybersecurity Lab – A browser-based game involving cracking passwords, writing code and defeating malicious adversaries.
- Keep Tradition Secure – Involves answering a series of cyber security questions to track down a hacker on a college campus.
- picoCTF – Developed by Carnegie Mellon University, a capture-the-flag style competition made up of security challenges.
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line “Subscribe”, “Unsubscribe”, or, if you think there is something worth reporting, “Contribution”, along with the webpage or URL in the contents.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
